Script

script

The Script object describes a script or command that can be executed by a shell, script engine, or interpreter. Examples include Bash, JavsScript, PowerShell, Python, VBScript, etc. Note that the term script here denotes not only a script contained within a file but also a script or command typed interactively by a user, supplied on the command line, or provided by some other file-less mechanism.

Attributes

Caption	Name	Type	Description
File	`file`	File[]	Entity:`FILE` Present if this script is associated with a file. Not present in the case of a file-less script.
Hashes	`hashes`	Fingerprint[]	Entity:`FINGERPRINT` An array of the script's cryptographic hashes. Note that these hashes are calculated on the script in its original encoding, and not on the normalized UTF-8 encoding found in the `script_content` attribute.
Name	`name`	String	Unique identifier for the script or macro, independent of the containing file, used for tracking, auditing, and security analysis.
Parent Unique ID	`parent_uid`	String	This attribute relates a sub-script to a parent script having the matching `uid` attribute. In the case of PowerShell, sub-script execution can be identified by matching the activity correlation ID of the raw ETW events provided by the OS.
Raw Data	`raw_data`	JSON	Group:`context` The event data as received from the event source.
Record ID	`record_id`	String	Group:`primary` Unique identifier for the object
Script Content	`script_content`	Long String[]	Entity:`SCRIPT_CONTENT` The script content, normalized to UTF-8 encoding irrespective of its original encoding. When emitting this attribute, it may be appropriate to truncate large scripts. When consuming this attribute, large scripts should be anticipated.
Type	`type`	String	The script type, normalized to the caption of the `type_id` value. In the case of 'Other', it is defined by the event source.
Type ID	`type_id`	Integer	The normalized script type ID. `0`: Unknown (`UNKNOWN`) `1`: Windows Command Prompt (`WINDOWS_COMMAND_PROMPT`) `2`: PowerShell (`POWERSHELL`) `3`: Python (`PYTHON`) `4`: JavaScript (`JAVASCRIPT`) `5`: VBScript (`VBSCRIPT`) `6`: Unix Shell (`UNIX_SHELL`) `7`: VBA (`VBA`) `99`: Other (`OTHER`)
Unique ID	`uid`	String	Some script engines assign a unique ID to each individual execution of a given script. This attribute captures that unique ID. In the case of PowerShell, the unique ID corresponds to the `ScriptBlockId` in the raw ETW events provided by the OS.
Unmapped	`unmapped`	Unmapped[]	Data from the source that was not mapped into the schema.

Relationships

Inbound Relationships

These objects and events reference Script in their attributes:

Outbound Relationships

Script references the following objects and events in its attributes:

This page describes ocsf-1.4.0