Guides

File

Suggest Edits

The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details. Defined by D3FEND d3f:File.

Attributes

CaptionNameTypeDescription
Accessed Time accessed_time Timestamp The time when the file was last accessed.
Accessor accessor String The name of the user who last accessed the object.
Attributes attributes Integer The bitmask value that represents the file attributes.
Company Name company_name String The name of the company that published the file. For example: Microsoft Corporation.
Confidentiality confidentiality String The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
Confidentiality ID confidentiality_id Integer The normalized identifier of the file content confidentiality indicator.
  • 0: Unknown (UNKNOWN)
  • 1: Not Confidential (NOT_CONFIDENTIAL)
  • 2: Confidential (CONFIDENTIAL)
  • 3: Secret (SECRET)
  • 4: Top Secret (TOP_SECRET)
  • 5: Private (PRIVATE)
  • 6: Restricted (RESTRICTED)
  • 99: Other (OTHER)
Created Time created_time Timestamp The time when the file was created.
Creator creator String The user that created the file.
Data Classification data_classification Data Classification[] The Data Classification object includes information about data classification levels and data category types.
Description desc String The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.
File Extension ext String The extension of the file, excluding the leading dot. For example: exe from svchost.exe, or gz from export.tar.gz.
Fingerprints fingerprints Fingerprint[] An array of digital fingerprint objects.

🚧 WARNING: DEPRECATED

Fingerprints has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Hashes hashes Fingerprint[] An array of hash attributes.
System is_system Boolean The indication of whether the object is part of the operating system.
MIME type mime_type String The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
Modified Time modified_time Timestamp The time when the file was last modified.
Modifier modifier String The user that last modified the file.
Name name String The name of the file. For example: svchost.exe
Owner owner String The user that owns the file/object.
Parent Folder parent_folder Path Name The parent folder in which the file resides. For example: c:\windows\system32
Path path Path Name The full path to the file. For example: c:\windows\system32\svchost.exe.
Product product Product[] The product that created or installed the file.
Raw Data raw_data JSON The event data as received from the event source.
Record ID record_id String Unique identifier for the object
Security Descriptor security_descriptor String The object security descriptor.
Digital Signature signature Digital Signature[] The digital signature of the file.
Size size Long The size of data, in bytes.
Type type String The file type.
Type ID type_id Integer The file type ID.
  • 0: Unknown (UNKNOWN)
  • 1: Regular File (REGULAR_FILE)
  • 2: Folder (FOLDER)
  • 3: Character Device (CHARACTER_DEVICE)
  • 4: Block Device (BLOCK_DEVICE)
  • 5: Local Socket (LOCAL_SOCKET)
  • 6: Named Pipe (NAMED_PIPE)
  • 7: Symbolic Link (SYMBOLIC_LINK)
  • 99: Other (OTHER)
Unique ID uid String The unique identifier of the file as defined by the storage system, such the file system file ID.
Unmapped Data unmapped Unmapped[] The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
Version version String The file version. For example: 8.0.7601.17514.
Extended Attributes xattributes JSON An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.

For example: Windows alternate data stream attributes (ADS stream name, ADS size, etc.), user-defined or application-defined attributes, ACL, owner, primary group, etc. Examples from DCS:

  • ads_name
  • ads_size
  • dacl
  • owner
  • primary_group
  • link_name - name of the link associated to the file.
  • hard_link_count - the number of links that are associated to the file.

Relationships

File shown in context

Inbound Relationships

These objects and events reference File in their attributes:

Outbound Relationships

File references the following objects and events in its attributes:

This page describes qdm-1.3.2+ocsf-1.3.0

Updated 5 months ago