ocsf · floydtree · Sep 4, 2024 · Jun 25, 2024 · Jun 25, 2024 · Jun 25, 2024
@@ -47,6 +47,7 @@ Thankyou! -->
     2. Added `Remediation Activity` `File Remediation Activity` `Process Remediation Activity` `Network Remediation Activity` event classes. #1066
     3. Added `Windows Service Activity` event class to the Windows extension. #1103
     4. Added `Software Inventory Info` event class to the Discovery category. #1134
+    5. Added `Startup Application Query` event class. #1119
 * #### Profiles
     1. Added `osint` Profile based on `osint` object. #992
 * #### Objects

@@ -3671,6 +3671,19 @@
       "description": "The rules that reported the events.",
       "type": "rule"
     },
+    "run_mode_ids": {
+      "caption": "Run Mode IDs",
+      "description": "The list of normalized identifiers that describe application attributes.",
+      "type": "integer_t",
+      "enum": {},
+      "is_array": true
+    },
+    "run_modes": {
+      "caption": "Run Modes",
+      "description": "The list of run_modes, normalized to the captions of the run_mode_ids values.  In the case of 'Other', they are defined by the event source.",
+      "type": "string_t",
+      "is_array": true
+    },
     "run_state": {
       "caption": "Run State",
       "description": "The state of the job or service, normalized to the caption of the run_state_id value. In the case of 'Other', it is defined by the event source. See specific usage.",
@@ -4068,6 +4081,63 @@
       "description": "The start time of a time period. See specific usage.",
       "type": "timestamp_t"
     },
+    "start_type": {
+      "caption": "Start Type",
+      "description": "The start type of a service, driver, or application.",
+      "type": "string_t"
+    },
+    "start_type_id": {
+      "caption": "Start Type ID",
+      "description": "The start type ID of a service or application.",
+      "enum": {
+        "0": {
+          "caption": "Unknown",
+          "description": "The start type is unknown."
+        },
+        "1": {
+          "caption": "Auto",
+          "description": "Service started automatically during system startup."
+        },
+        "2": {
+          "caption": "Boot",
+          "description": "Device driver started by the system loader."
+        },
+        "3": {
+          "caption": "On Demand",
+          "description": "Started on demand. For example, by the Window service control manager when a process calls the <i>StartService</i> function."
+        },
+        "4": {
+          "caption": "Disabled",
+          "description": "The service is disabled, and cannot be started."
+        },
+        "5": {
+          "caption": "All Logins",
+          "description": "Started on all user logins."
+        },
+        "6": {
+          "caption": "Specific User Login",
+          "description": "Started on specific user logins."
+        },
+        "7": {
+          "caption": "Scheduled",
+          "description": "Stared according to a schedule."
+        },
+        "8": {
+          "caption": "System Changed",
+          "description": "Started when a system item, such as a file or registry key, changes."
+        },
+        "99": {
+          "caption": "Other",
+          "description": "The start type is not mapped. See the <code>start_type</code> attribute, which contains a data source specific value."
+        }
+      },
+      "type": "integer_t"
+    },
+    "startup_app": {
+      "caption": "Startup Application",
+      "description": "The startup application object describes an application that has associated startup criteria and configurations.",
+      "type": "startup_app"
+    },
     "state": {
       "caption": "State",
       "description": "The state of the event or object, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the event source. See specific usage.",

diff --git a/events/discovery/startup_app_query.json b/events/discovery/startup_app_query.json
@@ -0,0 +1,13 @@
+{
+  "caption": "Startup Application Query",
+  "description": "Startup Application Query events report information about discovered startup applications.",
+  "extends": "discovery_result",
+  "name": "startup_app_query",
+  "uid": 21,
+  "attributes": {
+    "startup_app": {
+      "group": "primary",
+      "requirement": "required"
+    }
+  }
+}
diff --git a/objects/startup_app.json b/objects/startup_app.json
@@ -0,0 +1,171 @@
+{
+  "caption": "Startup Application",
+  "name": "startup_app",
+  "description": "The startup application object describes an application that has associated startup criteria and configurations.",
+  "attributes": {
+    "name": {
+      "description": "The unique name of the startup application.",
+      "requirement": "required"
+    },
+    "run_modes": {
+      "description": "The list of run_modes, normalized to the captions of the run_mode_id values.  In the case of 'Other', they are defined by the event source.",
+      "requirement": "optional"
+    },
+    "run_mode_ids": {
+      "description": "The list of normalized identifiers that describe application attributes.",
+      "requirement": "optional",
+      "enum": {
+        "0": {
+          "caption": "Interactive",
+          "description": "The application interacts with the desktop."
