File

file

The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details.

Attributes

| Caption | Name | Type | Description |
|---|---|---|---|
| Accessed Time | accessed_time | Timestamp | The time when the file was last accessed. |
| Accessor | accessor | User[] | Entity:USER. The name of the user who last accessed the object. |
| Attributes | attributes | Integer | The bitmask value that represents the file attributes. |
| Company Name | company_name | String | The name of the company that published the file. For example: Microsoft Corporation. |
| Confidentiality | confidentiality | String | The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. |
| Confidentiality ID | confidentiality_id | Integer | The normalized identifier of the file content confidentiality indicator. Values: 0: Unknown (UNKNOWN); 1: Not Confidential (NOT_CONFIDENTIAL); 2: Confidential (CONFIDENTIAL); 3: Secret (SECRET); 4: Top Secret (TOP_SECRET); 5: Private (PRIVATE); 6: Restricted (RESTRICTED); 99: Other (OTHER) |
| Created Time | created_time | Timestamp | The time when the file was created. |
| Creator | creator | User[] | Entity:USER. The user that created the file. |
| Data Classification | data_classification | Data Classification[] | Group:context. The Data Classification object includes information about data classification levels and data category types. WARNING: DEPRECATED. Data Classification has been deprecated since 1.4.0. Use the attribute data_classifications instead. |
| Data Classification | data_classifications | Data Classification[] | Group:context. A list of Data Classification objects that include information about data classification levels and data category types, identified by a classifier. |
| Description | desc | String | The description of the file, as returned by the file system. For example: the description as returned by the Unix file command or the Windows file type. |
| Drive Type | drive_type | String | The drive type, normalized to the caption of the drive_type_id value. In the case of Other, it is defined by the source. |
| Drive Type ID | drive_type_id | Integer | Identifies the type of a disk drive, i.e. fixed, removable, etc. Values: 0: Unknown (UNKNOWN); 1: Removable (REMOVABLE); 2: Fixed (FIXED); 3: Remote (REMOTE); 4: CD-ROM (CD_ROM); 5: RAM Disk (RAM_DISK); 99: Other (OTHER) |
| Encryption Details | encryption_details | Encryption Details[] | The encryption details of the file. Should be populated if the file is encrypted. |
| File Extension | ext | String | The extension of the file, excluding the leading dot. For example: exe from svchost.exe, or gz from export.tar.gz. |
| Hashes | hashes | Fingerprint[] | Entity:FINGERPRINT. An array of hash attributes. |
| Internal Name | internal_name | String | The name of the file as identified within the file itself. This contrasts with the name by which the file is known on disk. Where available, the internal name is widely used by security practitioners and detection content because the on-disk file name is not reliable. On the Windows OS, most PE files contain a VERSIONINFO resource from which the internal name can be obtained. On macOS, binaries can optionally embed a copy of the application's Info.plist file, which in turn contains the name of the executable. |
| Deleted | is_deleted | Boolean | Indicates if the file was deleted from the filesystem. |
| Encrypted | is_encrypted | Boolean | Indicates if the file is encrypted. |
| Public | is_public | Boolean | Indicates if the file is publicly accessible. For example, an object's public access in AWS S3. |
| Read-Only | is_readonly | Boolean | Indicates that the file cannot be modified. |
| System | is_system | Boolean | The indication of whether the object is part of the operating system. |
| MIME type | mime_type | String | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. |
| Modified Time | modified_time | Timestamp | The time when the file was last modified. |
| Modifier | modifier | User[] | Entity:USER. The user that last modified the file. |
| Name | name | File Name | Entity:FILE_NAME. The name of the file. For example: svchost.exe |
| Owner | owner | User[] | Entity:USER. The user that owns the file/object. |
| Parent Folder | parent_folder | String | The parent folder in which the file resides. For example: c:\windows\system32 |
| Path | path | File Path | Entity:FILE_PATH. The full path to the file. For example: c:\windows\system32\svchost.exe. |
| Product | product | Product[] | The product that created or installed the file. |
| Raw Data | raw_data | JSON | Group:context. The event data as received from the event source. |
| Record ID | record_id | String | Group:primary. Unique identifier for the object. |
| Security Descriptor | security_descriptor | String | The object security descriptor. |
| Digital Signature | signature | Digital Signature[] | The digital signature of the file. |
| Size | size | Long | The size of data, in bytes. |
| Storage Class | storage_class | String | The storage class of the file. For example in AWS S3: STANDARD, STANDARD_IA, GLACIER. |
| Tags | tags | Key:Value object[] | The list of tags; key:value pairs associated with the file. |
| Type | type | String | The file type. |
| Type ID | type_id | Integer | The file type ID. Note the distinction between a Regular File and an Executable File. If the distinction is not known, or not indicated by the log, use Regular File. In this case, it should not be assumed that a Regular File is not executable. Values: 0: Unknown (UNKNOWN); 1: Regular File (REGULAR_FILE); 2: Folder (FOLDER); 3: Character Device (CHARACTER_DEVICE); 4: Block Device (BLOCK_DEVICE); 5: Local Socket (LOCAL_SOCKET); 6: Named Pipe (NAMED_PIPE); 7: Symbolic Link (SYMBOLIC_LINK); 8: Executable File (EXECUTABLE_FILE); 99: Other (OTHER) |
| Unique ID | uid | String | The unique identifier of the file as defined by the storage system, such as the file system file ID. |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
| File URI | uri | URL String | Entity:URL_STRING. The file URI, such as those reported by static analysis tools. E.g., file:///C:/dev/sarif/sarif-tutorials/samples/Introduction/simple-example.js |
| URL | url | Uniform Resource Locator[] | Entity:UNIFORM_RESOURCE_LOCATOR. The URL of the file, when applicable. |
| Version | version | String | The file version. For example: 8.0.7601.17514. |
| Volume | volume | String | The volume on the storage device where the file is located. |
| Extended Attributes | xattributes | JSON | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. For example: Windows alternate data stream attributes (ADS stream name, ADS size, etc.), user-defined or application-defined attributes, ACL, owner, primary group, etc. Examples from DCS: ads_name, ads_size, dacl, owner, primary_group, link_name (name of the link associated to the file), hard_link_count (the number of links that are associated to the file). |
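Added example (not part of the schema page or of the OCSF/QDM project): a Python check over File objects that applies the notes above on ext, type_id and internal_name. The helper names, finding labels and sample records are constructed for illustration, and comparing names by stem is an assumption of this example.

```python
from pathlib import PureWindowsPath

# type_id 8 = Executable File, 1 = Regular File. Regular File stays in scope
# because the schema says it must not be assumed to be non-executable.
CANDIDATE_TYPE_IDS = {1, 8}


def split_name(name):
    """Return (stem, ext): ext is the last suffix without the leading dot."""
    head, dot, tail = name.rpartition(".")
    return (head, tail) if dot and head else (name, "")


def review_file(f):
    """Return a list of findings for one File object given as a dict."""
    findings = []
    # PureWindowsPath accepts both "\\" and "/" separators.
    name = f.get("name") or PureWindowsPath(f.get("path", "")).name
    stem, ext = split_name(name)

    # ext must be "gz" for export.tar.gz, never ".gz" or "tar.gz".
    if "ext" in f and f["ext"].lower() != ext.lower():
        findings.append("ext_mismatch")

    # Compare stems case-insensitively: an embedded internal name may or may
    # not carry the extension (assumption made by this example).
    internal = f.get("internal_name")
    if internal and f.get("type_id") in CANDIDATE_TYPE_IDS:
        if split_name(internal)[0].lower() != stem.lower():
            findings.append("name_differs_from_internal_name")
    return findings


# Constructed sample File objects (not real telemetry).
SAMPLES = [
    {"name": "svchost.exe", "path": r"c:\windows\system32\svchost.exe",
     "ext": "exe", "type_id": 8, "internal_name": "svchost.exe"},
    {"name": "notes.exe", "path": r"c:\users\public\notes.exe",
     "ext": "exe", "type_id": 1, "internal_name": "svchost.exe"},
    {"name": "export.tar.gz", "ext": "tar.gz", "type_id": 1},
    {"path": r"c:\windows\system32\cmd.exe", "ext": "exe", "type_id": 8,
     "internal_name": "cmd"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.get("name") or sample["path"], review_file(sample))
```

A name/internal_name difference is a triage signal rather than a verdict, since legitimately renamed or repackaged binaries produce it too.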

Relationships

File shown in context

Inbound Relationships

These objects and events reference File in their attributes:

Outbound Relationships

File references the following objects and events in its attributes:

This page describes qdm-1.5.1+ocsf-1.6.0