Class: StartupItem
The startup item object describes an application component that has associated
startup criteria and configurations.
URI: ocsf:StartupItem
```mermaid
classDiagram
    class StartupItem
    click StartupItem href "../StartupItem/"
    OcsfObject <|-- StartupItem
    click OcsfObject href "../OcsfObject/"
    StartupItem <|-- WindowsStartupItem
    click WindowsStartupItem href "../WindowsStartupItem/"
    StartupItem : driver
    StartupItem --> "0..1" KernelDriver : driver
    click KernelDriver href "../KernelDriver/"
    StartupItem : job
    StartupItem --> "0..1" Job : job
    click Job href "../Job/"
    StartupItem : name
    StartupItem : process
    StartupItem --> "0..1" Process : process
    click Process href "../Process/"
    StartupItem : run_mode_ids
    StartupItem --> "*" StartupItemRunModeIdsEnum : run_mode_ids
    click StartupItemRunModeIdsEnum href "../StartupItemRunModeIdsEnum/"
    StartupItem : run_modes
    StartupItem : run_state
    StartupItem : run_state_id
    StartupItem --> "0..1 _recommended_" StartupItemRunStateIdEnum : run_state_id
    click StartupItemRunStateIdEnum href "../StartupItemRunStateIdEnum/"
    StartupItem : start_type
    StartupItem : start_type_id
    StartupItem --> "1" StartTypeIdEnum : start_type_id
    click StartTypeIdEnum href "../StartTypeIdEnum/"
    StartupItem : type
    StartupItem : type_id
    StartupItem --> "0..1 _recommended_" StartupItemTypeIdEnum : type_id
    click StartupItemTypeIdEnum href "../StartupItemTypeIdEnum/"
```
Inheritance
- OcsfObject
- StartupItem
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| driver | 0..1 KernelDriver | The startup item kernel driver resource | direct |
| job | 0..1 Job | The startup item job resource | direct |
| name | 1 String | The unique name of the startup item | direct |
| process | 0..1 Process | The startup item process resource | direct |
| run_mode_ids | * StartupItemRunModeIdsEnum | The list of normalized identifiers that describe the startup items' propertie... | direct |
| run_modes | * String | The list of run_modes, normalized to the captions of the run_mode_id values | direct |
| run_state | 0..1 String | The run state of the startup item | direct |
| run_state_id | 0..1 recommended StartupItemRunStateIdEnum | The run state ID of the startup item | direct |
| start_type | 0..1 String | The start type of the startup item | direct |
| start_type_id | 1 StartTypeIdEnum | The start type ID of the startup item | direct |
| type | 0..1 String | The startup item type | direct |
| type_id | 0..1 recommended StartupItemTypeIdEnum | The startup item type identifier | direct |
Usages
| used by | used in | type | used |
|---|---|---|---|
| QueryEvidence | startup_item | range | StartupItem |
| StartupItemQuery | startup_item | range | StartupItem |
| WindowsQueryEvidence | startup_item | range | StartupItem |
Rules
| Rule Applied | Preconditions | Postconditions | Elseconditions |
|---|---|---|---|
| exactly_one_of | | [{'slot_conditions': {'driver': {'required': True}}}, {'slot_conditions': {'job': {'required': True}}}, {'slot_conditions': {'process': {'required': True}}}] | |
In Subsets
Aliases
- Startup Item
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_constraints | {"just_one": ["driver", "job", "process"]} |
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:StartupItem |
| native | ocsf:StartupItem |
LinkML Source
Direct
```yaml
name: StartupItem
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"just_one": ["driver", "job", "process"]}'
description: 'The startup item object describes an application component that has
  associated
  startup criteria and configurations.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Startup Item
is_a: OcsfObject
slots:
- driver
- job
- name
- process
- run_mode_ids
- run_modes
- run_state
- run_state_id
- start_type
- start_type_id
- type
- type_id
slot_usage:
  driver:
    name: driver
    description: The startup item kernel driver resource.
