Class: WinService
The Windows Service object describes a Windows service.
URI: ocsf:WinService
```mermaid
classDiagram
    class WinService
    click WinService href "../WinService/"
    Service <|-- WinService
    click Service href "../Service/"
    WinService : cmd_line
    WinService : hosting_process
    WinService --> "0..1" ProcessEntity : hosting_process
    click ProcessEntity href "../ProcessEntity/"
    WinService : labels
    WinService : load_order_group
    WinService : name
    WinService : service_category
    WinService : service_category_id
    WinService --> "0..1 _recommended_" WindowsServiceCategoryIdEnum : service_category_id
    click WindowsServiceCategoryIdEnum href "../WindowsServiceCategoryIdEnum/"
    WinService : service_dependencies
    WinService : service_dll_file
    WinService --> "0..1" File : service_dll_file
    click File href "../File/"
    WinService : service_error_control
    WinService : service_error_control_id
    WinService --> "0..1 _recommended_" WindowsServiceErrorControlIdEnum : service_error_control_id
    click WindowsServiceErrorControlIdEnum href "../WindowsServiceErrorControlIdEnum/"
    WinService : service_file
    WinService --> "0..1 _recommended_" File : service_file
    click File href "../File/"
    WinService : service_start_name
    WinService : service_start_type
    WinService : service_start_type_id
    WinService --> "0..1 _recommended_" WindowsServiceStartTypeIdEnum : service_start_type_id
    click WindowsServiceStartTypeIdEnum href "../WindowsServiceStartTypeIdEnum/"
    WinService : service_type
    WinService : service_type_id
    WinService --> "0..1 _recommended_" WindowsServiceTypeIdEnum : service_type_id
    click WindowsServiceTypeIdEnum href "../WindowsServiceTypeIdEnum/"
    WinService : tags
    WinService --> "*" KeyValueObject : tags
    click KeyValueObject href "../KeyValueObject/"
    WinService : uid
    WinService : version
```
Inheritance
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| cmd_line | 0..1 recommended String | The full command line used to launch the service | direct |
| hosting_process | 0..1 ProcessEntity | The process that is hosting this service | direct |
| load_order_group | 0..1 recommended String | The name of the load ordering group of which this service is a member | direct |
| name | 1 recommended String | The unique name of the service | direct |
| service_category | 0..1 String | The service category, normalized to the caption of the service_category_id | direct |
| service_category_id | 0..1 recommended WindowsServiceCategoryIdEnum | The normalized identifier of the service category | direct |
| service_dependencies | * recommended String | The names of other services upon which this service has a dependency | direct |
| service_dll_file | 0..1 File | For a shared user mode service (service_type_id is 4) this is th... | direct |
| service_error_control | 0..1 String | The service error control, normalized to the caption of the | direct |
| service_error_control_id | 0..1 recommended WindowsServiceErrorControlIdEnum | The normalized identifier of the service error control | direct |
| service_file | 0..1 recommended File | For a user mode service (service_type_id 3 or 4) this is the | direct |
| service_start_name | 0..1 recommended String | For a user mode service, this attribute represents the name of the account | direct |
| service_start_type | 0..1 String | The service start type, normalized to the caption of the | direct |
| service_start_type_id | 0..1 recommended WindowsServiceStartTypeIdEnum | The normalized identifier of the service start type | direct |
| service_type | 0..1 String | The service type, normalized to the caption of the service_type_id value | direct |
| service_type_id | 0..1 recommended WindowsServiceTypeIdEnum | The normalized identifier of the service type | direct |
| labels | * String | The list of labels associated with the service | Service |
| tags | * KeyValueObject | The list of tags; {key:value} pairs associated to the service | Service |
| uid | 0..1 recommended String | The unique identifier of the service | Entity, Service |
