Script

Entity:FILE
Present if this script is associated with a file. Not present in the case of a file-less script.

Entity:FINGERPRINT
An array of the script's cryptographic hashes. Note that these hashes are calculated on the script in its original encoding, and not on the normalized UTF-8 encoding found in the script_content attribute.

Unique identifier for the script or macro, independent of the containing file, used for tracking, auditing, and security analysis.

This attribute relates a sub-script to a parent script having the matching uid attribute. In the case of PowerShell, sub-script execution can be identified by matching the activity correlation ID of the raw ETW events provided by the OS.

Group:context
The event data as received from the event source.

Group:primary
Unique identifier for the object

Entity:SCRIPT_CONTENT
The script content, normalized to UTF-8 encoding irrespective of its original encoding. When emitting this attribute, it may be appropriate to truncate large scripts. When consuming this attribute, large scripts should be anticipated.

The script type, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the event source.

The normalized script type ID.

• 0: Unknown (UNKNOWN)
• 1: Windows Command Prompt (WINDOWS_COMMAND_PROMPT)
• 2: PowerShell (POWERSHELL)
• 3: Python (PYTHON)
• 4: JavaScript (JAVASCRIPT)
• 5: VBScript (VBSCRIPT)
• 6: Unix Shell (UNIX_SHELL)
• 7: VBA (VBA)
• 99: Other (OTHER)

Some script engines assign a unique ID to each individual execution of a given script. This attribute captures that unique ID. In the case of PowerShell, the unique ID corresponds to the ScriptBlockId in the raw ETW events provided by the OS.

Data from the source that was not mapped into the schema.