  job:
    name: job
    description: The startup item job resource.
  name:
    name: name
    description: The unique name of the startup item.
    required: true
  process:
    name: process
    description: The startup item process resource.
  run_mode_ids:
    name: run_mode_ids
    description: 'The list of normalized identifiers that describe the startup items''
      properties
      when it is running. Use this field to capture extended information about the
      process, which may depend on the type of startup item. E.g., A Windows service
      that interacts with the desktop.'
    range: StartupItemRunModeIdsEnum
  run_modes:
    name: run_modes
    description: 'The list of run_modes, normalized to the captions of the run_mode_id
      values.
      In the case of ''Other'', they are defined by the event source.'
  run_state:
    name: run_state
    description: The run state of the startup item.
  run_state_id:
    name: run_state_id
    description: The run state ID of the startup item.
    range: StartupItemRunStateIdEnum
    recommended: true
  start_type:
    name: start_type
    description: The start type of the startup item.
  start_type_id:
    name: start_type_id
    description: The start type ID of the startup item.
    required: true
  type:
    name: type
    description: The startup item type.
  type_id:
    name: type_id
    description: The startup item type identifier.
    range: StartupItemTypeIdEnum
    recommended: true
rules:
- postconditions:
    exactly_one_of:
    - slot_conditions:
        driver:
          name: driver
          required: true
    - slot_conditions:
        job:
          name: job
          required: true
    - slot_conditions:
        process:
          name: process
          required: true
  description: 'OCSF just_one: exactly one of [''driver'', ''job'', ''process''] must
    be set.'
```
Induced
```yaml
name: StartupItem
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"just_one": ["driver", "job", "process"]}'
description: 'The startup item object describes an application component that has
  associated
  startup criteria and configurations.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Startup Item
is_a: OcsfObject
slot_usage:
  driver:
    name: driver
    description: The startup item kernel driver resource.
  job:
    name: job
    description: The startup item job resource.
  name:
    name: name
    description: The unique name of the startup item.
    required: true
  process:
    name: process
    description: The startup item process resource.
  run_mode_ids:
    name: run_mode_ids
    description: 'The list of normalized identifiers that describe the startup items''
      properties
      when it is running. Use this field to capture extended information about the
      process, which may depend on the type of startup item. E.g., A Windows service
      that interacts with the desktop.'
    range: StartupItemRunModeIdsEnum
  run_modes:
    name: run_modes
    description: 'The list of run_modes, normalized to the captions of the run_mode_id
      values.
      In the case of ''Other'', they are defined by the event source.'
  run_state:
    name: run_state
    description: The run state of the startup item.
  run_state_id:
    name: run_state_id
    description: The run state ID of the startup item.
    range: StartupItemRunStateIdEnum
    recommended: true
  start_type:
    name: start_type
    description: The start type of the startup item.
  start_type_id:
    name: start_type_id
    description: The start type ID of the startup item.
    required: true
  type:
    name: type
    description: The startup item type.
  type_id:
    name: type_id
    description: The startup item type identifier.