| version | 0..1 recommended String | The version of the service | Service |
Usages
| used by | used in | type | used |
|---|---|---|---|
| WindowsEvidences | win_service | range | WinService |
| WindowsProcess | hosted_services | range | WinService |
| WindowsStartupItem | win_service | range | WinService |
| WindowsServiceActivity | win_service | range | WinService |
Rules
| Rule Applied | Preconditions | Postconditions | Elseconditions |
|---|---|---|---|
| any_of | | [{'slot_conditions': {'cmd_line': {'required': True}}}, {'slot_conditions': {'service_category_id': {'required': True}}}, {'slot_conditions': {'service_dependencies': {'required': True}}}, {'slot_conditions': {'service_error_control_id': {'required': True}}}, {'slot_conditions': {'service_start_name': {'required': True}}}, {'slot_conditions': {'service_start_type_id': {'required': True}}}, {'slot_conditions': {'service_type_id': {'required': True}}}] | |
In Subsets
Aliases
- Windows Service
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_constraints | {"at_least_one": ["cmd_line", "service_category_id", "service_dependencies", "service_error_control_id", "service_start_name", "service_start_type_id", "service_type_id"]} |
| ocsf_extension | windows |
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:WinService |
| native | ocsf:WinService |
| close | uco_master:WindowsActiveDirectoryAccount |
LinkML Source
Direct
```yaml
name: WinService
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["cmd_line", "service_category_id", "service_dependencies",
      "service_error_control_id", "service_start_name", "service_start_type_id",
      "service_type_id"]}'
  ocsf_extension:
    tag: ocsf_extension
    value: windows
description: The Windows Service object describes a Windows service.
in_subset:
- windows_extension_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Windows Service
close_mappings:
- uco_master:WindowsActiveDirectoryAccount
is_a: Service
slots:
- cmd_line
- hosting_process
- load_order_group
- name
- service_category
- service_category_id
- service_dependencies
- service_dll_file
- service_error_control
- service_error_control_id
- service_file
- service_start_name
- service_start_type
- service_start_type_id
- service_type
- service_type_id
slot_usage:
  cmd_line:
    name: cmd_line
    description: The full command line used to launch the service.
    recommended: true
  load_order_group:
    name: load_order_group
    recommended: true
  name:
    name: name
    description: The unique name of the service.
    required: true
  service_category_id:
    name: service_category_id
    recommended: true
  service_dependencies:
    name: service_dependencies
    recommended: true
  service_error_control_id:
    name: service_error_control_id
    recommended: true
  service_file:
    name: service_file
    recommended: true
  service_start_name:
    name: service_start_name
    recommended: true
  service_start_type_id:
    name: service_start_type_id
    recommended: true
  service_type_id:
    name: service_type_id
    recommended: true
rules:
- postconditions:
    any_of:
    - slot_conditions:
        cmd_line:
          name: cmd_line
          required: true
    - slot_conditions:
        service_category_id:
          name: service_category_id
          required: true
    - slot_conditions:
        service_dependencies:
          name: service_dependencies
          required: true
    - slot_conditions:
        service_error_control_id:
          name: service_error_control_id
          required: true
    - slot_conditions:
        service_start_name:
          name: service_start_name
          required: true
    - slot_conditions:
        service_start_type_id:
          name: service_start_type_id
          required: true
    - slot_conditions:
        service_type_id:
          name: service_type_id
          required: true
  description: 'OCSF at_least_one: at least one of [''cmd_line'', ''service_category_id'',
    ''service_dependencies'', ''service_error_control_id'', ''service_start_name'',
    ''service_start_type_id'', ''service_type_id''] must be set.'
