Dave McCormack

Results: 6 issues by Dave McCormack

#### Related Issue: [#1124](https://github.com/ocsf/ocsf-schema/issues/1124)

#### Description of changes:

- Added the pre-existing `job` attribute to the `Evidence Artifacts` object.
- Adjusted the `at_least_one` constraint in the object to include `job`....

Scheduled Task/Job [T1053](https://attack.mitre.org/versions/v15/techniques/T1053/) is a widely-used technique to implement the tactics of Execution, Persistence, and Privilege Escalation. The OCSF schema's [`Scheduled Job Activity`](https://schema.ocsf.io/1.3.0-dev/classes/scheduled_job_activity) event class covers this, with the [`Job`](https://schema.ocsf.io/1.3.0-dev/objects/job)...

The [`Job`](https://schema.ocsf.io/1.3.0-dev/objects/job) object is used by `Scheduled Job Activity` and `Job Query`. I'm afraid it is a long way from being able to adequately describe Windows scheduled jobs. The biggest...

PR 1159 added the `Script Activity` event class to the schema. It was authored by myself and merged on 22nd August. Within a week of this, I realised on trying...

TL;DR - The schema needs a new activity class to represent script execution events. Most Windows EDR products provide visibility into the execution of PowerShell, Python, VBScript, JavaScript, Office macros,...

The Windows registry's leaf nodes are known as _values_. Each value consists of a name and a data value. The data value is strongly typed from a set of nine...
