diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8998a3e7a..becd4e899 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -56,6 +56,7 @@ Thankyou! -->
7. Added `is_alert` as a `boolean_t`, #1179
8. Added `working_directory` as a `string_t`. #1195
9. Added `is_deleted` a `boolean_t`. #1196
+ 10. Added `is_script_content_truncated` as a `boolean_t`. #1198
* #### Objects
1. Added `environment_variable` object. #1172
@@ -81,6 +82,8 @@ Thankyou! -->
11. Added `http_headers` to `email` object. #1199
12. Added `working_directory` to `process` object. #1195
13. Added `is_deleted` to `file` object. #1196
+ 14. Added `is_script_content_truncated` to `script` object. #1198
+ 15. Added entry for VBA macros to `type_id` enum in `script` object. #1198
### Bugfixes
1. Added sibling definition to `confidence_id` in dictionary, accurately associating `confidence` as its sibling. #1180
diff --git a/dictionary.json b/dictionary.json
index 71c019e77..7ec41bce1 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -2508,6 +2508,11 @@
"description": "The indication of whether this is a lease/session renewal event.",
"type": "boolean_t"
},
+ "is_script_content_truncated": {
+ "caption": "Is Script Content Truncated",
+ "description": "Indicates if the contents of the script_content
attribute have been truncated.",
+ "type": "boolean_t"
+ },
"is_secure": {
"caption": "Secure",
"description": "The cookie attribute indicates that cookies are sent to the server only when the request is encrypted using the HTTPS protocol.",
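Review bot: The description added for `is_script_content_truncated` does not say how to read an event where the flag is missing, and `objects/script.json` makes the attribute optional. Absence could mean "not truncated" or "this producer does not report truncation", and the two are very different for anyone searching `script_content` for indicators, because a clean search over a truncated script proves nothing about the part that was cut. I would extend the description with a sentence such as `When this attribute is absent, the truncation status is unknown.`, assuming that is the intended semantics. The surrounding dictionary object starts and ends outside this hunk.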
@@ -4014,7 +4019,7 @@
"script_content": {
"observable": 36,
"caption": "Script Content",
- "description": "The script content, normalized to UTF-8 encoding irrespective of its original encoding.",
+ "description": "The script content, normalized to UTF-8 encoding irrespective of its original encoding. When emitting this attribute, it may be appropriate to truncate large scripts. When consuming this attribute, large scripts should be anticipated.",
"type": "string_t"
},
"section_a": {
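Review bot: The revised `script_content` description permits producers to truncate but never mentions `is_script_content_truncated`, which this same commit introduces for that case. A producer reading only this entry has no prompt to set the flag, and a consumer has no hint that a truncation indicator exists. I would end the description with `When the content is truncated, is_script_content_truncated should be set to true.` The `hashes` description in `objects/script.json` says hashes are computed on the script in its original encoding, so they presumably will not match truncated content either. A short mention of that here would stop analysts from re-hashing `script_content` and treating a mismatch as tampering.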
diff --git a/objects/script.json b/objects/script.json
index 6050053a1..53b19a7a6 100644
--- a/objects/script.json
+++ b/objects/script.json
@@ -12,8 +12,11 @@
"description": "An array of the script's cryptographic hashes. Note that these hashes are calculated on the script in its original encoding, and not on the normalized UTF-8 encoding found in the script_content
attribute.",
"requirement": "recommended"
},
+ "is_script_content_truncated": {
+ "requirement": "optional"
+ },
"parent_uid": {
- "description": "When a script is a dynamically executed sub-script, and when the underlying script engine supports use of the uid
attribute, this parent_uid
attribute identifies the parent script.",
+ "description": "This attribute relates a sub-script to a parent script having the matching uid
attribute. In the case of PowerShell, sub-script execution can be identified by matching the activity correlation ID of the raw ETW events provided by the OS.",
"requirement": "optional"
},
"script_content": {
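Review bot: The new `parent_uid` description leaves it unclear which value a PowerShell producer should store. Its first sentence says the attribute matches the parent's `uid`, and the `uid` hunk later in this file maps that to the ScriptBlockId, but its second sentence describes identifying sub-scripts through the activity correlation ID, which can be read as the correlation ID being the stored value. If the correlation ID is only how the relationship is discovered, I would append `The value stored is the parent's uid (the ScriptBlockId), not the correlation ID.`, or the equivalent wording if the intent is the other way round. Producers that populate this differently would break parent/child script chain reconstruction across sources. The enclosing attributes object starts and ends outside this hunk.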
@@ -49,6 +52,9 @@
"6": {
"caption": "Unix Shell"
},
+ "7": {
+ "caption": "VBA"
+ },
"99": {
"caption": "Other",
"description": "The script type is not mapped. See the type
attribute which contains an event source specific value."
@@ -56,7 +62,7 @@
}
},
"uid": {
- "description": "Some script engines assign a unique ID to each individual execution of a given script, e.g. PowerShell's Script Block ID. This uid
attribute enables a dynamically executed sub-script to refer to its parent.",
+ "description": "Some script engines assign a unique ID to each individual execution of a given script. This attribute captures that unique ID. In the case of PowerShell, the unique ID corresponds to the ScriptBlockId
in the raw ETW events provided by the OS.",
"requirement": "optional"
}
}