File Fields
editFile Fields
editA file is defined as a set of information that has been created on, or has existed on a filesystem.
File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.
File Field Details
editField | Description | Level |
---|---|---|
Last time the file was accessed. Note that not all filesystems keep track of access time. type: date |
extended |
|
Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword Note: this field should contain an array of values. example: |
extended |
|
File creation time. Note that not all filesystems store the creation time. type: date |
extended |
|
Last time the file attributes or metadata changed. Note that changes to the file content will update type: date |
extended |
|
Device that is the source of the file. type: keyword example: |
extended |
|
Directory where the file is located. It should include the drive letter, when appropriate. type: keyword example: |
extended |
|
Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon. type: keyword example: |
extended |
|
File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). type: keyword example: |
extended |
|
Primary group ID (GID) of the file. type: keyword example: |
extended |
|
Primary group name of the file. type: keyword example: |
extended |
|
Inode representing the file in the filesystem. type: keyword example: |
extended |
|
MIME type should identify the format of the file or stream of bytes using IANA official types, where possible. When more than one type is applicable, the most specific type should be used. type: keyword |
extended |
|
Mode of the file in octal representation. type: keyword example: |
extended |
|
Last time the file content was modified. type: date |
extended |
|
Name of the file including the extension, without the directory. type: keyword example: |
extended |
|
File owner’s username. type: keyword example: |
extended |
|
Full path to the file, including the file name. It should include the drive letter, when appropriate. type: keyword Multi-fields: * file.path.text (type: text) example: |
extended |
|
File size in bytes. Only relevant when type: long example: |
extended |
|
Target path for symlinks. type: keyword Multi-fields: * file.target_path.text (type: text) |
extended |
|
File type (file, dir, or symlink). type: keyword example: |
extended |
|
The user ID (UID) or security identifier (SID) of the file owner. type: keyword example: |
extended |
Field Reuse
editField sets that can be nested under File
editField Set | Location | Description |
---|---|---|
|
These fields contain information about binary code signatures. |
|
|
Hashes, usually file hashes. |
|
|
These fields contain Windows Portable Executable (PE) metadata. |
|
|
These fields contain x509 certificate metadata. |