Windows Service

win_service

The Windows Service object describes a Windows service.

Attributes

Caption	Name	Type	Description
Command Line	`cmd_line`	String	Entity:`COMMAND_LINE` The full command line used to launch the service.
Labels	`labels`	String[]	The list of labels associated with the service.
Load Order Group	`load_order_group`	String	The name of the load ordering group of which this service is a member.
Name	`name`	String	The unique name of the service.
Raw Data	`raw_data`	JSON	Group:`context` The event data as received from the event source.
Record ID	`record_id`	String	Group:`primary` Unique identifier for the object
Service Category	`service_category`	String	The service category, normalized to the caption of the service_category_id value. In the case of 'Other', it is defined by the event source.
Service Category ID	`service_category_id`	Integer	The normalized identifier of the service category. `0`: Unknown (`UNKNOWN`) `1`: Kernel Mode (`KERNEL_MODE`) `2`: User Mode (`USER_MODE`) `99`: Other (`OTHER`)
Service Dependencies	`service_dependencies`	String[]	The names of other services upon which this service has a dependency.
Service Error Control	`service_error_control`	String	The service error control, normalized to the caption of the `service_error_control_id` value. In the case of 'Other', it is defined by the event source.
Service Error Control ID	`service_error_control_id`	Integer	The normalized identifier of the service error control. `0`: Unknown (`UNKNOWN`) `1`: Ignore (`IGNORE`) `2`: Normal (`NORMAL`) `3`: Severe (`SEVERE`) `4`: Critical (`CRITICAL`) `99`: Other (`OTHER`)
Service Start Name	`service_start_name`	String	For a user mode service, this attribute represents the name of the account under which the service is run. For a kernel mode driver, this attribute represents the object name used to load the driver.
Service Start Type	`service_start_type`	String	The service start type, normalized to the caption of the `service_start_type_id` value. In the case of 'Other', it is defined by the event source.
Service Start Type ID	`service_start_type_id`	Integer	The normalized identifier of the service start type. `0`: Unknown (`UNKNOWN`) `1`: Boot (`BOOT`) `2`: System (`SYSTEM`) `3`: Auto (`AUTO`) `4`: Demand (`DEMAND`) `5`: Disabled (`DISABLED`) `99`: Other (`OTHER`)
Service Type	`service_type`	String	The service type, normalized to the caption of the service_type_id value. In the case of 'Other', it is defined by the event source.
Service Type ID	`service_type_id`	Integer	The normalized identifier of the service type. `0`: Unknown (`UNKNOWN`) `1`: Kernel Driver (`KERNEL_DRIVER`) `2`: File System Driver (`FILE_SYSTEM_DRIVER`) `3`: Own Process (`OWN_PROCESS`) `4`: Share Process (`SHARE_PROCESS`) `99`: Other (`OTHER`)
Tags	`tags`	Key:Value object[]	The list of tags; `{key:value}` pairs associated to the service.
Unique ID	`uid`	String	The unique identifier of the service.
Unmapped	`unmapped`	Unmapped[]	Data from the source that was not mapped into the schema.
Version	`version`	String	The version of the service.

Relationships

Inbound Relationships

These objects and events reference Windows Service in their attributes:

Outbound Relationships

Windows Service references the following objects and events in its attributes:

This page describes ocsf-1.4.0