From d90dcfc076a58e4a1ff50a9e8fa6d9bd0b34e8ae Mon Sep 17 00:00:00 2001
From: Dave McCormack
Date: Thu, 22 Aug 2024 18:31:39 +0100
Subject: [PATCH] Added Script Activity event class. (#1159)
#### Related Issue: https://github.com/ocsf/ocsf-schema/issues/1156
#### Description of changes: Added a Script Activity event class to the System category as described in the related issue.
Signed-off-by: Dave McCormack
Co-authored-by: Paul Agbabian
---
 CHANGELOG.md | 1 +
 dictionary.json | 16 ++++++
 events/system/script.json | 21 ++++++++
 extensions/windows/objects/evidences.json | 1 +
 objects/evidences.json | 7 ++-
 objects/script.json | 63 +++++++++++++++++++++++
 6 files changed, 108 insertions(+), 1 deletion(-)
 create mode 100644 events/system/script.json
 create mode 100644 objects/script.json
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 245574d8f..0a6ef991d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -42,6 +42,7 @@ Thankyou! -->
 ### Added
 * #### Event Classes
 1. Added `OSINT Inventory Info` event class to the Discovery category. #1154
+ 2. Added `Script Activity` event class to the System category. #1159
 ### Improved
 * #### Objects
diff --git a/dictionary.json b/dictionary.json
index fe0c06be5..1a2f2275e 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -3199,6 +3199,11 @@
 "description": "The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.",
 "type": "process"
 },
+ "parent_uid": {
+ "caption": "Parent Unique ID",
+ "description": "The unique identifier of an object's parent object. See specific usage.",
+ "type": "string_t"
+ },
 "path": {
 "caption": "Path",
 "description": "The path that pertains to the event or object. See specific usage.",
@@ -3929,6 +3934,17 @@
 }
 }
 },
+ "script": {
+ "caption": "Script",
+ "description": "The script object.",
+ "type": "script"
+ },
+ "script_content": {
+ "observable": 36,
+ "caption": "Script Content",
+ "description": "The script content, normalized to UTF-8 encoding irrespective of its original encoding.",
+ "type": "string_t"
+ },
 "section_a": {
 "caption": "JA4 Section A",
 "description": "The 'a' section of the JA4 fingerprint.",
diff --git a/events/system/script.json b/events/system/script.json
new file mode 100644
index 000000000..06830137d
--- /dev/null
+++ b/events/system/script.json
@@ -0,0 +1,21 @@
+{
+ "caption": "Script Activity",
+ "description": "Script Activity events report when a process executes a script.",
+ "extends": "system",
+ "name": "script_activity",
+ "uid": 9,
+ "attributes": {
+ "activity_id": {
+ "enum": {
+ "1": {
+ "caption": "Execute"
+ }
+ }
+ },
+ "script": {
+ "description": "The script that was the target of the activity.",
+ "group": "primary",
+ "requirement": "required"
+ }
+ }
+}
diff --git a/extensions/windows/objects/evidences.json b/extensions/windows/objects/evidences.json
index 9b4dff146..e8086b8e8 100644
--- a/extensions/windows/objects/evidences.json
+++ b/extensions/windows/objects/evidences.json
@@ -34,6 +34,7 @@
 "url",
 "user",
 "job",
+ "script",
 "reg_key",
 "reg_value",
 "win_service"
diff --git a/objects/evidences.json b/objects/evidences.json
index 8b41cc88c..95f431f20 100644
--- a/objects/evidences.json
+++ b/objects/evidences.json
@@ -71,6 +71,10 @@
 "job": {
 "description": "Describes details about the scheduled job that was associated with the activity that triggered the detection.",
 "requirement": "recommended"
+ },
+ "script": {
+ "description": "Describes details about the script that was associated with the activity that triggered the detection.",
+ "requirement": "recommended"
 }
 },
 "constraints": {
@@ -90,7 +94,8 @@
 "src_endpoint",
 "url",
 "user",
- "job"
+ "job",
+ "script"
 ]
 }
 }
\ No newline at end of file
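Review bot: The new `script_content` entry declares `"observable": 36`, yet none of the six files in the diffstat is the observable object's `type_id` enum, so unless 36 was already registered there in an earlier commit the dictionary would reference an observable type the schema does not define; worth confirming before merge. The same attribute's description could also state what the value really is for consumers deciding how to store it: for interactive or file-less scripts it is the verbatim text and can carry credentials or other secrets placed there by the author, e.g. `"description": "The script content, normalized to UTF-8 encoding irrespective of its original encoding. May contain embedded secrets; treat as sensitive when storing or displaying."`. The enclosing top-level object of dictionary.json starts and ends outside the hunk.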
diff --git a/objects/script.json b/objects/script.json
new file mode 100644
index 000000000..6050053a1
--- /dev/null
+++ b/objects/script.json
@@ -0,0 +1,63 @@
+{
+ "caption": "Script",
+ "description": "The Script object describes a script or command that can be executed by a shell, script engine, or interpreter. Examples include Bash, JavsScript, PowerShell, Python, VBScript, etc. Note that the term script here denotes not only a script contained within a file but also a script or command typed interactively by a user, supplied on the command line, or provided by some other file-less mechanism.",
+ "extends": "object",
+ "name": "script",
+ "attributes": {
+ "file": {
+ "description": "Present if this script is associated with a file. Not present in the case of a file-less script.",
+ "requirement": "optional"
+ },
+ "hashes": {
+ "description": "An array of the script's cryptographic hashes. Note that these hashes are calculated on the script in its original encoding, and not on the normalized UTF-8 encoding found in the script_content attribute.",
+ "requirement": "recommended"
+ },
+ "parent_uid": {
+ "description": "When a script is a dynamically executed sub-script, and when the underlying script engine supports use of the uid attribute, this parent_uid attribute identifies the parent script.",
+ "requirement": "optional"
+ },
+ "script_content": {
+ "requirement": "required"
+ },
+ "type": {
+ "description": "The script type, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional"
+ },
+ "type_id": {
+ "description": "The normalized script type ID.",
+ "requirement": "required",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The script type is unknown."
+ },
+ "1": {
+ "caption": "Windows Command Prompt"
+ },
+ "2": {
+ "caption": "PowerShell"
+ },
+ "3": {
+ "caption": "Python"
+ },
+ "4": {
+ "caption": "JavaScript"
+ },
+ "5": {
+ "caption": "VBScript"
+ },
+ "6": {
+ "caption": "Unix Shell"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The script type is not mapped. 
See the type attribute which contains an event source specific value."
+ }
+ }
+ },
+ "uid": {
+ "description": "Some script engines assign a unique ID to each individual execution of a given script, e.g. PowerShell's Script Block ID. This uid attribute enables a dynamically executed sub-script to refer to its parent.",
+ "requirement": "optional"
+ }
+ }
+}
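Review bot: The object-level `description` misspells JavaScript as `JavsScript`; this string is rendered in the published schema documentation, so the example list should read `Examples include Bash, JavaScript, PowerShell, Python, VBScript, etc.`. Separately, `script_content` is `required` while `hashes` is only `recommended`, and the `hashes` description already states that the hashes are computed over the original encoding rather than the normalized text, which means a consumer cannot recompute or verify them from `script_content` alone; that consequence is worth spelling out on the `script_content` attribute itself, together with a note that the value may be large and may include secrets typed or embedded by the author, so consumers can decide how to store and display it. The `type_id` enum entries 1–6 carry captions only, which matches the convention used for 0 and 99 here, so no change is needed there.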