https://unifiedcyberontology.org/ontology/uco/observable#WindowsTaskFacet
A Windows Task facet is a grouping of characteristics unique to a Windows Task (a process that is scheduled to execute on a Windows operating system by the Windows Task Scheduler). [based on http://msdn.microsoft.com/en-us/library/windows/desktop/aa381311(v=vs.85).aspx]
Instances of observable:WindowsTaskFacet can have the following properties:
PROPERTY | TYPE | DESCRIPTION | RANGE |
---|---|---|---|
From class owl:Thing | |||
investigation:authorizationIdentifier | owl:DatatypeProperty | The identifier for a particular authorization (e.g. warrant number) | xsd:string |
investigation:authorizationType | owl:DatatypeProperty | A label categorizing a type of authorization (e.g. warrant) | xsd:string |
investigation:exhibitNumber | owl:DatatypeProperty | Specifies a unique identifier assigned to a given object at any stage of an investigation to differentiate it from all other objects. | xsd:string |
investigation:focus | owl:DatatypeProperty | Specifies the topical focus of an investigation. | xsd:string |
investigation:investigationForm | owl:DatatypeProperty | A label categorizing a type of investigation (case, incident, suspicious-activity, etc.) | vocab:InvestigationFormVocab |
investigation:investigationStatus | owl:DatatypeProperty | A label characterizing the status of an investigation (open, closed, etc.). | xsd:string |
investigation:relevantAuthorization | owl:ObjectProperty | Specifies an authorization relevant to a particular investigation. | investigation:Authorization |
investigation:rootExhibitNumber | owl:DatatypeProperty | Specifies a unique identifier assigned to a given object at the start of its treatment as part of an investigation. The first node in a provenance chain, which can be viewed as a hierarchical tree originating from a single root. | xsd:string |
By the associated SHACL property shapes, instances of observable:WindowsTaskFacet can have the following properties:
PROPERTY | PROPERTY TYPE | DESCRIPTION | MIN COUNT | MAX COUNT | LOCAL RANGE | GLOBAL RANGE |
---|---|---|---|---|---|---|
observable:WindowsTaskFacet | ||||||
observable:account | owl:ObjectProperty | Specifies the account used to run the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381228(v=vs.85).aspx. | 0 | 1 | observable:ObservableObject | observable:ObservableObject |
observable:accountLogonType | owl:DatatypeProperty | Specifies the security logon method required to run the tasks associated with the account. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa383013(v=vs.85).aspx. | 0 | 1 | xsd:string | xsd:string |
observable:accountRunLevel | owl:DatatypeProperty | Specifies the permission level of the account that the task will be run at. | 0 | 1 | xsd:string | xsd:string |
observable:actionList | owl:ObjectProperty | Specifies a list of actions to be performed by the scheduled task. | 0 | * | observable:TaskActionType | observable:TaskActionType |
observable:application | owl:ObjectProperty | The application associated with this object. | 0 | 1 | observable:ObservableObject | observable:ObservableObject |
observable:exitCode | owl:DatatypeProperty | Specifies the last exit code of the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381245(v=vs.85).aspx. | 0 | 1 | xsd:integer | xsd:integer |
observable:flags | owl:DatatypeProperty | Specifies any flags that modify the behavior of the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381248(v=vs.85).aspx. | 0 | * | vocabulary1:TaskFlagVocab | vocabulary1:TaskFlagVocab |
observable:imageName | owl:DatatypeProperty | Specifies the image name for the task. | 0 | 1 | xsd:string | xsd:string |
observable:maxRunTime | owl:DatatypeProperty | Specifies the maximum run time of the scheduled task before terminating, in milliseconds. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381874(v=vs.85).aspx. | 0 | 1 | xsd:integer | xsd:integer |
observable:mostRecentRunTime | owl:DatatypeProperty | Specifies the most recent run date/time of this scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381254(v=vs.85).aspx. | 0 | 1 | xsd:dateTime | xsd:dateTime |
observable:nextRunTime | owl:DatatypeProperty | Specifies the next run date/time of the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381257(v=vs.85).aspx. | 0 | 1 | xsd:dateTime | xsd:dateTime |
observable:observableCreatedTime | owl:DatatypeProperty | The date and time at which the observable object being characterized was created. This time pertains to an intrinsic characteristic of the observable object, and would be consistent across independent characterizations or observations of the observable object. | 0 | 1 | xsd:dateTime | xsd:dateTime |
