File

file

The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details.

Attributes

Caption	Name	Type	Description
Accessed Time	`accessed_time`	Timestamp	The time when the file was last accessed.
Accessor	`accessor`	User[]	Entity:`USER` The name of the user who last accessed the object.
Attributes	`attributes`	Integer	The bitmask value that represents the file attributes.
Company Name	`company_name`	String	The name of the company that published the file. For example: `Microsoft Corporation`.
Confidentiality	`confidentiality`	String	The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
Confidentiality ID	`confidentiality_id`	Integer	The normalized identifier of the file content confidentiality indicator. `0`: Unknown (`UNKNOWN`) `1`: Not Confidential (`NOT_CONFIDENTIAL`) `2`: Confidential (`CONFIDENTIAL`) `3`: Secret (`SECRET`) `4`: Top Secret (`TOP_SECRET`) `5`: Private (`PRIVATE`) `6`: Restricted (`RESTRICTED`) `99`: Other (`OTHER`)
Created Time	`created_time`	Timestamp	The time when the file was created.
Creator	`creator`	User[]	Entity:`USER` The user that created the file.
Data Classification	`data_classification`	Data Classification[]	Group:`context` The Data Classification object includes information about data classification levels and data category types. 🚧 WARNING: DEPRECATED Data Classification has been deprecated since 1.4.0. Use the attribute `data_classifications` instead
Data Classification	`data_classifications`	Data Classification[]	Group:`context` A list of Data Classification objects, that include information about data classification levels and data category types, indentified by a classifier.
Description	`desc`	String	The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.
Drive Type	`drive_type`	String	The drive type, normalized to the caption of the `drive_type_id` value. In the case of `Other`, it is defined by the source.
Drive Type ID	`drive_type_id`	Integer	Identifies the type of a disk drive, i.e. fixed, removable, etc. `0`: Unknown (`UNKNOWN`) `1`: Removable (`REMOVABLE`) `2`: Fixed (`FIXED`) `3`: Remote (`REMOTE`) `4`: CD-ROM (`CD_ROM`) `5`: RAM Disk (`RAM_DISK`) `99`: Other (`OTHER`)
Encryption Details	`encryption_details`	Encryption Details[]	The encryption details of the file. Should be populated if the file is encrypted.
File Extension	`ext`	String	The extension of the file, excluding the leading dot. For example: `exe` from `svchost.exe`, or `gz` from `export.tar.gz`.
Hashes	`hashes`	Fingerprint[]	Entity:`FINGERPRINT` An array of hash attributes.
Internal Name	`internal_name`	String	The name of the file as identified within the file itself. This contrasts with the name by which the file is known on disk. Where available, the internal name is widely used by security practitioners and detection content because the on-disk file name is not reliable. On the Windows OS, most PE files contain a VERSIONINFO resource from which the internal name can be obtained. On macOS, binaries can optionally embed a copy of the application's Info.plist file which in turn contains the name of the executable.
Deleted	`is_deleted`	Boolean	Indicates if the file was deleted from the filesystem.
Encrypted	`is_encrypted`	Boolean	Indicates if the file is encrypted.
Public	`is_public`	Boolean	Indicates if the file is publicly accessible. For example in an object's public access in AWS S3
System	`is_system`	Boolean	The indication of whether the object is part of the operating system.
MIME type	`mime_type`	String	The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
Modified Time	`modified_time`	Timestamp	The time when the file was last modified.
Modifier	`modifier`	User[]	Entity:`USER` The user that last modified the file.
Name	`name`	File Name	Entity:`FILE_NAME` The name of the file. For example: `svchost.exe`
Owner	`owner`	User[]	Entity:`USER` The user that owns the file/object.
Parent Folder	`parent_folder`	String	The parent folder in which the file resides. For example: `c:\windows\system32`
Path	`path`	String	The full path to the file. For example: `c:\windows\system32\svchost.exe`.
Product	`product`	Product[]	The product that created or installed the file.
Raw Data	`raw_data`	JSON	Group:`context` The event data as received from the event source.
Record ID	`record_id`	String	Group:`primary` Unique identifier for the object
Security Descriptor	`security_descriptor`	String	The object security descriptor.
Digital Signature	`signature`	Digital Signature[]	The digital signature of the file.
Size	`size`	Long	The size of data, in bytes.
Storage Class	`storage_class`	String	The storage class of the file. For example in AWS S3: `STANDARD, STANDARD_IA, GLACIER`.
Tags	`tags`	Key:Value object[]	The list of tags; `{key:value}` pairs associated to the file.
Type	`type`	String	The file type.
Type ID	`type_id`	Integer	The file type ID. `0`: Unknown (`UNKNOWN`) `1`: Regular File (`REGULAR_FILE`) `2`: Folder (`FOLDER`) `3`: Character Device (`CHARACTER_DEVICE`) `4`: Block Device (`BLOCK_DEVICE`) `5`: Local Socket (`LOCAL_SOCKET`) `6`: Named Pipe (`NAMED_PIPE`) `7`: Symbolic Link (`SYMBOLIC_LINK`) `99`: Other (`OTHER`)
Unique ID	`uid`	String	The unique identifier of the file as defined by the storage system, such the file system file ID.
Unmapped	`unmapped`	Unmapped[]	Data from the source that was not mapped into the schema.
URL	`url`	Uniform Resource Locator[]	Entity:`UNIFORM_RESOURCE_LOCATOR` The URL of the file, when applicable.
Version	`version`	String	The file version. For example: `8.0.7601.17514`.
Extended Attributes	`xattributes`	JSON	An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. For example: Windows alternate data stream attributes (ADS stream name, ADS size, etc.), user-defined or application-defined attributes, ACL, owner, primary group, etc. Examples from DCS: ads_name ads_size dacl owner primary_group link_name - name of the link associated to the file. hard_link_count - the number of links that are associated to the file.

Relationships

Inbound Relationships

These objects and events reference File in their attributes:

Outbound Relationships

File references the following objects and events in its attributes:

This page describes ocsf-1.4.0