https://ontology.unifiedcyberontology.org/uco/observable/WindowsTaskFacet
A Windows Task facet is a grouping of characteristics unique to a Windows Task (a process that is scheduled to execute on a Windows operating system by the Windows Task Scheduler). [based on http://msdn.microsoft.com/en-us/library/windows/desktop/aa381311(v=vs.85).aspx]
Instances of observable:WindowsTaskFacet can have the following properties:
PROPERTY | TYPE | DESCRIPTION | RANGE |
---|---|---|---|
From class owl:Thing | | | |
types:threadNextItem | owl:ObjectProperty | The link to a next item in a thread. | owl:Thing |
types:threadPreviousItem | owl:ObjectProperty | A direct link to a previous item in a thread. | owl:Thing |
By the associated SHACL property shapes, instances of observable:WindowsTaskFacet can have the following properties:
PROPERTY | PROPERTY TYPE | DESCRIPTION | MIN COUNT | MAX COUNT | LOCAL RANGE | GLOBAL RANGE |
---|---|---|---|---|---|---|
observable:WindowsTaskFacet | | | | | | |
observable:account | owl:ObjectProperty | Specifies the account referenced in an event log entry or used to run the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381228(v=vs.85).aspx. | | 1 | observable:ObservableObject | observable:ObservableObject |
observable:accountLogonType | owl:DatatypeProperty | Specifies the security logon method required to run the tasks associated with the account. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa383013(v=vs.85).aspx. | | 1 | xsd:string | xsd:string |
observable:accountRunLevel | owl:DatatypeProperty | Specifies the permission level of the account that the task will be run at. | | 1 | xsd:string | xsd:string |
observable:actionList | owl:ObjectProperty | Specifies a list of actions to be performed by the scheduled task. | | | observable:TaskActionType | observable:TaskActionType |
observable:application | owl:ObjectProperty | The application associated with this object. | | 1 | observable:ObservableObject | observable:ObservableObject |
observable:exitCode | owl:DatatypeProperty | Specifies the last exit code of the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381245(v=vs.85).aspx. | | 1 | xsd:integer | xsd:integer |
observable:flags | owl:DatatypeProperty | Specifies any flags that modify the behavior of the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381248(v=vs.85).aspx. | | | vocabulary:TaskFlagVocab | owl:Thing |
observable:imageName | owl:DatatypeProperty | Specifies the image name for the task. | | 1 | xsd:string | xsd:string |
observable:maxRunTime | owl:DatatypeProperty | Specifies the maximum run time of the scheduled task before terminating, in milliseconds. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381874(v=vs.85).aspx. | | 1 | xsd:integer | xsd:integer |
observable:mostRecentRunTime | owl:DatatypeProperty | Specifies the most recent run date/time of this scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381254(v=vs.85).aspx. | | 1 | xsd:dateTime | xsd:dateTime |
observable:nextRunTime | owl:DatatypeProperty | Specifies the next run date/time of the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381257(v=vs.85).aspx. | | 1 | xsd:dateTime | xsd:dateTime |
observable:observableCreatedTime | owl:DatatypeProperty | The date and time at which the observable object being characterized was created. This time pertains to an intrinsic characteristic of the observable object, and would be consistent across independent characterizations or observations of the observable object. | | 1 | xsd:dateTime | xsd:dateTime |
observable:parameters | owl:DatatypeProperty | Specifies the command line parameters used to launch the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381875(v=vs.85).aspx. | | 1 | xsd:string | xsd:string |
observable:priority | owl:DatatypeProperty | The priority of the email. | | 1 | vocabulary:TaskPriorityVocab | owl:Thing |
observable:status | owl:DatatypeProperty | Specifies a list of statuses for a given Whois entry. | | 1 | vocabulary:TaskStatusVocab | owl:Thing |
observable:taskComment | owl:DatatypeProperty | Specifies a comment for the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381232(v=vs.85).aspx. | | 1 | xsd:string | xsd:string |
observable:taskCreator | owl:DatatypeProperty | Specifies the name of the creator of the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381235(v=vs.85).aspx. | | 1 | xsd:string | xsd:string |
observable:triggerList | owl:ObjectProperty | Specifies a set of triggers used by the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa383264(v=vs.85).aspx. | | | observable:TriggerType | observable:TriggerType |
observable:workItemData | owl:ObjectProperty | Specifies application defined data associated with the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381271(v=vs.85).aspx. | | 1 | observable:ObservableObject | observable:ObservableObject |
observable:workingDirectory | owl:ObjectProperty | Specifies the working directory for the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381878(v=vs.85).aspx. | | 1 | observable:ObservableObject | observable:ObservableObject |

```turtle
@prefix core: <https://ontology.unifiedcyberontology.org/uco/core/> .
