ocsf / ocsf-schema

OCSF Schema
Apache License 2.0

Evidence Artifacts object doesn't have attribute to describe target job of a Scheduled Job Activity #1124

Closed davemcatcisco closed 2 months ago

davemcatcisco commented 3 months ago

Scheduled Task/Job T1053 is a widely-used technique to implement the tactics of Execution, Persistence, and Privilege Escalation. The OCSF schema's Scheduled Job Activity event class covers this, with the Job object providing detail.

Unfortunately, the Evidence Artifacts object doesn't have a job attribute and this means that a Detection Finding event triggered in part or in full by a Scheduled Job Activity event cannot include details of the implicated job. I see this as a significant gap.

I will create a very short PR to add the job attribute to the Evidence Artifacts object. Note that this issue is very similar to one that I raised and fixed previously, albeit this new issue is simpler to address because it is not platform specific.