File

The time when the file was last accessed.

Entity:USER
The name of the user who last accessed the object.

The bitmask value that represents the file attributes.

The name of the company that published the file. For example: Microsoft Corporation.

The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.

The normalized identifier of the file content confidentiality indicator.

• 0: Unknown (UNKNOWN)
• 1: Not Confidential (NOT_CONFIDENTIAL)
• 2: Confidential (CONFIDENTIAL)
• 3: Secret (SECRET)
• 4: Top Secret (TOP_SECRET)
• 5: Private (PRIVATE)
• 6: Restricted (RESTRICTED)
• 99: Other (OTHER)

The time when the file was created.

Entity:USER
The user that created the file.

Group:context
The Data Classification object includes information about data classification levels and data category types.

🚧 WARNING: DEPRECATED

Data Classification has been deprecated since 1.4.0. Use the attribute data_classifications instead

Group:context
A list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.

The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.

The drive type, normalized to the caption of the drive_type_id value. In the case of Other, it is defined by the source.

Identifies the type of a disk drive, i.e. fixed, removable, etc.

• 0: Unknown (UNKNOWN)
• 1: Removable (REMOVABLE)
• 2: Fixed (FIXED)
• 3: Remote (REMOTE)
• 4: CD-ROM (CD_ROM)
• 5: RAM Disk (RAM_DISK)
• 99: Other (OTHER)

The encryption details of the file. Should be populated if the file is encrypted.

The extension of the file, excluding the leading dot. For example: exe from svchost.exe, or gz from export.tar.gz.

Entity:FINGERPRINT
An array of hash attributes.

The name of the file as identified within the file itself. This contrasts with the name by which the file is known on disk. Where available, the internal name is widely used by security practitioners and detection content because the on-disk file name is not reliable. On the Windows OS, most PE files contain a VERSIONINFO resource from which the internal name can be obtained. On macOS, binaries can optionally embed a copy of the application's Info.plist file which in turn contains the name of the executable.

Indicates if the file was deleted from the filesystem.

Indicates if the file is encrypted.

Indicates if the file is publicly accessible. For example in an object's public access in AWS S3

Indicates that the file cannot be modified.

The indication of whether the object is part of the operating system.

The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.

The time when the file was last modified.

Entity:USER
The user that last modified the file.

Entity:FILE_NAME
The name of the file. For example: svchost.exe

Entity:USER
The user that owns the file/object.

The parent folder in which the file resides. For example: c:\windows\system32

Entity:FILE_PATH
The full path to the file. For example: c:\windows\system32\svchost.exe.

The product that created or installed the file.

Group:context
The event data as received from the event source.

Group:primary
Unique identifier for the object

The object security descriptor.

The digital signature of the file.

The size of data, in bytes.

The storage class of the file. For example in AWS S3: STANDARD, STANDARD_IA, GLACIER.

The list of tags; key:value pairs associated to the file.

The file type.

The file type ID. Note the distinction between a Regular File and an Executable File. If the distinction is not known, or not indicated by the log, use Regular File. In this case, it should not be assumed that a Regular File is not executable.

• 0: Unknown (UNKNOWN)
• 1: Regular File (REGULAR_FILE)
• 2: Folder (FOLDER)
• 3: Character Device (CHARACTER_DEVICE)
• 4: Block Device (BLOCK_DEVICE)
• 5: Local Socket (LOCAL_SOCKET)
• 6: Named Pipe (NAMED_PIPE)
• 7: Symbolic Link (SYMBOLIC_LINK)
• 8: Executable File (EXECUTABLE_FILE)
• 99: Other (OTHER)

The unique identifier of the file as defined by the storage system, such the file system file ID.

Data from the source that was not mapped into the schema.

Entity:URL_STRING
The file URI, such as those reporting by static analysis tools. E.g., file:///C:/dev/sarif/sarif-tutorials/samples/Introduction/simple-example.js

Entity:UNIFORM_RESOURCE_LOCATOR
The URL of the file, when applicable.

The file version. For example: 8.0.7601.17514.

The volume on the storage device where the file is located.

An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.For example: Windows alternate data stream attributes (ADS stream name, ADS size, etc.), user-defined or application-defined attributes, ACL, owner, primary group, etc. Examples from DCS: ads_nameads_sizedaclownerprimary_grouplink_name - name of the link associated to the file.hard_link_count - the number of links that are associated to the file.