Class: WindowsStartupItem
The startup item object describes an application component that has associated
startup criteria and configurations.
```mermaid
classDiagram
    class WindowsStartupItem
    click WindowsStartupItem href "../WindowsStartupItem/"
    StartupItem <|-- WindowsStartupItem
    click StartupItem href "../StartupItem/"

    WindowsStartupItem : driver
    WindowsStartupItem --> "0..1" KernelDriver : driver
    click KernelDriver href "../KernelDriver/"

    WindowsStartupItem : job
    WindowsStartupItem --> "0..1" Job : job
    click Job href "../Job/"

    WindowsStartupItem : name

    WindowsStartupItem : process
    WindowsStartupItem --> "0..1" Process : process
    click Process href "../Process/"

    WindowsStartupItem : run_mode_ids
    WindowsStartupItem --> "*" StartupItemRunModeIdsEnum : run_mode_ids
    click StartupItemRunModeIdsEnum href "../StartupItemRunModeIdsEnum/"

    WindowsStartupItem : run_modes

    WindowsStartupItem : run_state

    WindowsStartupItem : run_state_id
    WindowsStartupItem --> "0..1 _recommended_" StartupItemRunStateIdEnum : run_state_id
    click StartupItemRunStateIdEnum href "../StartupItemRunStateIdEnum/"

    WindowsStartupItem : start_type

    WindowsStartupItem : start_type_id
    WindowsStartupItem --> "1" StartTypeIdEnum : start_type_id
    click StartTypeIdEnum href "../StartTypeIdEnum/"

    WindowsStartupItem : type

    WindowsStartupItem : type_id
    WindowsStartupItem --> "0..1 _recommended_" StartupItemTypeIdEnum : type_id
    click StartupItemTypeIdEnum href "../StartupItemTypeIdEnum/"

    WindowsStartupItem : win_service
    WindowsStartupItem --> "0..1" WinService : win_service
    click WinService href "../WinService/"
```
Inheritance
- OcsfObject
- StartupItem
- WindowsStartupItem
- StartupItem
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| win_service | 0..1 WinService | The startup item Windows service resource | direct |
| driver | 0..1 KernelDriver | The startup item kernel driver resource | StartupItem |
| job | 0..1 Job | The startup item job resource | StartupItem |
| name | 1 String | The unique name of the startup item | StartupItem |
| process | 0..1 Process | The startup item process resource | StartupItem |
| run_mode_ids | * StartupItemRunModeIdsEnum | The list of normalized identifiers that describe the startup items' propertie... | StartupItem |
| run_modes | * String | The list of run_modes, normalized to the captions of the run_mode_id values | StartupItem |
| run_state | 0..1 String | The run state of the startup item | StartupItem |
| run_state_id | 0..1 recommended StartupItemRunStateIdEnum | The run state ID of the startup item | StartupItem |
| start_type | 0..1 String | The start type of the startup item | StartupItem |
| start_type_id | 1 StartTypeIdEnum | The start type ID of the startup item | StartupItem |
| type | 0..1 String | The startup item type | StartupItem |
| type_id | 0..1 recommended StartupItemTypeIdEnum | The startup item type identifier | StartupItem |
Rules
| Rule Applied | Preconditions | Postconditions | Elseconditions |
|---|---|---|---|
| exactly_one_of | | [{'slot_conditions': {'driver': {'required': True}}}, {'slot_conditions': {'job': {'required': True}}}, {'slot_conditions': {'process': {'required': True}}}, {'slot_conditions': {'win_service': {'required': True}}}] | |
In Subsets
Aliases
- Startup Item
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_constraints | {"just_one": ["driver", "job", "process", "win_service"]} |
| ocsf_extension | windows |
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:WindowsStartupItem |
| native | ocsf:WindowsStartupItem |
LinkML Source
Direct
```yaml
name: WindowsStartupItem
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"just_one": ["driver", "job", "process", "win_service"]}'
  ocsf_extension:
    tag: ocsf_extension
    value: windows
description: 'The startup item object describes an application component that has
  associated
  startup criteria and configurations.'
in_subset:
- windows_extension_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Startup Item
is_a: StartupItem
slots:
- win_service
slot_usage:
  win_service:
    name: win_service
    description: The startup item Windows service resource.
rules:
- postconditions:
    exactly_one_of:
    - slot_conditions:
        driver:
          name: driver
          required: true
    - slot_conditions:
        job:
          name: job
          required: true
    - slot_conditions:
        process:
          name: process
          required: true
    - slot_conditions:
        win_service:
          name: win_service
          required: true
  description: 'OCSF just_one: exactly one of [''driver'', ''job'', ''process'', ''win_service'']
    must
    be set.'
