A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.
Constants

- FILE_ACCESSED - Last time the file was accessed. Note that not all filesystems keep track of access time, and mounts using `noatime` or `relatime` update it rarely or never.
- FILE_ATTRIBUTES - Array of file attributes. Attribute names will vary by platform. Here is a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
- FILE_CODE_SIGNATURE_DIGEST_ALGORITHM - The hashing algorithm used to sign the file. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
- FILE_CODE_SIGNATURE_EXISTS - Boolean to capture if a signature is present.
- FILE_CODE_SIGNATURE_SIGNING_ID - The identifier used to sign the file. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
- FILE_CODE_SIGNATURE_STATUS - Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
- FILE_CODE_SIGNATURE_SUBJECT_NAME - Subject name of the code signer.
- FILE_CODE_SIGNATURE_TEAM_ID - The team identifier used to sign the file. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
- FILE_CODE_SIGNATURE_TIMESTAMP - Date and time when the code signature was generated and signed.
- FILE_CODE_SIGNATURE_TRUSTED - Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
- FILE_CODE_SIGNATURE_VALID - Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. A valid signature says only that the bytes match the signer's digest; whether the signer is trusted is the separate FILE_CODE_SIGNATURE_TRUSTED field.
- FILE_CREATED - File creation time. Note that not all filesystems store the creation time.
- FILE_CTIME - Last time the file attributes or metadata changed. Note that changes to the file content will update mtime. This implies ctime will be adjusted at the same time, since mtime is an attribute of the file. Unlike mtime and atime, ctime cannot be set from user space with utilities such as `touch`, which makes an mtime older than ctime a useful timestomping indicator.
- FILE_DEVICE - Device that is the source of the file.
- FILE_DIRECTORY - Directory where the file is located. It should include the drive letter, when appropriate.
- FILE_DRIVE_LETTER - Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
- FILE_ELF_ARCHITECTURE - Machine architecture of the ELF file.
- FILE_ELF_BYTE_ORDER - Byte sequence of the ELF file.
- FILE_ELF_CPU_TYPE - CPU type of the ELF file.
- FILE_ELF_CREATION_DATE - Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
- FILE_ELF_EXPORTS - List of exported element names and types.
- FILE_ELF_GO_IMPORTS - List of imported Go language element names and types.
- FILE_ELF_GO_IMPORTS_NAMES_ENTROPY - Shannon entropy calculation from the list of Go imports.
- FILE_ELF_GO_IMPORTS_NAMES_VAR_ENTROPY - Variance for Shannon entropy calculation from the list of Go imports.
- FILE_ELF_GO_IMPORT_HASH - A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available here.
- FILE_ELF_GO_STRIPPED - Set to true if the file is a Go executable that has had its symbols stripped or obfuscated, and false for an unobfuscated Go executable.
- FILE_ELF_HEADER_ABI_VERSION - Version of the ELF Application Binary Interface (ABI).
- FILE_ELF_HEADER_CLASS - Header class of the ELF file (32-bit or 64-bit).
- FILE_ELF_HEADER_DATA - Data table of the ELF header.
- FILE_ELF_HEADER_ENTRYPOINT - Header entrypoint of the ELF file.
- FILE_ELF_HEADER_OBJECT_VERSION - "0x1" for original ELF files.
- FILE_ELF_HEADER_OS_ABI - Target operating system ABI recorded in the ELF header (EI_OSABI), for example System V, Linux or FreeBSD.
- FILE_ELF_HEADER_TYPE - Header type of the ELF file (relocatable, executable, shared object or core).
- FILE_ELF_HEADER_VERSION - Version of the ELF header.
- FILE_ELF_IMPORTS - List of imported element names and types.
- FILE_ELF_IMPORTS_NAMES_ENTROPY - Shannon entropy calculation from the list of imported element names and types.
- FILE_ELF_IMPORTS_NAMES_VAR_ENTROPY - Variance for Shannon entropy calculation from the list of imported element names and types.
- FILE_ELF_IMPORT_HASH - A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.
- FILE_ELF_SECTIONS - An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*.
- FILE_ELF_SECTIONS_CHI2 - Chi-square probability distribution of the section.
- FILE_ELF_SECTIONS_ENTROPY - Shannon entropy calculation from the section.
- FILE_ELF_SECTIONS_FLAGS - ELF Section List flags.
- FILE_ELF_SECTIONS_NAME - ELF Section List name.
- FILE_ELF_SECTIONS_PHYSICAL_OFFSET - ELF Section List offset.
- FILE_ELF_SECTIONS_PHYSICAL_SIZE - ELF Section List physical size.
- FILE_ELF_SECTIONS_TYPE - ELF Section List type.
- FILE_ELF_SECTIONS_VAR_ENTROPY - Variance for Shannon entropy calculation from the section.
- FILE_ELF_SECTIONS_VIRTUAL_ADDRESS - ELF Section List virtual address.
- FILE_ELF_SECTIONS_VIRTUAL_SIZE - ELF Section List virtual size.
- FILE_ELF_SEGMENTS - An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.*.
- FILE_ELF_SEGMENTS_SECTIONS - ELF object segment sections.
- FILE_ELF_SEGMENTS_TYPE - ELF object segment type.
- FILE_ELF_SHARED_LIBRARIES - List of shared libraries used by this ELF object.
- FILE_ELF_TELFHASH - telfhash symbol hash for the ELF file.
- FILE_EXTENSION - File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- FILE_FORK_NAME - A fork is additional data associated with a filesystem object. On macOS filesystems (HFS+ and APFS), a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: C:\path\to\filename.extension:some_fork_name, and some_fork_name is the value that should populate fork_name. filename.extension should populate file.name, and extension should populate file.extension. The full path, file.path, will include the fork name. Because directory listings and most tools hide streams other than $DATA, a non-empty fork_name on an executable or script is worth a detection rule of its own.
- FILE_GID - Primary group ID (GID) of the file.
- FILE_GROUP - Primary group name of the file.
- FILE_HASH_MD5 - MD5 hash.
- FILE_HASH_SHA1 - SHA1 hash.
- FILE_HASH_SHA256 - SHA256 hash.
- FILE_HASH_SHA384 - SHA384 hash.
- FILE_HASH_SHA512 - SHA512 hash.
- FILE_HASH_SSDEEP - SSDEEP hash.
- FILE_HASH_TLSH - TLSH hash.
- FILE_INODE - Inode representing the file in the filesystem.
- FILE_MACHO_GO_IMPORTS - List of imported Go language element names and types.
- FILE_MACHO_GO_IMPORTS_NAMES_ENTROPY - Shannon entropy calculation from the list of Go imports.
- FILE_MACHO_GO_IMPORTS_NAMES_VAR_ENTROPY - Variance for Shannon entropy calculation from the list of Go imports.
- FILE_MACHO_GO_IMPORT_HASH - A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available here.
- FILE_MACHO_GO_STRIPPED - Set to true if the file is a Go executable that has had its symbols stripped or obfuscated, and false for an unobfuscated Go executable.
- FILE_MACHO_IMPORTS - List of imported element names and types.
- FILE_MACHO_IMPORTS_NAMES_ENTROPY - Shannon entropy calculation from the list of imported element names and types.
- FILE_MACHO_IMPORTS_NAMES_VAR_ENTROPY - Variance for Shannon entropy calculation from the list of imported element names and types.
- FILE_MACHO_IMPORT_HASH - A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.
- FILE_MACHO_SECTIONS - An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath macho.sections.*.
- FILE_MACHO_SECTIONS_ENTROPY - Shannon entropy calculation from the section.
- FILE_MACHO_SECTIONS_NAME - Mach-O Section List name.
- FILE_MACHO_SECTIONS_PHYSICAL_SIZE - Mach-O Section List physical size.
- FILE_MACHO_SECTIONS_VAR_ENTROPY - Variance for Shannon entropy calculation from the section.
- FILE_MACHO_SECTIONS_VIRTUAL_SIZE - Mach-O Section List virtual size. A Mach-O section header carries a single size, so this matches physical_size except for zero-fill sections, which occupy memory but have no file-backed data.
- FILE_MACHO_SYMHASH - A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a Mach-O implementation of the Windows PE imphash.
- FILE_MIME_TYPE - MIME type should identify the format of the file or stream of bytes using the IANA official types (https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used. Derive it from content (magic bytes), not from the extension, which an attacker chooses.
- FILE_MODE - Mode of the file in octal representation.
- FILE_MTIME - Last time the file content was modified.
- FILE_NAME - Name of the file including the extension, without the directory.
- FILE_OWNER - File owner's username.
- FILE_PATH - Full path to the file, including the file name. It should include the drive letter, when appropriate.
- FILE_PE_ARCHITECTURE - CPU architecture target for the file.
- FILE_PE_COMPANY - Internal company name of the file, provided at compile-time.
- FILE_PE_DESCRIPTION - Internal description of the file, provided at compile-time.
- FILE_PE_FILE_VERSION - Internal version of the file, provided at compile-time.
- FILE_PE_GO_IMPORTS - List of imported Go language element names and types.
- FILE_PE_GO_IMPORTS_NAMES_ENTROPY - Shannon entropy calculation from the list of Go imports.
- FILE_PE_GO_IMPORTS_NAMES_VAR_ENTROPY - Variance for Shannon entropy calculation from the list of Go imports.
- FILE_PE_GO_IMPORT_HASH - A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available here.
- FILE_PE_GO_STRIPPED - Set to true if the file is a Go executable that has had its symbols stripped or obfuscated, and false for an unobfuscated Go executable.
- FILE_PE_IMPHASH - A hash of the imports in a PE file. An imphash, or import hash, can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. Note that the value depends on import order and library/function names only, so it is trivially changed by an author who reorders imports or resolves APIs at runtime, and it collides for unrelated binaries built with the same packer stub.
- FILE_PE_IMPORTS - List of imported element names and types.
- FILE_PE_IMPORTS_NAMES_ENTROPY - Shannon entropy calculation from the list of imported element names and types.
- FILE_PE_IMPORTS_NAMES_VAR_ENTROPY - Variance for Shannon entropy calculation from the list of imported element names and types.
- FILE_PE_IMPORT_HASH - A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.
- FILE_PE_ORIGINAL_FILE_NAME - Internal name of the file, provided at compile-time.
- FILE_PE_PEHASH - A hash of the PE header and data from one or more PE sections. A pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.
- FILE_PE_PRODUCT - Internal product name of the file, provided at compile-time.
- FILE_PE_SECTIONS - An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath pe.sections.*.
- FILE_PE_SECTIONS_ENTROPY - Shannon entropy calculation from the section.
- FILE_PE_SECTIONS_NAME - PE Section List name.
- FILE_PE_SECTIONS_PHYSICAL_SIZE - PE Section List physical size (the raw data size in the file).
- FILE_PE_SECTIONS_VAR_ENTROPY - Variance for Shannon entropy calculation from the section.
- FILE_PE_SECTIONS_VIRTUAL_SIZE - PE Section List virtual size (the size in memory). This is not always the same as physical_size: uninitialised data and packer unpacking buffers make the in-memory size larger than the raw size, and a large gap between the two is a common packing indicator.
- FILE_SIZE - File size in bytes. Only relevant when file.type is "file".
- FILE_TARGET_PATH - Target path for symlinks.
- FILE_TYPE - File type (file, dir, or symlink).
- FILE_UID - The user ID (UID) or security identifier (SID) of the file owner.
- FILE_X509_ALTERNATIVE_NAMES - List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
- FILE_X509_ISSUER_COMMON_NAME - List of common names (CN) of the issuing certificate authority.
- FILE_X509_ISSUER_COUNTRY - List of country (C) codes.
- FILE_X509_ISSUER_DISTINGUISHED_NAME - Distinguished name (DN) of the issuing certificate authority.
- FILE_X509_ISSUER_LOCALITY - List of locality names (L).
- FILE_X509_ISSUER_ORGANIZATION - List of organizations (O) of the issuing certificate authority.
- FILE_X509_ISSUER_ORGANIZATIONAL_UNIT - List of organizational units (OU) of the issuing certificate authority.
- FILE_X509_ISSUER_STATE_OR_PROVINCE - List of state or province names (ST, S, or P).
- FILE_X509_NOT_AFTER - Time at which the certificate is no longer considered valid.
- FILE_X509_NOT_BEFORE - Time at which the certificate is first considered valid.
- FILE_X509_PUBLIC_KEY_ALGORITHM - Algorithm used to generate the public key.
- FILE_X509_PUBLIC_KEY_CURVE - The curve used by the elliptic curve public key algorithm. This is algorithm specific.
- FILE_X509_PUBLIC_KEY_EXPONENT - Exponent used to derive the public key. This is algorithm specific.
- FILE_X509_PUBLIC_KEY_SIZE - The size of the public key space in bits.
- FILE_X509_SERIAL_NUMBER - Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
- FILE_X509_SIGNATURE_ALGORITHM - Identifier for the certificate signature algorithm. We recommend using names found in the Go crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
- FILE_X509_SUBJECT_COMMON_NAME - List of common names (CN) of the subject.
- FILE_X509_SUBJECT_COUNTRY - List of country (C) codes.
- FILE_X509_SUBJECT_DISTINGUISHED_NAME - Distinguished name (DN) of the certificate subject entity.
- FILE_X509_SUBJECT_LOCALITY - List of locality names (L).
- FILE_X509_SUBJECT_ORGANIZATION - List of organizations (O) of the subject.
- FILE_X509_SUBJECT_ORGANIZATIONAL_UNIT - List of organizational units (OU) of the subject.
- FILE_X509_SUBJECT_STATE_OR_PROVINCE - List of state or province names (ST, S, or P).
- FILE_X509_VERSION_NUMBER - Version of the X.509 format.
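The path, extension, fork-name and inode-metadata rules above (FILE_PATH, FILE_NAME, FILE_EXTENSION, FILE_DIRECTORY, FILE_DRIVE_LETTER, FILE_FORK_NAME, FILE_TYPE, FILE_SIZE, FILE_MODE, FILE_INODE, FILE_UID/GID, FILE_MTIME/CTIME/ACCESSED, FILE_HASH_*) are easy to get subtly wrong, in particular the "last suffix only" extension rule and the Alternate Data Stream colon that must not be confused with the drive colon. The following is an added example written for this page, not code from the crate or from ECS; the helper names, the decision to give a bare dotfile such as `.bashrc` no extension, and the temp-file content are this example's own.

```python
"""Populate ECS-style file.* fields from a path string and from os.stat().

Added example for this page; not part of the crate or of ECS itself. Field
names follow the constants listed above; helper names and the dotfile
choice are this example's own.
"""
import hashlib
import os
import re
import stat as statmod
import tempfile
from datetime import datetime, timezone

_WIN_DRIVE = re.compile(r"^([A-Za-z]):[\\/]")


def file_fields_from_path(path: str, windows: bool = False) -> dict:
    """Split a path into file.path/name/extension/directory, plus
    drive_letter and fork_name on Windows. file.path keeps the ADS suffix,
    file.name and file.extension do not."""
    fields = {"path": path}
    sep = "\\" if windows else "/"
    body = path
    if windows:
        m = _WIN_DRIVE.match(path)
        if m:
            fields["drive_letter"] = m.group(1).upper()  # uppercase, no colon
        # An Alternate Data Stream is "<path>:<stream>"; start searching at
        # index 2 so the drive colon ("C:") is never taken for the stream.
        colon = path.find(":", 2)
        if colon != -1:
            fields["fork_name"] = path[colon + 1:]
            body = path[:colon]
    directory, _, name = body.rpartition(sep)
    fields["directory"] = directory or (sep if body.startswith(sep) else "")
    fields["name"] = name
    # Only the last suffix is the extension ("gz", not "tar.gz"). A bare
    # dotfile (".bashrc") is treated as having no extension; that is this
    # example's choice, not a schema rule.
    stem, dot, ext = name.rpartition(".")
    if dot and stem:
        fields["extension"] = ext
    return fields


def _iso(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="milliseconds")


def file_fields_from_stat(path: str) -> dict:
    """Fill the fields ECS takes from the inode: type, size, mode, inode,
    uid/gid, the three timestamps, and content hashes for regular files."""
    st = os.lstat(path)  # lstat so a symlink is reported as "symlink", not its target
    if statmod.S_ISLNK(st.st_mode):
        ftype = "symlink"
    elif statmod.S_ISDIR(st.st_mode):
        ftype = "dir"
    else:
        ftype = "file"
    fields = {
        "type": ftype,
        "mode": format(statmod.S_IMODE(st.st_mode), "04o"),  # permission bits in octal, e.g. "0644"
        "inode": str(st.st_ino),
        "uid": str(st.st_uid),
        "gid": str(st.st_gid),
        "mtime": _iso(st.st_mtime),     # content change
        "ctime": _iso(st.st_ctime),     # metadata change on POSIX (creation time on Windows)
        "accessed": _iso(st.st_atime),  # may be stale on noatime/relatime mounts
    }
    if ftype == "symlink":
        fields["target_path"] = os.readlink(path)
    if ftype == "file":
        fields["size"] = st.st_size  # size is only meaningful for type "file"
        digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                for d in digests.values():
                    d.update(chunk)
        fields["hash"] = {k: d.hexdigest() for k, d in digests.items()}
    return fields


def demo_stat_fields(content: bytes = b"hello world\n") -> dict:
    """Write constructed content to a temporary .tar.gz-named file and return
    its combined path + stat fields (the file is removed afterwards)."""
    fd, tmp = tempfile.mkstemp(suffix=".tar.gz")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(content)
        fields = file_fields_from_path(tmp)
        fields.update(file_fields_from_stat(tmp))
        return fields
    finally:
        os.unlink(tmp)


if __name__ == "__main__":
    print(file_fields_from_path(r"C:\path\to\filename.extension:Zone.Identifier", windows=True))
    print(demo_stat_fields())
```

`os.lstat` rather than `os.stat` is deliberate: following the link would report the target's type, size and hashes under the link's path, which is exactly the confusion a symlink-based attack relies on.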
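The FILE_ELF_HEADER_* fields (class, data/byte order, OS ABI, ABI version, type, object version, entrypoint, architecture) all come from the first 52 or 64 bytes of the file, and the FILE_*_SECTIONS_ENTROPY / FILE_ELF_SECTIONS_CHI2 fields are the same two statistics over a section's raw bytes. The following added example, written for this page and not taken from the crate or from ECS, parses a constructed ELF header and computes both statistics; the human-readable labels for class, type, ABI and machine are this example's own and are not claimed to be the schema's canonical values.

```python
"""Parse an ELF header into elf.header.* / elf.byte_order / elf.architecture
and compute per-section Shannon entropy and chi-square.

Added example for this page, not code from the crate or ECS. The sample
header is built with struct.pack; label strings are this example's own.
"""
import math
import struct
from collections import Counter

ELF_MAGIC = b"\x7fELF"
_CLASS = {1: "elf32", 2: "elf64"}
_DATA = {1: "little endian", 2: "big endian"}
_OSABI = {0: "System V", 2: "NetBSD", 3: "Linux", 6: "Solaris", 9: "FreeBSD", 12: "OpenBSD"}
_TYPE = {0: "none", 1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
_MACHINE = {0x03: "x86", 0x28: "arm", 0x3E: "x86-64", 0xB7: "aarch64", 0xF3: "riscv"}


def parse_elf_header(data: bytes) -> dict:
    """Return ECS-style header fields from the leading bytes of an ELF file."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_version, ei_osabi, ei_abiversion = data[4:9]
    if ei_class not in _CLASS or ei_data not in _DATA:
        raise ValueError("corrupt e_ident")
    endian = "<" if ei_data == 1 else ">"
    # e_ident is 16 bytes; the rest of the header differs between ELF32 and
    # ELF64 only in the width of e_entry/e_phoff/e_shoff (I vs Q).
    fmt = endian + ("HHIIIIIHHHHHH" if ei_class == 1 else "HHIQQQIHHHHHH")
    size = 16 + struct.calcsize(fmt)  # 52 for ELF32, 64 for ELF64
    if len(data) < size:
        raise ValueError("truncated ELF header")
    (e_type, e_machine, e_version, e_entry, _phoff, _shoff, _flags,
     e_ehsize, _phentsize, _phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(fmt, data, 16)
    if e_ehsize != size:
        # A header that lies about its own size is a classic anti-analysis trick.
        raise ValueError(f"e_ehsize {e_ehsize} does not match class {ei_class}")
    return {
        "header": {
            "class": _CLASS[ei_class],
            "data": _DATA[ei_data],
            "version": ei_version,              # EI_VERSION, 1 for current ELF
            "os_abi": _OSABI.get(ei_osabi, f"unknown ({ei_osabi})"),
            "abi_version": ei_abiversion,
            "type": _TYPE.get(e_type, f"unknown ({e_type})"),
            "object_version": hex(e_version),  # "0x1" for original ELF files
            "entrypoint": e_entry,
        },
        "byte_order": _DATA[ei_data],
        "architecture": _MACHINE.get(e_machine, f"unknown ({e_machine:#x})"),
    }


def section_stats(section: bytes) -> dict:
    """Shannon entropy (bits per byte) and chi-square against a uniform byte
    distribution for one section's raw contents. Packed or encrypted code sits
    near entropy 8 with a small chi-square; plain text and tables do not."""
    n = len(section)
    if n == 0:
        return {"entropy": 0.0, "chi2": 0.0}
    counts = Counter(section)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    expected = n / 256
    chi2 = sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))
    return {"entropy": entropy, "chi2": chi2}


def build_sample_header() -> bytes:
    """Constructed ELF64, little-endian, Linux ABI, x86-64 shared-object
    header with entrypoint 0x1040 (not taken from a real binary)."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 3, 0]) + b"\x00" * 7
    rest = struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0x1040, 64, 0x3000, 0, 64, 56, 11, 64, 29, 28)
    return e_ident + rest


if __name__ == "__main__":
    print(parse_elf_header(build_sample_header()))
    print(section_stats(bytes(range(256)) * 4))   # uniform: entropy 8.0, chi2 0.0
    print(section_stats(b"The quick brown fox jumps over the lazy dog"))
```

Reading the header with `struct` from the declared byte order is what keeps a big-endian MIPS sample from being misparsed as garbage; the `e_ehsize` cross-check is the cheapest integrity test available before trusting any offset in the file.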
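FILE_PE_IMPHASH, FILE_PE_IMPORT_HASH and the FILE_*_IMPORTS_NAMES_ENTROPY fields are described above only by what they are for. The added example below, written for this page and not taken from the crate, from ECS or from pefile, shows the normalisation the pefile implementation applies before hashing (lower-casing, stripping `.dll`/`.ocx`/`.sys`, `ordN` for imports by ordinal, MD5 over the comma-joined list in import-table order) and the Shannon entropy of the imported names. The import tables are constructed by hand; real tooling would read them from the parsed import directory. One simplification is labelled: pefile resolves ordinals of ws2_32 and oleaut32 to names before hashing, and this example does not.

```python
"""PE imphash and import-name entropy from a hand-built import table.

Added example for this page; not code from the crate, from ECS or from
pefile. Sample tables below are constructed, not taken from a real binary.
"""
import hashlib
import math
from collections import Counter

# Library extensions dropped before hashing, so "KERNEL32.DLL", "kernel32.dll"
# and "kernel32" all normalise to the same token.
_STRIPPED_EXTS = ("ocx", "sys", "dll")


def _normalise_library(libname: str) -> str:
    libname = libname.lower()
    stem, dot, ext = libname.rpartition(".")
    return stem if dot and ext in _STRIPPED_EXTS else libname


def imphash_string(imports) -> str:
    """Build the comma-separated "lib.func" list that gets hashed.

    `imports` is an ordered list of (library, entries); each entry is a
    function name or, for an import by ordinal, an int. Order is significant:
    the same imports in a different order give a different imphash.
    Simplification: every ordinal becomes "ordN". pefile additionally maps
    ws2_32/oleaut32 ordinals to their names, which this example omits.
    """
    parts = []
    for libname, entries in imports:
        lib = _normalise_library(libname)
        for entry in entries:
            func = f"ord{entry}" if isinstance(entry, int) else entry.lower()
            parts.append(f"{lib}.{func}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the normalised import list; 32 hex characters."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


def imports_names_entropy(imports) -> float:
    """Shannon entropy over the characters of all imported names. Randomly
    generated import names, as some obfuscators emit, push this up; ordinary
    Win32 API names stay in a narrow band."""
    names = "".join(e if isinstance(e, str) else f"ord{e}"
                    for _, entries in imports for e in entries)
    n = len(names)
    if n == 0:
        return 0.0
    counts = Counter(names)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


# Constructed sample import tables (not from a real binary).
LOADER_STUB = [
    ("KERNEL32.DLL", ["VirtualAlloc", "VirtualProtect", "LoadLibraryA", "GetProcAddress"]),
    ("ws2_32.dll", ["WSAStartup", "socket"]),
    ("comctl32.dll", [17, "ImageList_Create"]),  # ordinal 17 plus a by-name import
]
LOADER_STUB_RECOMPILED = [  # same imports, different casing and extension style
    ("kernel32", ["virtualalloc", "VIRTUALPROTECT", "LoadLibraryA", "GetProcAddress"]),
    ("WS2_32.DLL", ["WSAStartup", "socket"]),
    ("ComCtl32.dll", [17, "ImageList_Create"]),
]
LOADER_STUB_REORDERED = [  # same imports, libraries swapped: a different imphash
    ("ws2_32.dll", ["WSAStartup", "socket"]),
    ("KERNEL32.DLL", ["VirtualAlloc", "VirtualProtect", "LoadLibraryA", "GetProcAddress"]),
    ("comctl32.dll", [17, "ImageList_Create"]),
]

if __name__ == "__main__":
    print(imphash_string(LOADER_STUB))
    print(imphash(LOADER_STUB), imphash(LOADER_STUB_RECOMPILED), imphash(LOADER_STUB_REORDERED))
    print(round(imports_names_entropy(LOADER_STUB), 3))
```

The two properties the tests pin down are the ones that matter operationally: the hash survives recompilation that only changes casing or library spelling, and it does not survive a reordered import table, which is why imphash is a clustering aid rather than a hard indicator.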