file

The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details.

Attributes

Caption | Name | Type | Description
Accessed Time | accessed_time | Timestamp | The time when the file was last accessed.
Accessor | accessor | User[] (Entity:USER) | The name of the user who last accessed the object.
Attributes | attributes | Integer | The bitmask value that represents the file attributes.
Company Name | company_name | String | The name of the company that published the file. For example: Microsoft Corporation.
Confidentiality | confidentiality | String | The file content confidentiality, normalized to the confidentiality_id value. In the case of Other, it is defined by the event source.
Confidentiality ID | confidentiality_id | Integer | The normalized identifier of the file content confidentiality indicator.
  • 0: Unknown (UNKNOWN)
  • 1: Not Confidential (NOT_CONFIDENTIAL)
  • 2: Confidential (CONFIDENTIAL)
  • 3: Secret (SECRET)
  • 4: Top Secret (TOP_SECRET)
  • 5: Private (PRIVATE)
  • 6: Restricted (RESTRICTED)
  • 99: Other (OTHER)
Created Time | created_time | Timestamp | The time when the file was created.
Creator | creator | User[] (Entity:USER) | The user that created the file.
Data Classification | data_classification | Data Classification[] (Group:context) | The Data Classification object includes information about data classification levels and data category types.
  🚧 WARNING: DEPRECATED. Data Classification has been deprecated since 1.4.0. Use the attribute data_classifications instead.
Data Classification | data_classifications | Data Classification[] (Group:context) | A list of Data Classification objects that include information about data classification levels and data category types, identified by a classifier.
Description | desc | String | The description of the file, as returned by the file system. For example: the description as returned by the Unix file command or the Windows file type.
Drive Type | drive_type | String | The drive type, normalized to the caption of the drive_type_id value. In the case of Other, it is defined by the source.
Drive Type ID | drive_type_id | Integer | Identifies the type of a disk drive, e.g. fixed or removable.
  • 0: Unknown (UNKNOWN)
  • 1: Removable (REMOVABLE)
  • 2: Fixed (FIXED)
  • 3: Remote (REMOTE)
  • 4: CD-ROM (CD_ROM)
  • 5: RAM Disk (RAM_DISK)
  • 99: Other (OTHER)
Encryption Details | encryption_details | Encryption Details[] | The encryption details of the file. Should be populated if the file is encrypted.
File Extension | ext | String | The extension of the file, excluding the leading dot. For example: exe from svchost.exe, or gz from export.tar.gz.
Hashes | hashes | Fingerprint[] (Entity:FINGERPRINT) | An array of hash attributes.
Internal Name | internal_name | String | The name of the file as identified within the file itself. This contrasts with the name by which the file is known on disk. Where available, the internal name is widely used by security practitioners and detection content because the on-disk file name is not reliable. On the Windows OS, most PE files contain a VERSIONINFO resource from which the internal name can be obtained. On macOS, binaries can optionally embed a copy of the application's Info.plist file, which in turn contains the name of the executable.
Deleted | is_deleted | Boolean | Indicates if the file was deleted from the filesystem.
Encrypted | is_encrypted | Boolean | Indicates if the file is encrypted.
Public | is_public | Boolean | Indicates if the file is publicly accessible. For example, an object's public access setting in AWS S3.
System | is_system | Boolean | The indication of whether the object is part of the operating system.
MIME Type | mime_type | String | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
Modified Time | modified_time | Timestamp | The time when the file was last modified.
Modifier | modifier | User[] (Entity:USER) | The user that last modified the file.
Name | name | File Name (Entity:FILE_NAME) | The name of the file. For example: svchost.exe.
Owner | owner | User[] (Entity:USER) | The user that owns the file/object.
Parent Folder | parent_folder | String | The parent folder in which the file resides. For example: c:\windows\system32.
Path | path | String | The full path to the file. For example: c:\windows\system32\svchost.exe.
Product | product | Product[] | The product that created or installed the file.
Raw Data | raw_data | JSON (Group:context) | The event data as received from the event source.
Record ID | record_id | String (Group:primary) | Unique identifier for the object.
Security Descriptor | security_descriptor | String | The object security descriptor.
Digital Signature | signature | Digital Signature[] | The digital signature of the file.
Size | size | Long | The size of data, in bytes.
Storage Class | storage_class | String | The storage class of the file. For example, in AWS S3: STANDARD, STANDARD_IA, GLACIER.
Tags | tags | Key:Value object[] | The list of tags: {key:value} pairs associated with the file.
Type | type | String | The file type.
Type ID | type_id | Integer | The file type ID.
  • 0: Unknown (UNKNOWN)
  • 1: Regular File (REGULAR_FILE)
  • 2: Folder (FOLDER)
  • 3: Character Device (CHARACTER_DEVICE)
  • 4: Block Device (BLOCK_DEVICE)
  • 5: Local Socket (LOCAL_SOCKET)
  • 6: Named Pipe (NAMED_PIPE)
  • 7: Symbolic Link (SYMBOLIC_LINK)
  • 99: Other (OTHER)
Unique ID | uid | String | The unique identifier of the file as defined by the storage system, such as the file system file ID.
Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema.
URL | url | Uniform Resource Locator[] (Entity:UNIFORM_RESOURCE_LOCATOR) | The URL of the file, when applicable.
Version | version | String | The file version. For example: 8.0.7601.17514.
Extended Attributes | xattributes | JSON | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. For example: Windows alternate data stream attributes (ADS stream name, ADS size, etc.), user-defined or application-defined attributes, ACL, owner, primary group, etc. Examples from DCS:
  • ads_name
  • ads_size
  • dacl
  • owner
  • primary_group
  • link_name: name of the link associated with the file.
  • hard_link_count: the number of links associated with the file.
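As an added example (not code from the OCSF project), the following Python derives the name, parent_folder, ext, type and confidentiality fields from raw input using the enumerations listed above, and checks a File object for the inconsistencies a consumer should flag, including use of the deprecated data_classification attribute. The split_path, build_file and check_file names are the example's own, and the SHA-256 algorithm_id in the hashes entry is taken from the OCSF Fingerprint object rather than from this page.

```python
# Enumerations from this page; the caption is the normalized 'type' / 'confidentiality' string.
FILE_TYPES = {0: "Unknown", 1: "Regular File", 2: "Folder", 3: "Character Device", 4: "Block Device",
              5: "Local Socket", 6: "Named Pipe", 7: "Symbolic Link", 99: "Other"}
CONFIDENTIALITY = {0: "Unknown", 1: "Not Confidential", 2: "Confidential", 3: "Secret",
                   4: "Top Secret", 5: "Private", 6: "Restricted", 99: "Other"}

def split_path(path):
    """Return (parent_folder, name, ext) for a Windows or POSIX path.
    ext excludes the leading dot and is only the last suffix (export.tar.gz -> gz); .bashrc has none."""
    sep = "\\" if "\\" in path else "/"
    parent, _, name = path.rpartition(sep)
    stem, dot, ext = name.rpartition(".")
    return parent, name, (ext if dot and stem else "")

def build_file(path, type_id, *, size=None, confidentiality_id=0, other_type=None, sha256=None):
    """Normalize raw source fields into a File object; captions are derived from IDs, not copied."""
    if type_id not in FILE_TYPES or confidentiality_id not in CONFIDENTIALITY:
        raise ValueError("type_id / confidentiality_id must be a value listed in the schema")
    if type_id == 99 and not other_type:
        raise ValueError("type_id 99 (Other) needs the source-defined 'type' caption")
    parent, name, ext = split_path(path)
    obj = {"path": path, "parent_folder": parent, "name": name, "type_id": type_id,
           "type": other_type if type_id == 99 else FILE_TYPES[type_id],
           "confidentiality_id": confidentiality_id,
           "confidentiality": CONFIDENTIALITY[confidentiality_id]}
    if ext:
        obj["ext"] = ext
    if size is not None:
        obj["size"] = int(size)
    if sha256:  # algorithm_id 3 = SHA-256 is defined by the Fingerprint object, not on this page
        obj["hashes"] = [{"algorithm_id": 3, "algorithm": "SHA-256", "value": sha256.lower()}]
    return obj

def check_file(obj):
    """Return the consistency problems a consumer should flag before relying on the record."""
    problems = []
    tid = obj.get("type_id")
    if tid not in FILE_TYPES:
        problems.append(f"type_id {tid!r} is not a schema value")
    elif tid != 99 and obj.get("type", FILE_TYPES[tid]) != FILE_TYPES[tid]:
        problems.append(f"type {obj['type']!r} does not match type_id {tid}")
    if "data_classification" in obj:
        problems.append("data_classification is deprecated since 1.4.0; use data_classifications")
    if obj.get("is_encrypted") and not obj.get("encryption_details"):
        problems.append("is_encrypted is set but encryption_details is missing")
    if obj.get("ext", "").startswith("."):
        problems.append("ext must not include the leading dot")
    return problems
```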

Relationships

File shown in context

Inbound Relationships

These objects and events reference File in their attributes:

Outbound Relationships

File references the following objects and events in its attributes:

This page describes ocsf-1.4.0