```
Induced
```yaml
name: WindowsStartupItem
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"just_one": ["driver", "job", "process", "win_service"]}'
  ocsf_extension:
    tag: ocsf_extension
    value: windows
description: 'The startup item object describes an application component that has
  associated
  startup criteria and configurations.'
in_subset:
- windows_extension_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Startup Item
is_a: StartupItem
slot_usage:
  win_service:
    name: win_service
    description: The startup item Windows service resource.
attributes:
  win_service:
    name: win_service
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: The startup item Windows service resource.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Windows Service
    rank: 1000
    alias: win_service
    owner: WindowsStartupItem
    domain_of:
    - WindowsEvidences
    - WindowsStartupItem
    - WindowsServiceActivity
    range: WinService
  driver:
    name: driver
    description: The startup item kernel driver resource.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Kernel Driver
    rank: 1000
    alias: driver
    owner: WindowsStartupItem
    domain_of:
    - StartupItem
    - KernelExtensionActivity
    range: KernelDriver
  job:
    name: job
    description: The startup item job resource.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Job
    rank: 1000
    alias: job
    owner: WindowsStartupItem
    domain_of:
    - QueryEvidence
    - StartupItem
    - Evidences
    - JobQuery
    - ScheduledJobActivity
    range: Job
  name:
    name: name
    description: The unique name of the startup item.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: WindowsStartupItem
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    required: true
  process:
    name: process
    description: The startup item process resource.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Process
    rank: 1000
    alias: process
    owner: WindowsStartupItem
    domain_of:
    - QueryEvidence
    - StartupItem
    - Actor
    - Evidences
    - ModuleQuery
    - NetworkConnectionQuery
    - ProcessQuery
    - SecurityFinding
    - ProcessRemediationActivity
    - MemoryActivity
    - ProcessActivity
    range: Process
  run_mode_ids:
    name: run_mode_ids
    annotations:
      sibling:
        tag: sibling
        value: run_modes
    description: 'The list of normalized identifiers that describe the startup items''
      properties
      when it is running. Use this field to capture extended information about the
      process, which may depend on the type of startup item. E.g., A Windows service
      that interacts with the desktop.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Run Mode IDs
    rank: 1000
    alias: run_mode_ids
    owner: WindowsStartupItem
    domain_of:
    - StartupItem
    range: StartupItemRunModeIdsEnum
    multivalued: true
  run_modes:
    name: run_modes
    description: 'The list of run_modes, normalized to the captions of the run_mode_id
      values.
      In the case of ''Other'', they are defined by the event source.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Run Modes
    rank: 1000
    alias: run_modes
    owner: WindowsStartupItem
    domain_of:
    - StartupItem
    range: string
    multivalued: true
  run_state:
    name: run_state
    description: The run state of the startup item.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Run State
    rank: 1000
    alias: run_state
    owner: WindowsStartupItem
    domain_of:
    - StartupItem
    - Job
    range: string
  run_state_id:
    name: run_state_id
    annotations:
      sibling:
        tag: sibling
        value: run_state
    description: The run state ID of the startup item.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Run State ID
    rank: 1000
    alias: run_state_id
    owner: WindowsStartupItem
    domain_of:
    - StartupItem
    - Job
    range: StartupItemRunStateIdEnum
    recommended: true
  start_type:
    name: start_type
    description: The start type of the startup item.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Start Type
    rank: 1000
    alias: start_type
    owner: WindowsStartupItem
    domain_of:
    - StartupItem
    range: string
  start_type_id:
    name: start_type_id
    annotations:
      sibling:
        tag: sibling
        value: start_type
    description: The start type ID of the startup item.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Start Type ID
    rank: 1000
    alias: start_type_id
    owner: WindowsStartupItem
    domain_of:
    - StartupItem
    range: StartTypeIdEnum
    required: true
  type:
    name: type
    description: The startup item type.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type
    rank: 1000
    alias: type
    owner: WindowsStartupItem
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - ProgrammaticCredential
    - RelatedEvent
    - San
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Dns
    - Resource
    - Account
    - Agent
    - Analytic
    - ApplicationObject
    - AuthenticationToken
    - ClassifierDetails
    - Cve
    - Database
    - Databucket
    - DiscoveryDetails
    - DnsAnswer
    - DomainContact
    - EncryptionDetails
    - Endpoint
    - Enrichment
    - File
    - Graph
    - Group
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - Metadata
    - Module
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - PeripheralDevice
    - Policy
    - Rule
    - Scan
    - Trait
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - WebResource
    - Device
    - DatastoreActivity
    - FtpActivity
    - RegValue
    - WinResource
    range: string
  type_id:
    name: type_id
    annotations:
      sibling:
        tag: sibling
        value: type
    description: The startup item type identifier.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type ID
    rank: 1000
    alias: type_id
    owner: WindowsStartupItem
    domain_of:
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Account
    - Agent
    - Analytic
    - AuthenticationToken
    - Database
    - Databucket
    - DomainContact
    - Endpoint
    - File
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - NetworkEndpoint
    - NetworkInterface
    - PeripheralDevice
    - Scan
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - Device
    - DatastoreActivity
    - RegValue
    - WinResource
    range: StartupItemTypeIdEnum
    recommended: true
rules:
- postconditions:
    exactly_one_of:
    - slot_conditions:
        driver:
          name: driver
          required: true
    - slot_conditions:
        job:
          name: job
          required: true
    - slot_conditions:
        process:
          name: process
          required: true
    - slot_conditions:
        win_service:
          name: win_service
          required: true
  description: 'OCSF just_one: exactly one of [''driver'', ''job'', ''process'', ''win_service'']
    must
    be set.'
```