File
The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details. Defined by D3FEND d3f:File.
Attributes
Caption | Name | Type | Description |
---|---|---|---|
Accessed Time | accessed_time |
Timestamp | The time when the file was last accessed. |
Accessor | accessor |
String | The name of the user who last accessed the object. |
Attributes | attributes |
Integer | The bitmask value that represents the file attributes. |
Company Name | company_name |
String |
The name of the company that published the file. For example: Microsoft Corporation .
|
Confidentiality | confidentiality |
String | The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. |
Confidentiality ID | confidentiality_id |
Integer |
The normalized identifier of the file content confidentiality indicator.
|
Created Time | created_time |
Timestamp | The time when the file was created. |
Creator | creator |
String | The user that created the file. |
Data Classification | data_classification |
Data Classification[] | The Data Classification object includes information about data classification levels and data category types. |
Description | desc |
String | The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type. |
File Extension | ext |
String |
The extension of the file, excluding the leading dot. For example: exe from svchost.exe , or gz from export.tar.gz .
|
Fingerprints | fingerprints |
Fingerprint[] |
An array of digital fingerprint objects.
|
Hashes | hashes |
Fingerprint[] | An array of hash attributes. |
System | is_system |
Boolean | The indication of whether the object is part of the operating system. |
MIME type | mime_type |
String | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. |
Modified Time | modified_time |
Timestamp | The time when the file was last modified. |
Modifier | modifier |
String | The user that last modified the file. |
Name | name |
String |
The name of the file. For example: svchost.exe
|
Owner | owner |
String | The user that owns the file/object. |
Parent Folder | parent_folder |
Path Name |
The parent folder in which the file resides. For example: c:\windows\system32
|
Path | path |
Path Name |
The full path to the file. For example: c:\windows\system32\svchost.exe .
|
Product | product |
Product[] | The product that created or installed the file. |
Raw Data | raw_data |
JSON | The event data as received from the event source. |
Record ID | record_id |
String | Unique identifier for the object |
Security Descriptor | security_descriptor |
String | The object security descriptor. |
Digital Signature | signature |
Digital Signature[] | The digital signature of the file. |
Size | size |
Long | The size of data, in bytes. |
Type | type |
String | The file type. |
Type ID | type_id |
Integer |
The file type ID.
|
Unique ID | uid |
String | The unique identifier of the file as defined by the storage system, such the file system file ID. |
Unmapped Data | unmapped |
Unmapped[] | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
Version | version |
String |
The file version. For example: 8.0.7601.17514 .
|
Extended Attributes | xattributes |
JSON |
An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.For example: Windows alternate data stream attributes (ADS stream name, ADS size, etc.), user-defined or application-defined attributes, ACL, owner, primary group, etc. Examples from DCS:
|
Relationships
Inbound Relationships
These objects and events reference File in their attributes:
- Kernel Extension
- Network File Activity
- Module
- RDP Activity
- SMB Activity
- File System Activity
- Affected Code
- Email Delivery Activity
- Windows Evidence Artifacts
- File Remediation Activity
- Email File Activity
- HTTP Activity
- File Query
- File Hosting Activity
- Windows Service
- SSH Activity
- Linux Process
- Event Log Activity
- Folder Query
- Data Security Finding
- FTP Activity
- Databucket
- Job
- Service
Outbound Relationships
File references the following objects and events in its attributes:
This page describes qdm-1.3.2+ocsf-1.3.0
Updated about 2 months ago