Service

service

The Service object describes characteristics of a service, e.g. AWS EC2.

Contents

Attributes

Caption Name Type Is Array Default Description
Command Line cmd_line String The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '' is to be used.

Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0

File file File The service file object.

Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0

Labels labels String The list of labels associated with the service.
Loaded Module loaded_module_name String The name of the module loaded by the service.

Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0

Name name String The name of the service.
Raw Data raw_data JSON The event data as received from the event source.
Record ID record_id String Unique identifier for the object
Run State run_state String The service run state.

Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0

Run State ID run_state_id Integer The service run state ID.

Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0

-1
Other
0
Unknown
1
Stopped
2
Start Pending
3
Stop Pending
4
Running
5
Continue Pending
6
Pause Pending
7
Paused
Start Type start_type String The service start type.

Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0

Start Type ID start_type_id Integer The service start type ID.

Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0

-1
Other
0
Unknown
1
Auto
10
System Changed
2
Boot
3
Demand
4
System
5
Disabled
6
All Logins
7
Specific User Login
8
Interactive Login
9
Scheduled
Type IDs type_ids Integer The service type identifiers.

Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0

-1
Other
0
Unknown
1
Adapter
2
File System Driver
3
Kernel Driver
4
Recognized Driver
5
Own Process
6
Shared Process
7
Interactive
8
Other
9
Autoload
Types types String The service types.

Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0

Unique ID uid String The unique identifier of the service.
Unmapped Data unmapped Unmapped The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
Version version String The version of the service.

References

Referenced By

Context

Service

JSON

            
{
  "caption": "Service",
  "description": "The Service object describes characteristics of a service, <code> e.g. AWS EC2. </code>",
  "extends": "_entity",
  "name": "service",
  "attributes": {
    "labels": {
      "description": "The list of labels associated with the service.",
      "requirement": "optional",
      "caption": "Labels",
      "is_array": true,
      "type": "string_t"
    },
    "name": {
      "description": "The name of the service.",
      "requirement": "recommended",
      "caption": "Name",
      "type": "string_t"
    },
    "uid": {
      "description": "The unique identifier of the service.",
      "requirement": "recommended",
      "caption": "Unique ID",
      "type": "string_t"
    },
    "version": {
      "description": "The version of the service.",
      "requirement": "recommended",
      "caption": "Version",
      "type": "string_t"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    },
    "types": {
      "description": "The service types.",
      "requirement": "optional",
      "caption": "Types",
      "is_array": true,
      "type": "string_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "run_state": {
      "description": "The service run state.",
      "requirement": "optional",
      "caption": "Run State",
      "type": "string_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "run_state_id": {
      "description": "The service run state ID.",
      "requirement": "required",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The service run state is unknown."
        },
        "1": {
          "caption": "Stopped",
          "description": "The service is not running."
        },
        "2": {
          "caption": "Start Pending",
          "description": "The service is starting."
        },
        "3": {
          "caption": "Stop Pending",
          "description": "The service is stopping."
        },
        "4": {
          "caption": "Running",
          "description": "The service is running."
        },
        "5": {
          "caption": "Continue Pending",
          "description": "The service continue is pending."
        },
        "6": {
          "caption": "Pause Pending",
          "description": "The service pause is pending."
        },
        "7": {
          "caption": "Paused",
          "description": "The service is paused."
        },
        "-1": {
          "caption": "Other",
          "description": "The service run state is other."
        }
      },
      "caption": "Run State ID",
      "sibling": "run_state",
      "type": "integer_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "start_type_id": {
      "description": "The service start type ID.",
      "requirement": "required",
      "caption": "Start Type ID",
      "enum": {
        "-1": {
          "caption": "Other",
          "description": "The start type is not mapped. See the <code>start_type</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The startup type is unknown."
        },
        "1": {
          "caption": "Auto",
          "description": "Started automatically during system startup."
        },
        "10": {
          "caption": "System Changed",
          "description": "Started when a system item, such as a file or registry key, changes."
        },
        "2": {
          "caption": "Boot",
          "description": "Started by the system loader."
        },
        "3": {
          "caption": "Demand",
          "description": "Started on demand. For example, by the Windows service control manager when a process calls the <i>StartService</i> function."
        },
        "4": {
          "caption": "System",
          "description": "Started by the <i>IoInitSystem</i> function."
        },
        "5": {
          "caption": "Disabled",
          "description": "Disabled."
        },
        "6": {
          "caption": "All Logins",
          "description": "Started on any user login."
        },
        "7": {
          "caption": "Specific User Login",
          "description": "Started on a specific user login."
        },
        "8": {
          "caption": "Interactive Login",
          "description": "Started on interactive logins."
        },
        "9": {
          "caption": "Scheduled",
          "description": "Started according to a schedule."
        }
      },
      "type": "integer_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "start_type": {
      "description": "The service start type.",
      "requirement": "optional",
      "caption": "Start Type",
      "type": "string_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "file": {
      "description": "The service file object.",
      "requirement": "required",
      "caption": "File",
      "type": "file",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "cmd_line": {
      "requirement": "recommended",
      "caption": "Command Line",
      "description": "The full command line used to launch an application, service, process, or job. For example: <code>ssh user@10.0.0.10</code>. If the command line is unavailable or missing, the empty string <code>''</code> is to be used.",
      "type": "string_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      },
      "observable": 13
    },
    "loaded_module_name": {
      "requirement": "recommended",
      "caption": "Loaded Module",
      "description": "The name of the module loaded by the service.",
      "type": "string_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "type_ids": {
      "description": "The service type identifiers.",
      "requirement": "required",
      "caption": "Type IDs",
      "enum": {
        "-1": {
          "caption": "Other",
          "description": "The service type is not mapped. See the <code>types</code> attribute, which contains data source specific values."
        },
        "0": {
          "caption": "Unknown",
          "description": "The type is unknown"
        },
        "1": {
          "caption": "Adapter",
          "description": "Adapter"
        },
        "2": {
          "caption": "File System Driver",
          "description": "File system driver"
        },
        "3": {
          "caption": "Kernel Driver",
          "description": "Device driver"
        },
        "4": {
          "caption": "Recognized Driver",
          "description": "Recognized Driver"
        },
        "5": {
          "caption": "Own Process",
          "description": "The application runs in its own process"
        },
        "6": {
          "caption": "Shared Process",
          "description": "The application shares a process with other services"
        },
        "7": {
          "caption": "Interactive",
          "description": "The service can interact with the desktop"
        },
        "8": {
          "caption": "Other",
          "description": "U/X, OS X service"
        },
        "9": {
          "caption": "Autoload",
          "description": "The Mac OS X Autoload Application"
        }
      },
      "is_array": true,
      "type": "integer_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    }
  },
  "constraints": {
    "at_least_one": [
      "name",
      "uid"
    ]
  }
}