File
File is a searchable entity at the top of Query's UI.
file
The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details. Defined by D3FEND d3f:File.
Contents
Attributes
| Caption | Name | Type | Is Array | Default | Description |
|---|---|---|---|---|---|
| Accessed Time | accessed_time | Timestamp | The time when the file was last accessed. | ||
| Accessor | accessor | String | The name of the user who last accessed the object. | ||
| Attributes | attributes | Integer | The bitmask value that represents the file attributes. | ||
| Company Name | company_name | String |
The name of the company that published the file. For example: Microsoft Corporation.
|
||
| Confidentiality | confidentiality | String | The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. | ||
| Confidentiality ID | confidentiality_id | Integer |
The normalized identifier of the file content confidentiality indicator.
|
||
| Created Time | created_time | Timestamp | The time when the file was created. | ||
| Creator | creator | String | The user that created the file. | ||
| Data Classification | data_classification | Data Classification | The Data Classification object includes information about data classification levels and data category types. | ||
| Description | desc | String | The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type. | ||
| Fingerprints | fingerprints | Fingerprint |
An array of digital fingerprint objects.
Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 |
||
| Hashes | hashes | Fingerprint | An array of hash attributes. | ||
| System | is_system | Boolean | The indication of whether the object is part of the operating system. | ||
| MIME type | mime_type | String | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. | ||
| Modified Time | modified_time | Timestamp | The time when the file was last modified. | ||
| Modifier | modifier | String | The user that last modified the file. | ||
| Name | name | String |
The name of the file. For example: svchost.exe
|
||
| Owner | owner | String | The user that owns the file/object. | ||
| Parent Folder | parent_folder | Path Name |
The parent folder in which the file resides. For example: c:\windows\system32
|
||
| Path | path | Path Name |
The full path to the file. For example: c:\windows\system32\svchost.exe.
|
||
| Product | product | Product | The product that created or installed the file. | ||
| Raw Data | raw_data | JSON | The event data as received from the event source. | ||
| Record ID | record_id | String | Unique identifier for the object | ||
| Security Descriptor | security_descriptor | String | The object security descriptor. | ||
| Digital Signature | signature | Digital Signature | The digital signature of the file. | ||
| Size | size | Long | The size of data, in bytes. | ||
| Type | type | String | The file type. | ||
| Type ID | type_id | Integer | 0 |
The file type ID.
|
|
| Unique ID | uid | String | The unique identifier of the file as defined by the storage system, such the file system file ID. | ||
| Unmapped Data | unmapped | Unmapped | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. | ||
| Version | version | String |
The file version. For example: 8.0.7601.17514.
|
||
| Extended Attributes | xattributes | JSON |
An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.For example: Windows alternate data stream attributes (ADS stream name, ADS size, etc.), user-defined or application-defined attributes, ACL, owner, primary group, etc. Examples from DCS:
|
Referenced By
- Email Delivery Activity
- RDP Activity
- SMB Activity
- File Hosting Activity
- Email File Activity
- Data Security Finding
- File System Activity
- File System Activity
- FTP Activity
- Network File Activity
- SSH Activity
- HTTP Activity
- Linux Process
- Service
- Module
- Affected Code
- Kernel Extension
- Job
- Databucket
- Evidence Artifacts
Context
JSON
{
"caption": "File",
"observable": 24,
"name": "file",
"description": "The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details. Defined by D3FEND <a target='_blank' href='https://next.d3fend.mitre.org/dao/artifact/d3f:File/'>d3f:File</a>.",
"extends": "_entity",
"profiles": [
"data_classification"
],
"attributes": {
"$include": [
"profiles/data_classification.json"
],
"accessed_time": {
"requirement": "optional",
"caption": "Accessed Time",
"description": "The time when the file was last accessed.",
"type": "timestamp_t"
},
"accessor": {
"requirement": "optional",
"caption": "Accessor",
"description": "The name of the user who last accessed the object.",
"type": "string_t"
},
"attributes": {
"requirement": "optional",
"caption": "Attributes",
"description": "The bitmask value that represents the file attributes.",
"type": "integer_t"
},
"company_name": {
"requirement": "optional",
"caption": "Company Name",
"description": "The name of the company that published the file. For example: <code>Microsoft Corporation</code>.",
"type": "string_t"
},
"confidentiality": {
"requirement": "optional",
"caption": "Confidentiality",
"description": "The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.",
"type": "string_t"
},
"confidentiality_id": {
"requirement": "optional",
"caption": "Confidentiality ID",
"description": "The normalized identifier of the file content confidentiality indicator.",
"enum": {
"99": {
"caption": "Other",
"description": "The confidentiality is not mapped. See the <code>confidentiality</code> attribute, which contains a data source specific value."
},
"0": {
"caption": "Unknown",
"description": "The confidentiality is unknown."