    range: StartupItemTypeIdEnum
    recommended: true
attributes:
  driver:
    name: driver
    description: The startup item kernel driver resource.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Kernel Driver
    rank: 1000
    alias: driver
    owner: StartupItem
    domain_of:
    - StartupItem
    - KernelExtensionActivity
    range: KernelDriver
  job:
    name: job
    description: The startup item job resource.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Job
    rank: 1000
    alias: job
    owner: StartupItem
    domain_of:
    - QueryEvidence
    - StartupItem
    - Evidences
    - JobQuery
    - ScheduledJobActivity
    range: Job
  name:
    name: name
    description: The unique name of the startup item.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: StartupItem
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    required: true
  process:
    name: process
    description: The startup item process resource.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Process
    rank: 1000
    alias: process
    owner: StartupItem
    domain_of:
    - QueryEvidence
    - StartupItem
    - Actor
    - Evidences
    - ModuleQuery
    - NetworkConnectionQuery
    - ProcessQuery
    - SecurityFinding
    - ProcessRemediationActivity
    - MemoryActivity
    - ProcessActivity
    range: Process
  run_mode_ids:
    name: run_mode_ids
    annotations:
      sibling:
        tag: sibling
        value: run_modes
    description: 'The list of normalized identifiers that describe the startup items''
      properties
      when it is running. Use this field to capture extended information about the
      process, which may depend on the type of startup item. E.g., A Windows service
      that interacts with the desktop.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Run Mode IDs
    rank: 1000
    alias: run_mode_ids
    owner: StartupItem
    domain_of:
    - StartupItem
    range: StartupItemRunModeIdsEnum
    multivalued: true
  run_modes:
    name: run_modes
    description: 'The list of run_modes, normalized to the captions of the run_mode_id
      values.
      In the case of ''Other'', they are defined by the event source.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Run Modes
    rank: 1000
    alias: run_modes
    owner: StartupItem
    domain_of:
    - StartupItem
    range: string
    multivalued: true
  run_state:
    name: run_state
    description: The run state of the startup item.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Run State
    rank: 1000
    alias: run_state
    owner: StartupItem
    domain_of:
    - StartupItem
    - Job
    range: string
  run_state_id:
    name: run_state_id
    annotations:
      sibling:
        tag: sibling
        value: run_state
    description: The run state ID of the startup item.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Run State ID
    rank: 1000
    alias: run_state_id
    owner: StartupItem
    domain_of:
    - StartupItem
    - Job
    range: StartupItemRunStateIdEnum
    recommended: true
  start_type:
    name: start_type
    description: The start type of the startup item.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Start Type
    rank: 1000
    alias: start_type
    owner: StartupItem
    domain_of:
    - StartupItem
    range: string
  start_type_id:
    name: start_type_id
    annotations:
      sibling:
        tag: sibling
        value: start_type
    description: The start type ID of the startup item.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Start Type ID
    rank: 1000
    alias: start_type_id
    owner: StartupItem
    domain_of:
    - StartupItem
    range: StartTypeIdEnum
    required: true
  type:
    name: type
    description: The startup item type.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type
    rank: 1000
    alias: type
    owner: StartupItem
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - ProgrammaticCredential
    - RelatedEvent
    - San
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Dns
    - Resource
    - Account
    - Agent
    - Analytic
    - ApplicationObject
    - AuthenticationToken
    - ClassifierDetails
    - Cve
    - Database
    - Databucket
    - DiscoveryDetails
    - DnsAnswer
    - DomainContact
    - EncryptionDetails
    - Endpoint
    - Enrichment
    - File
    - Graph
    - Group
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - Metadata
    - Module
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - PeripheralDevice
    - Policy
    - Rule
    - Scan
    - Trait
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - WebResource
    - Device
    - DatastoreActivity
    - FtpActivity
    - RegValue
    - WinResource
    range: string
  type_id:
    name: type_id
    annotations:
      sibling:
        tag: sibling
        value: type
    description: The startup item type identifier.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type ID
    rank: 1000
    alias: type_id
    owner: StartupItem
    domain_of:
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Account
    - Agent
    - Analytic
    - AuthenticationToken
    - Database
    - Databucket
    - DomainContact
    - Endpoint
    - File
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - NetworkEndpoint
    - NetworkInterface
    - PeripheralDevice
    - Scan
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - Device
    - DatastoreActivity
    - RegValue
    - WinResource
    range: StartupItemTypeIdEnum
    recommended: true
rules:
- postconditions:
    exactly_one_of:
    - slot_conditions:
        driver:
          name: driver
          required: true
    - slot_conditions:
        job:
          name: job
          required: true
    - slot_conditions:
        process:
          name: process
          required: true
  description: 'OCSF just_one: exactly one of [''driver'', ''job'', ''process''] must
    be set.'
```