Scheduled Task/Job T1053 is a widely used technique to implement the tactics of Execution, Persistence, and Privilege Escalation. The OCSF schema's Scheduled Job Activity event class covers this, with the Job object providing detail.
Unfortunately, the Evidence Artifacts object doesn't have a job attribute and this means that a Detection Finding event triggered in part or in full by a Scheduled Job Activity event cannot include details of the implicated job. I see this as a significant gap.
I will create a very short PR to add the job attribute to the Evidence Artifacts object. Note that this issue is very similar to one that I raised and fixed previously, albeit this new issue is simpler to address because it is not platform specific.