```
Induced
```yaml
name: WinService
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["cmd_line", "service_category_id", "service_dependencies",
      "service_error_control_id", "service_start_name", "service_start_type_id",
      "service_type_id"]}'
  ocsf_extension:
    tag: ocsf_extension
    value: windows
description: The Windows Service object describes a Windows service.
in_subset:
- windows_extension_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Windows Service
close_mappings:
- uco_master:WindowsActiveDirectoryAccount
is_a: Service
slot_usage:
  cmd_line:
    name: cmd_line
    description: The full command line used to launch the service.
    recommended: true
  load_order_group:
    name: load_order_group
    recommended: true
  name:
    name: name
    description: The unique name of the service.
    required: true
  service_category_id:
    name: service_category_id
    recommended: true
  service_dependencies:
    name: service_dependencies
    recommended: true
  service_error_control_id:
    name: service_error_control_id
    recommended: true
  service_file:
    name: service_file
    recommended: true
  service_start_name:
    name: service_start_name
    recommended: true
  service_start_type_id:
    name: service_start_type_id
    recommended: true
  service_type_id:
    name: service_type_id
    recommended: true
attributes:
  cmd_line:
    name: cmd_line
    annotations:
      observable_id:
        tag: observable_id
        value: 13
    description: The full command line used to launch the service.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Command Line
    rank: 1000
    alias: cmd_line
    owner: WinService
    domain_of:
    - Job
    - ProcessEntity
    - WinService
    range: string
    recommended: true
  hosting_process:
    name: hosting_process
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: The process that is hosting this service.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Hosting Process
    rank: 1000
    alias: hosting_process
    owner: WinService
    domain_of:
    - WinService
    range: ProcessEntity
  load_order_group:
    name: load_order_group
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: The name of the load ordering group of which this service is a member.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Load Order Group
    rank: 1000
    alias: load_order_group
    owner: WinService
    domain_of:
    - WinService
    range: string
    recommended: true
  name:
    name: name
    description: The unique name of the service.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: WinService
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    required: true
    recommended: true
  service_category:
    name: service_category
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: 'The service category, normalized to the caption of the service_category_id
      value. In the case of ''Other'', it is defined by the event source.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Service Category
    rank: 1000
    alias: service_category
    owner: WinService
    domain_of:
    - WinService
    range: string
  service_category_id:
    name: service_category_id
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: The normalized identifier of the service category.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Service Category ID
    rank: 1000
    alias: service_category_id
    owner: WinService
    domain_of:
    - WinService
    range: WindowsServiceCategoryIdEnum
    recommended: true
  service_dependencies:
    name: service_dependencies
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: The names of other services upon which this service has a dependency.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Service Dependencies
    rank: 1000
    alias: service_dependencies
    owner: WinService
    domain_of:
    - WinService
    range: string
    recommended: true
    multivalued: true
  service_dll_file:
    name: service_dll_file
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: 'For a shared user mode service (<code>service_type_id</code> is
      4) this is the
      DLL that gets loaded by the generic service host process (e.g.
      <code>svchost.exe</code>) to implement the service.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Service DLL
    rank: 1000
    alias: service_dll_file
    owner: WinService
    domain_of:
    - WinService
    range: File
  service_error_control:
    name: service_error_control
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: 'The service error control, normalized to the caption of the
      <code>service_error_control_id</code> value. In the case of ''Other'', it is
      defined by the event source.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Service Error Control
    rank: 1000
    alias: service_error_control
    owner: WinService
    domain_of:
    - WinService
    range: string
  service_error_control_id:
    name: service_error_control_id
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: The normalized identifier of the service error control.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Service Error Control ID
    rank: 1000
    alias: service_error_control_id
    owner: WinService
    domain_of:
    - WinService
    range: WindowsServiceErrorControlIdEnum
    recommended: true
  service_file:
    name: service_file
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: 'For a user mode service (<code>service_type_id</code> 3 or 4) this