@prefix observable: <https://ontology.unifiedcyberontology.org/uco/observable/> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix vocabulary: <https://ontology.unifiedcyberontology.org/uco/vocabulary/> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

observable:WindowsTaskFacet a owl:Class,
        sh:NodeShape ;
    rdfs:label "WindowsTaskFacet"@en ;
    rdfs:comment "A Windows Task facet is a grouping of characteristics unique to a Windows Task (a process that is scheduled to execute on a Windows operating system by the Windows Task Scheduler). [based on http://msdn.microsoft.com/en-us/library/windows/desktop/aa381311(v=vs.85).aspx]"@en ;
    rdfs:subClassOf core:Facet ;
    sh:property [ sh:class observable:ObservableObject ;
            sh:maxCount 1 ;
            sh:nodeKind sh:IRI ;
            sh:path observable:account ],
        [ sh:class observable:ObservableObject ;
            sh:maxCount 1 ;
            sh:nodeKind sh:IRI ;
            sh:path observable:application ],
        [ sh:class observable:ObservableObject ;
            sh:maxCount 1 ;
            sh:nodeKind sh:IRI ;
            sh:path observable:workItemData ],
        [ sh:class observable:ObservableObject ;
            sh:maxCount 1 ;
            sh:nodeKind sh:IRI ;
            sh:path observable:workingDirectory ],
        [ sh:class observable:TaskActionType ;
            sh:nodeKind sh:IRI ;
            sh:path observable:actionList ],
        [ sh:class observable:TriggerType ;
            sh:nodeKind sh:IRI ;
            sh:path observable:triggerList ],
        [ sh:datatype xsd:dateTime ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mostRecentRunTime ],
        [ sh:datatype xsd:dateTime ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:nextRunTime ],
        [ sh:datatype xsd:dateTime ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:observableCreatedTime ],
        [ sh:datatype xsd:integer ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:exitCode ],
        [ sh:datatype xsd:integer ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:maxRunTime ],
        [ sh:datatype xsd:string ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:accountLogonType ],
        [ sh:datatype xsd:string ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:accountRunLevel ],
        [ sh:datatype xsd:string ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:imageName ],
        [ sh:datatype xsd:string ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:parameters ],
        [ sh:datatype xsd:string ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:taskComment ],
        [ sh:datatype xsd:string ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:taskCreator ],
        [ sh:datatype vocabulary:TaskFlagVocab ;
            sh:message "Value is outside the default vocabulary TaskFlagVocab." ;
            sh:path observable:flags ;
            sh:severity sh:Info ],
        [ sh:datatype vocabulary:TaskPriorityVocab ;
            sh:message "Value is outside the default vocabulary TaskPriorityVocab." ;
            sh:path observable:priority ;
            sh:severity sh:Info ],
        [ sh:datatype vocabulary:TaskStatusVocab ;
            sh:message "Value is outside the default vocabulary TaskStatusVocab." ;
            sh:path observable:status ;
            sh:severity sh:Info ],
        [ sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:or ( [ sh:datatype vocabulary:TaskPriorityVocab ] [ sh:datatype xsd:integer ] [ sh:datatype xsd:string ] ) ;
            sh:path observable:priority ],
        [ sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:or ( [ sh:datatype vocabulary:TaskStatusVocab ] [ sh:datatype xsd:string ] ) ;
            sh:path observable:status ],
        [ sh:message "Value is not member of the vocabulary TaskFlagVocab." ;
            sh:or ( [ sh:datatype vocabulary:TaskFlagVocab ;
                        sh:in ( "TASK_FLAG_DELETE_WHEN_DONE"^^vocabulary:TaskFlagVocab
                                "TASK_FLAG_DISABLED"^^vocabulary:TaskFlagVocab
                                "TASK_FLAG_DONT_START_IF_ON_BATTERIES"^^vocabulary:TaskFlagVocab
                                "TASK_FLAG_HIDDEN"^^vocabulary:TaskFlagVocab
