File
file
The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details.
Attributes
Caption | Name | Type | Description |
---|---|---|---|
Accessed Time | accessed_time | Timestamp | The time when the file was last accessed. |
Accessor | accessor | User[] | Entity:USER The name of the user who last accessed the object. |
Attributes | attributes | Integer | The bitmask value that represents the file attributes. |
Company Name | company_name | String | The name of the company that published the file. For example: Microsoft Corporation. |
Confidentiality | confidentiality | String | The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. |
Confidentiality ID | confidentiality_id | Integer | The normalized identifier of the file content confidentiality indicator. |
Created Time | created_time | Timestamp | The time when the file was created. |
Creator | creator | User[] | Entity:USER The user that created the file. |
Data Classification | data_classification | Data Classification[] | Group:context The Data Classification object includes information about data classification levels and data category types. |
Data Classification | data_classifications | Data Classification[] | Group:context A list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier. |
Description | desc | String | The description of the file, as returned by the file system. For example: the description as returned by the Unix file command or the Windows file type. |
Drive Type | drive_type | String | The drive type, normalized to the caption of the drive_type_id value. In the case of Other, it is defined by the source. |
Drive Type ID | drive_type_id | Integer | Identifies the type of a disk drive, i.e. fixed, removable, etc. |
Encryption Details | encryption_details | Encryption Details[] | The encryption details of the file. Should be populated if the file is encrypted. |
File Extension | ext | String | The extension of the file, excluding the leading dot. For example: exe from svchost.exe, or gz from export.tar.gz. |
Hashes | hashes | Fingerprint[] | Entity:FINGERPRINT An array of hash attributes. |
Internal Name | internal_name | String | The name of the file as identified within the file itself. This contrasts with the name by which the file is known on disk. Where available, the internal name is widely used by security practitioners and detection content because the on-disk file name is not reliable. On the Windows OS, most PE files contain a VERSIONINFO resource from which the internal name can be obtained. On macOS, binaries can optionally embed a copy of the application's Info.plist file which in turn contains the name of the executable. |
Deleted | is_deleted | Boolean | Indicates if the file was deleted from the filesystem. |
Encrypted | is_encrypted | Boolean | Indicates if the file is encrypted. |
Public | is_public | Boolean | Indicates if the file is publicly accessible. For example, an object's public access in AWS S3. |
System | is_system | Boolean | The indication of whether the object is part of the operating system. |
MIME type | mime_type | String | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. |
Modified Time | modified_time | Timestamp | The time when the file was last modified. |
Modifier | modifier | User[] | Entity:USER The user that last modified the file. |
Name | name | File Name | Entity:FILE_NAME The name of the file. For example: svchost.exe |
Owner | owner | User[] | Entity:USER The user that owns the file/object. |
Parent Folder | parent_folder | String | The parent folder in which the file resides. For example: c:\windows\system32 |
Path | path | String | The full path to the file. For example: c:\windows\system32\svchost.exe. |
Product | product | Product[] | The product that created or installed the file. |
Raw Data | raw_data | JSON | Group:context The event data as received from the event source. |
Record ID | record_id | String | Group:primary Unique identifier for the object. |
Security Descriptor | security_descriptor | String | The object security descriptor. |
Digital Signature | signature | Digital Signature[] | The digital signature of the file. |
Size | size | Long | The size of data, in bytes. |
Storage Class | storage_class | String | The storage class of the file. For example in AWS S3: STANDARD, STANDARD_IA, GLACIER. |
Tags | tags | Key:Value object[] | The list of tags; {key:value} pairs associated with the file. |
Type | type | String | The file type. |
Type ID | type_id | Integer | The file type ID. |
Unique ID | uid | String | The unique identifier of the file as defined by the storage system, such as the file system file ID. |
Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
URL | url | Uniform Resource Locator[] | Entity:UNIFORM_RESOURCE_LOCATOR The URL of the file, when applicable. |
Version | version | String | The file version. For example: 8.0.7601.17514. |
Extended Attributes | xattributes | JSON | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. For example: Windows alternate data stream attributes (ADS stream name, ADS size, etc.), user-defined or application-defined attributes, ACL, owner, primary group, etc. Examples from DCS: |
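
The internal_name description above notes that the on-disk file name is not reliable. As an added example (not part of the OCSF schema or its tooling), the Python below compares name and internal_name on File objects and reports the paths where they disagree. The sample objects are constructed, and the function names are hypothetical.

```python
import ntpath  # Windows path rules on any host OS

# Constructed OCSF File objects (sample data, not from a real event source).
SAMPLE_FILES = [
    {"name": "svchost.exe", "internal_name": "svchost.exe",
     "path": r"c:\windows\system32\svchost.exe"},
    # VERSIONINFO internal names often omit the extension and differ in case.
    {"name": "CMD.EXE", "internal_name": "cmd",
     "path": r"c:\windows\system32\CMD.EXE"},
    # Renamed binary: the embedded name does not match the name on disk.
    {"name": "invoice_viewer.exe", "internal_name": "remote_admin.exe",
     "path": r"c:\users\public\invoice_viewer.exe"},
    # No internal_name reported by the source (for example, not a PE file).
    {"name": "notes.txt", "path": r"c:\users\alice\notes.txt"},
]


def _stem(value):
    """Lower-case a file name and drop its final extension for comparison."""
    base = ntpath.basename(value.strip()).lower()
    root, _ext = ntpath.splitext(base)
    return root or base


def name_mismatch(file_obj):
    """True when a File object's on-disk name disagrees with internal_name."""
    internal = file_obj.get("internal_name")
    if not internal:
        return False  # nothing embedded to compare against
    # Fall back to the last path component when name is not populated.
    name = file_obj.get("name") or ntpath.basename(file_obj.get("path", ""))
    if not name:
        return False
    return _stem(name) != _stem(internal)


def find_mismatches(files):
    """Return the path (or name) of every File object with a name mismatch."""
    return [f.get("path") or f.get("name") for f in files if name_mismatch(f)]


if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_FILES):
        print("name/internal_name mismatch:", hit)
```

A mismatch is a triage signal rather than a verdict, since installers and updaters legitimately rename binaries; pairing it with the signature and hashes attributes narrows the results.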
Relationships
Inbound Relationships
These objects and events reference File in their attributes:
- File Query
- RDP Activity
- File Remediation Activity
- Evidence Artifacts
- HTTP Activity
- OSINT
- FTP Activity
- Linux Process
- Data Security Finding
- File Hosting Activity
- Folder Query
- Module
- Script
- Job
- SMB Activity
- Kernel Extension
- Email File Activity
- SSH Activity
- Databucket
- Affected Code
- Network File Activity
- File System Activity
- Event Log Activity
Outbound Relationships
File references the following objects and events in its attributes:
- Fingerprint
- Encryption Details
- Unmapped
- Data Classification
- Product
- Uniform Resource Locator
- Digital Signature
- User
- Key:Value object
This page describes ocsf-1.4.0