+        },
+        "1": {
+          "caption": "Own Process",
+          "description": "The application runs in its own process."
+        },
+        "2": {
+          "caption": "Shared Process",
+          "description": "The application runs in a shared process."
+        },
+        "99": {
+          "caption": "Other"
+        }
+      }
+    },
+    "run_state": {
+      "description": "The run state of the startup application.",
+      "requirement": "optional"
+    },
+    "run_state_id": {
+      "description": "The run state ID of the startup application.",
+      "requirement": "recommended",
+      "enum": {
+        "0": {
+          "caption": "Unknown",
+          "description": "The run state is unknown."
+        },
+        "1": {
+          "caption": "Stopped",
+          "description": "The sercie is not running."
+        },
+        "2": {
+          "caption": "Start Pending",
+          "description": "The service is starting."
+        },
+        "3": {
+          "caption": "Stop Pending",
+          "description": "The service is stopping."
+        },
+        "4": {
+          "caption": "Running",
+          "description": "The service is running."
+        },
+        "5": {
+          "caption": "Continue Pending",
+          "description": "The service is pending continue."
+        },
+        "6": {
+          "caption": "Pause Pending",
+          "description": "The service is pending pause."
+        },
+        "7": {
+          "caption": "Paused",
+          "description": "The service is paused."
+        },
+        "8": {
+          "caption": "Restart Pending",
+          "description": "The service is pending restart."
+        },
+        "99": {
+          "caption": "Other",
+          "description": "The run state is not mapped. See the <code>run_state</code> attribute, which contains data source specific values."
+        }
+      }
+    },
+    "start_type": {
+      "description": "The start type of the startup application.",
+      "requirement": "optional"
+    },
+    "start_type_id": {
+      "description": "The start type ID of the startup application.",
+      "requirement": "required"
+    },
+    "type": {
+      "caption": "Type",
+      "description": "The startup application type.",
+      "type": "string_t"
+    },
+    "type_id": {
+      "caption": "Type ID",
+      "description": "The startup application type identifier.",
+      "enum": {
+        "0": {
+          "caption": "Unknown",
+          "description": "The type is unknown."
+        },
+        "1": {
+          "caption": "Kernel Mode Driver",
+          "description": "Kernel mode Operating System driver."
+        },
+        "2": {
+          "caption": "User Mode Driver",
+          "description": "User mode Operating System driver."
+        },
+        "3": {
+          "caption": "Service",
+          "description": "An executable background process typically managed by the Operating System."
+        },
+        "4": {
+          "caption": "User Mode Application",
+          "description": "An application that runs in the user space."
+        },
+        "5": {
+          "caption": "Autoload",
+          "description": "The macOS Autoload Application."
+        },
+        "6": {
+          "caption": "System Extension",
+          "description": "System extensions on macOS enables 3rd parties to extend the capabilities of macOS."
+        },
+        "7": {
+          "caption": "Kernel Extension",
+          "description": "Kernel extensions on macOS includes Apple provided pre-installs and 3rd party installs which enables support for specific hardware or software features not natively supported by macOS."
+        },
+        "8": {
+          "caption": "Scheduled Job, Task",
+          "description": "A job or task that runs on a configured schedule."
+        },
+        "99": {
+          "caption": "Other",
+          "description": "The startup application type is not mapped. See the <code>type</code> attribute, which contains data source specific values."
+        }
+      },
+      "type": "integer_t"
+    },
+    "driver": {
+      "description": "The startup application kernel driver resource.",
+      "requirement": "optional"
+    },
+    "job": {
+      "description": "The startup application job resource.",
+      "requirement": "optional"
+    },
+    "process": {
+      "description": "The startup application process resource.",
+      "requirement": "optional"
+    },
+    "win/win_service": {
+      "caption": "Windows Service",
+      "description": "The startup application windows service resource.",
+      "requirement": "optional"
+    }
+  },
+  "constraints": {
+    "just_one": [
+      "driver",
+      "job",
+      "process",
+      "win_service"
+    ]
+  }
+}