},
"1": {
"caption": "Not Confidential"
},
"2": {
"caption": "Confidential"
},
"3": {
"caption": "Secret"
},
"4": {
"caption": "Top Secret"
},
"5": {
"caption": "Private"
},
"6": {
"caption": "Restricted"
}
},
"sibling": "confidentiality",
"type": "integer_t"
},
"created_time": {
"description": "The time when the file was created.",
"requirement": "optional",
"caption": "Created Time",
"type": "timestamp_t"
},
"creator": {
"description": "The user that created the file.",
"requirement": "optional",
"caption": "Creator",
"type": "string_t"
},
"desc": {
"description": "The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.",
"requirement": "optional",
"caption": "Description",
"type": "string_t"
},
"hashes": {
"requirement": "recommended",
"caption": "Hashes",
"description": "An array of hash attributes.",
"is_array": true,
"type": "fingerprint"
},
"is_system": {
"requirement": "optional",
"caption": "System",
"description": "The indication of whether the object is part of the operating system.",
"type": "boolean_t"
},
"mime_type": {
"requirement": "optional",
"caption": "MIME type",
"description": "The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.",
"type": "string_t"
},
"modified_time": {
"description": "The time when the file was last modified.",
"requirement": "optional",
"caption": "Modified Time",
"type": "timestamp_t"
},
"modifier": {
"description": "The user that last modified the file.",
"requirement": "optional",
"caption": "Modifier",
"type": "string_t"
},
"name": {
"description": "The name of the file. For example: <code>svchost.exe</code>",
"requirement": "required",
"type": "string_t",
"caption": "Name",
"name": "file_name_t"
},
"owner": {
"requirement": "optional",
"caption": "Owner",
"description": "The user that owns the file/object.",
"type": "string_t"
},
"parent_folder": {
"requirement": "optional",
"caption": "Parent Folder",
"description": "The parent folder in which the file resides. For example: <code>c:\\windows\\system32</code>",
"type": "path_t"
},
"path": {
"description": "The full path to the file. For example: <code>c:\\windows\\system32\\svchost.exe</code>.",
"requirement": "recommended",
"caption": "Path",
"type": "path_t"
},
"product": {
"description": "The product that created or installed the file.",
"requirement": "optional",
"caption": "Product",
"type": "product"
},
"security_descriptor": {
"requirement": "optional",
"caption": "Security Descriptor",
"description": "The object security descriptor.",
"type": "string_t"
},
"signature": {
"requirement": "optional",
"caption": "Digital Signature",
"description": "The digital signature of the file.",
"type": "digital_signature"
},
"size": {
"requirement": "optional",
"caption": "Size",
"description": "The size of data, in bytes.",
"type": "long_t"
},
"type": {
"description": "The file type.",
"requirement": "optional",
"caption": "Type",
"type": "string_t"
},
"type_id": {
"description": "The file type ID.",
"enum": {
"0": {
"caption": "Unknown",
"description": "The type is unknown."
},
"1": {
"caption": "Regular File"
},
"2": {
"caption": "Folder"
},
"3": {
"caption": "Character Device"
},
"4": {
"caption": "Block Device"
},
"5": {
"caption": "Local Socket"
},
"6": {
"caption": "Named Pipe"
},
"7": {
"caption": "Symbolic Link"
},
"99": {
"caption": "Other",
"description": "The type is not mapped. See the <code>type</code> attribute, which contains a data source specific value."
}
},
"requirement": "required",
"caption": "Type ID",
"sibling": "type",
"type": "integer_t",
"default": 0
},
"uid": {
"description": "The unique identifier of the file as defined by the storage system, such the file system file ID.",
"requirement": "optional",
"caption": "Unique ID",
"type": "string_t"
},
"version": {
"description": "The file version. For example: <code>8.0.7601.17514</code>.",
"requirement": "optional",
"caption": "Version",
"type": "string_t"
},
"xattributes": {
"requirement": "optional",
"caption": "Extended Attributes",
"description": "An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.</p>For example: Windows alternate data stream attributes (ADS stream name, ADS size, etc.), user-defined or application-defined attributes, ACL, owner, primary group, etc. Examples from DCS: </p><ul><li><strong>ads_name</strong></li><li><strong>ads_size</strong></li><li><strong>dacl</strong></li><li><strong>owner</strong></li><li><strong>primary_group</strong></li><li><strong>link_name</strong> - name of the link associated to the file.</li><li><strong>hard_link_count</strong> - the number of links that are associated to the file.</li></ul>",
"type": "json_t"
},
"data_classification": {
"group": "context",
"requirement": "recommended",
"caption": "Data Classification",
"description": "The Data Classification object includes information about data classification levels and data category types.",
"type": "data_classification"
},
"raw_data": {
"group": "context",
"caption": "Raw Data",
"description": "The event data as received from the event source.",
"type": "json_t"
},
"record_id": {
"description": "Unique identifier for the object",
"group": "primary",
"requirement": "required",
"caption": "Record ID",
"type": "string_t"
},
"unmapped": {
"caption": "Unmapped Data",
"description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
"type": "unmapped",
"is_array": true
},
"fingerprints": {
"requirement": "recommended",
"caption": "Fingerprints",
"description": "An array of digital fingerprint objects.",
"is_array": true,
"type": "fingerprint",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
}
},
"constraints": {
"at_least_one": [
"name",
"uid"
]
}
}