                                "TASK_FLAG_INTERACTIVE"^^vocabulary:TaskFlagVocab
                                "TASK_FLAG_KILL_IF_GOING_ON_BATTERIES"^^vocabulary:TaskFlagVocab
                                "TASK_FLAG_KILL_ON_IDLE_END"^^vocabulary:TaskFlagVocab
                                "TASK_FLAG_RESTART_ON_IDLE_RESUME"^^vocabulary:TaskFlagVocab
                                "TASK_FLAG_RUN_IF_CONNECTED_TO_INTERNET"^^vocabulary:TaskFlagVocab
                                "TASK_FLAG_RUN_ONLY_IF_LOGGED_ON"^^vocabulary:TaskFlagVocab
                                "TASK_FLAG_START_ONLY_IF_IDLE"^^vocabulary:TaskFlagVocab
                                "TASK_FLAG_SYSTEM_REQUIRED"^^vocabulary:TaskFlagVocab
                                "TASK_FLAG_ZERO"^^vocabulary:TaskFlagVocab ) ]
                    [ sh:datatype xsd:string ] ) ;
            sh:path observable:flags ],
        [ sh:message "Value is not member of the vocabulary TaskPriorityVocab." ;
            sh:or ( [ sh:datatype vocabulary:TaskPriorityVocab ;
                        sh:in ( "ABOVE_NORMAL_PRIORITY_CLASS"^^vocabulary:TaskPriorityVocab
                                "BELOW_NORMAL_PRIORITY_CLASS"^^vocabulary:TaskPriorityVocab
                                "HIGH_PRIORITY_CLASS"^^vocabulary:TaskPriorityVocab
                                "IDLE_PRIORITY_CLASS"^^vocabulary:TaskPriorityVocab
                                "NORMAL_PRIORITY_CLASS"^^vocabulary:TaskPriorityVocab
                                "REALTIME_PRIORITY_CLASS"^^vocabulary:TaskPriorityVocab ) ]
                    [ sh:datatype xsd:integer ]
                    [ sh:datatype xsd:string ] ) ;
            sh:path observable:priority ],
        [ sh:message "Value is not member of the vocabulary TaskStatusVocab." ;
            sh:or ( [ sh:datatype vocabulary:TaskStatusVocab ;
                        sh:in ( "SCHED_E_ACCOUNT_DBASE_CORRUPT"^^vocabulary:TaskStatusVocab
                                "SCHED_E_ACCOUNT_INFORMATION_NOT_SET"^^vocabulary:TaskStatusVocab
                                "SCHED_E_ACCOUNT_NAME_NOT_FOUND"^^vocabulary:TaskStatusVocab
                                "SCHED_E_CANNOT_OPEN_TASK"^^vocabulary:TaskStatusVocab
                                "SCHED_E_INVALID_TASK"^^vocabulary:TaskStatusVocab
                                "SCHED_E_NO_SECURITY_SERVICES"^^vocabulary:TaskStatusVocab
                                "SCHED_E_SERVICE_NOT_INSTALLED"^^vocabulary:TaskStatusVocab
                                "SCHED_E_SERVICE_NOT_RUNNING"^^vocabulary:TaskStatusVocab
                                "SCHED_E_TASK_NOT_READY"^^vocabulary:TaskStatusVocab
                                "SCHED_E_TASK_NOT_RUNNING"^^vocabulary:TaskStatusVocab
                                "SCHED_E_TRIGGER_NOT_FOUND"^^vocabulary:TaskStatusVocab
                                "SCHED_E_UNKNOWN_OBJECT_VERSION"^^vocabulary:TaskStatusVocab
                                "SCHED_E_UNSUPPORTED_ACCOUNT_OPTION"^^vocabulary:TaskStatusVocab
                                "SCHED_S_EVENT_TRIGGER"^^vocabulary:TaskStatusVocab
                                "SCHED_S_TASK_DISABLED"^^vocabulary:TaskStatusVocab
                                "SCHED_S_TASK_HAS_NOT_RUN"^^vocabulary:TaskStatusVocab
                                "SCHED_S_TASK_NOT_SCHEDULED"^^vocabulary:TaskStatusVocab
                                "SCHED_S_TASK_NO_MORE_RUNS"^^vocabulary:TaskStatusVocab
                                "SCHED_S_TASK_NO_VALID_TRIGGERS"^^vocabulary:TaskStatusVocab
                                "SCHED_S_TASK_READY"^^vocabulary:TaskStatusVocab
                                "SCHED_S_TASK_RUNNING"^^vocabulary:TaskStatusVocab
                                "SCHED_S_TASK_TERMINATED"^^vocabulary:TaskStatusVocab
                                "TASK_STATE_QUEUED"^^vocabulary:TaskStatusVocab
                                "TASK_STATE_UNKNOWN"^^vocabulary:TaskStatusVocab ) ]
                    [ sh:datatype xsd:string ] ) ;
            sh:path observable:status ],
        [ sh:nodeKind sh:Literal ;
            sh:or ( [ sh:datatype vocabulary:TaskFlagVocab ] [ sh:datatype xsd:string ] ) ;
            sh:path observable:flags ] ;
    sh:targetClass observable:WindowsTaskFacet .
```