      is the
      executable program that the SCM launches as the service process.<br>For a
      kernel mode driver (<code>service_type_id</code> 1 or 2) this is the driver
      file loaded into the kernel at the request of the SCM.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Service File
    rank: 1000
    alias: service_file
    owner: WinService
    domain_of:
    - WinService
    range: File
    recommended: true
  service_start_name:
    name: service_start_name
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: 'For a user mode service, this attribute represents the name of the
      account
      under which the service is run. For a kernel mode driver, this attribute
      represents the object name used to load the driver.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Service Start Name
    rank: 1000
    alias: service_start_name
    owner: WinService
    domain_of:
    - WinService
    range: string
    recommended: true
  service_start_type:
    name: service_start_type
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: 'The service start type, normalized to the caption of the
      <code>service_start_type_id</code> value. In the case of ''Other'', it is defined
      by the event source.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Service Start Type
    rank: 1000
    alias: service_start_type
    owner: WinService
    domain_of:
    - WinService
    range: string
  service_start_type_id:
    name: service_start_type_id
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: The normalized identifier of the service start type.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Service Start Type ID
    rank: 1000
    alias: service_start_type_id
    owner: WinService
    domain_of:
    - WinService
    range: WindowsServiceStartTypeIdEnum
    recommended: true
  service_type:
    name: service_type
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: 'The service type, normalized to the caption of the service_type_id
      value. In
      the case of ''Other'', it is defined by the event source.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Service Type
    rank: 1000
    alias: service_type
    owner: WinService
    domain_of:
    - WinService
    range: string
  service_type_id:
    name: service_type_id
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: The normalized identifier of the service type.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Service Type ID
    rank: 1000
    alias: service_type_id
    owner: WinService
    domain_of:
    - WinService
    range: WindowsServiceTypeIdEnum
    recommended: true
  labels:
    name: labels
    description: The list of labels associated with the service.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Labels
    rank: 1000
    alias: labels
    owner: WinService
    domain_of:
    - Osint
    - Resource
    - Account
    - ApplicationObject
    - Container
    - Image
    - LdapPerson
    - Metadata
    - Service
    range: string
    multivalued: true
  tags:
    name: tags
    description: The list of tags; <code>{key:value}</code> pairs associated to the
      service.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Tags
    rank: 1000
    alias: tags
    owner: WinService
    domain_of:
    - RelatedEvent
    - Resource
    - Account
    - ApplicationObject
    - Container
    - File
    - FindingInfo
    - Image
    - LdapPerson
    - Metadata
    - Service
    range: KeyValueObject
    multivalued: true
  uid:
    name: uid
    description: The unique identifier of the service.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: WinService
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    recommended: true
  version:
    name: version
    description: The version of the service.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Version
    rank: 1000
    alias: version
    owner: WinService
    domain_of:
    - Os
    - Package
    - RpcInterface
    - Sbom
    - Scim
    - SoftwareComponent
    - Tls
    - Agent
    - AiModel
    - Analytic
    - Api
    - ApplicationObject
    - Attack
    - Certificate
    - Check
    - CisControl
    - CisCsc
    - Cvss
    - D3fend
    - Databucket
    - Epss
    - Extension
    - Feature
    - File
    - HttpRequest
    - Logger
    - ManagedEntity
    - Metadata
    - Policy
    - Product
    - ResourceDetails
    - Rule
    - Service
    - NtpActivity
    range: string
    recommended: true
rules:
- postconditions:
    any_of:
    - slot_conditions:
        cmd_line:
          name: cmd_line
          required: true
    - slot_conditions:
        service_category_id:
          name: service_category_id
          required: true
    - slot_conditions:
        service_dependencies:
          name: service_dependencies
          required: true
    - slot_conditions:
        service_error_control_id:
          name: service_error_control_id
          required: true
    - slot_conditions:
        service_start_name:
          name: service_start_name
          required: true
    - slot_conditions:
        service_start_type_id:
          name: service_start_type_id
          required: true
    - slot_conditions:
        service_type_id:
          name: service_type_id
          required: true
  description: 'OCSF at_least_one: at least one of [''cmd_line'', ''service_category_id'',
    ''service_dependencies'', ''service_error_control_id'', ''service_start_name'',
    ''service_start_type_id'', ''service_type_id''] must be set.'
```