observable:parameters | owl:DatatypeProperty | Specifies the command line parameters used to launch the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381875(v=vs.85).aspx. | 0 | 1 | xsd:string | xsd:string |
observable:priority | owl:DatatypeProperty | The priority of the email. | 0 | 1 | vocabulary1:TaskPriorityVocab | owl:Thing |
observable:status | owl:DatatypeProperty | Specifies a list of statuses for a given Whois entry. | 0 | 1 | vocabulary1:TaskStatusVocab | owl:Thing |
observable:taskComment | owl:DatatypeProperty | Specifies a comment for the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381232(v=vs.85).aspx. | 0 | 1 | xsd:string | xsd:string |
observable:taskCreator | owl:DatatypeProperty | Specifies the name of the creator of the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381235(v=vs.85).aspx. | 0 | 1 | xsd:string | xsd:string |
observable:triggerList | owl:ObjectProperty | Specifies a set of triggers used by the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa383264(v=vs.85).aspx. | 0 | * | observable:TriggerType | observable:TriggerType |
observable:workItemData | owl:ObjectProperty | Specifies application defined data associated with the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381271(v=vs.85).aspx. | 0 | 1 | observable:ObservableObject | observable:ObservableObject |
observable:workingDirectory | owl:ObjectProperty | Specifies the working directory for the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381878(v=vs.85).aspx. | 0 | 1 | observable:ObservableObject | observable:ObservableObject |

```turtle
@prefix core: <https://unifiedcyberontology.org/ontology/uco/core#> .
@prefix observable: <https://unifiedcyberontology.org/ontology/uco/observable#> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix vocabulary1: <https://unifiedcyberontology.org/ontology/uco/vocabulary#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

observable:WindowsTaskFacet a owl:Class,
        sh:NodeShape ;
    rdfs:label "WindowsTaskFacet"@en ;
    rdfs:comment "A Windows Task facet is a grouping of characteristics unique to a Windows Task (a process that is scheduled to execute on a Windows operating system by the Windows Task Scheduler). [based on http://msdn.microsoft.com/en-us/library/windows/desktop/aa381311(v=vs.85).aspx]"@en ;
    rdfs:subClassOf core:Facet ;
    sh:property [ sh:class observable:ObservableObject ;
            sh:maxCount 1 ;
            sh:nodeKind sh:BlankNodeOrIRI ;
            sh:path observable:account ],
        [ sh:class observable:ObservableObject ;
            sh:maxCount 1 ;
            sh:nodeKind sh:BlankNodeOrIRI ;
            sh:path observable:application ],
        [ sh:class observable:ObservableObject ;
            sh:maxCount 1 ;
            sh:nodeKind sh:BlankNodeOrIRI ;
            sh:path observable:workItemData ],
        [ sh:class observable:ObservableObject ;
            sh:maxCount 1 ;
            sh:nodeKind sh:BlankNodeOrIRI ;
            sh:path observable:workingDirectory ],
        [ sh:class observable:TaskActionType ;
            sh:nodeKind sh:BlankNodeOrIRI ;
            sh:path observable:actionList ],
        [ sh:class observable:TriggerType ;
            sh:nodeKind sh:BlankNodeOrIRI ;
            sh:path observable:triggerList ],
        [ sh:datatype xsd:dateTime ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mostRecentRunTime ],
        [ sh:datatype xsd:dateTime ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:nextRunTime ],
        [ sh:datatype xsd:dateTime ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:observableCreatedTime ],
        [ sh:datatype xsd:integer ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:exitCode ],
        [ sh:datatype xsd:integer ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:maxRunTime ],
        [ sh:datatype xsd:string ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:accountLogonType ],
        [ sh:datatype xsd:string ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:accountRunLevel ],
        [ sh:datatype xsd:string ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:imageName ],
        [ sh:datatype xsd:string ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:parameters ],
        [ sh:datatype xsd:string ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:taskComment ],
        [ sh:datatype xsd:string ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:taskCreator ],
        [ sh:datatype vocabulary1:TaskFlagVocab ;
            sh:nodeKind sh:Literal ;
            sh:path observable:flags ],
        [ sh:datatype vocabulary1:TaskPriorityVocab ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:priority ],
        [ sh:datatype vocabulary1:TaskStatusVocab ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:status ] ;
    sh:targetClass observable:WindowsTaskFacet .
```