File

File is a searchable entity at the top of Query's UI.

file

The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details. Defined by D3FEND d3f:File.

Attributes

| Caption | Name | Type | Is Array | Default | Description |
|---|---|---|---|---|---|
| Accessed Time | accessed_time | Timestamp | | | The time when the file was last accessed. |
| Accessor | accessor | String | | | The name of the user who last accessed the object. |
| Attributes | attributes | Integer | | | The bitmask value that represents the file attributes. |
| Company Name | company_name | String | | | The name of the company that published the file. For example: Microsoft Corporation. |
| Confidentiality | confidentiality | String | | | The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. |
| Confidentiality ID | confidentiality_id | Integer | | | The normalized identifier of the file content confidentiality indicator. Values: 0 Unknown, 1 Not Confidential, 2 Confidential, 3 Secret, 4 Top Secret, 5 Private, 6 Restricted, 99 Other. |
| Created Time | created_time | Timestamp | | | The time when the file was created. |
| Creator | creator | String | | | The user that created the file. |
| Data Classification | data_classification | Data Classification | | | The Data Classification object includes information about data classification levels and data category types. |
| Description | desc | String | | | The description of the file, as returned by the file system. For example: the description as returned by the Unix file command or the Windows file type. |
| File Extension | ext | String | | | The extension of the file, excluding the leading dot. For example: exe from svchost.exe, or gz from export.tar.gz. |
| Fingerprints | fingerprints | Fingerprint | Yes | | An array of digital fingerprint objects. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0. |
| Hashes | hashes | Fingerprint | Yes | | An array of hash attributes. |
| System | is_system | Boolean | | | The indication of whether the object is part of the operating system. |
| MIME type | mime_type | String | | | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. |
| Modified Time | modified_time | Timestamp | | | The time when the file was last modified. |
| Modifier | modifier | String | | | The user that last modified the file. |
| Name | name | String | | | The name of the file. For example: svchost.exe. |
| Owner | owner | String | | | The user that owns the file/object. |
| Parent Folder | parent_folder | Path Name | | | The parent folder in which the file resides. For example: c:\windows\system32 |
| Path | path | Path Name | | | The full path to the file. For example: c:\windows\system32\svchost.exe |
| Product | product | Product | | | The product that created or installed the file. |
| Raw Data | raw_data | JSON | | | The event data as received from the event source. |
| Record ID | record_id | String | | | Unique identifier for the object. |
| Security Descriptor | security_descriptor | String | | | The object security descriptor. |
| Digital Signature | signature | Digital Signature | | | The digital signature of the file. |
| Size | size | Long | | | The size of data, in bytes. |
| Type | type | String | | | The file type. |
| Type ID | type_id | Integer | | 0 | The file type ID. Values: 0 Unknown, 1 Regular File, 2 Folder, 3 Character Device, 4 Block Device, 5 Local Socket, 6 Named Pipe, 7 Symbolic Link, 99 Other. |
| Unique ID | uid | String | | | The unique identifier of the file as defined by the storage system, such as the file system file ID. |
| Unmapped Data | unmapped | Unmapped | Yes | | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
| Version | version | String | | | The file version. For example: 8.0.7601.17514. |
| Extended Attributes | xattributes | JSON | | | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. |

Extended attributes (xattributes), for example: Windows alternate data stream attributes (ADS stream name, ADS size, etc.), user-defined or application-defined attributes, ACL, owner, primary group, etc. Examples from DCS:

  • ads_name
  • ads_size
  • dacl
  • owner
  • primary_group
  • link_name - name of the link associated to the file.
  • hard_link_count - the number of links that are associated to the file.

JSON

{
  "caption": "File",
  "observable": 24,
  "name": "file",
  "description": "The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details. Defined by D3FEND <a target='_blank' href='https://next.d3fend.mitre.org/dao/artifact/d3f:File/'>d3f:File</a>.",
  "extends": "_entity",
  "profiles": [
    "data_classification"
  ],
  "attributes": {
    "$include": [
      "profiles/data_classification.json"
    ],
    "accessed_time": {
      "requirement": "optional",
      "caption": "Accessed Time",
      "description": "The time when the file was last accessed.",
      "type": "timestamp_t"
    },
    "accessor": {
      "requirement": "optional",
      "caption": "Accessor",
      "description": "The name of the user who last accessed the object.",
      "type": "string_t"
    },
    "attributes": {
      "requirement": "optional",
      "caption": "Attributes",
      "description": "The bitmask value that represents the file attributes.",
      "type": "integer_t"
    },
    "company_name": {
      "requirement": "optional",
      "caption": "Company Name",
      "description": "The name of the company that published the file. For example: <code>Microsoft Corporation</code>.",
      "type": "string_t"
    },
    "confidentiality": {
      "requirement": "optional",
      "caption": "Confidentiality",
      "description": "The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "confidentiality_id": {
      "requirement": "optional",
      "caption": "Confidentiality ID",
      "description": "The normalized identifier of the file content confidentiality indicator.",
      "sibling": "confidentiality",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The confidentiality is unknown."
        },
        "1": {
          "caption": "Not Confidential"
        },
        "2": {
          "caption": "Confidential"
        },
        "3": {
          "caption": "Secret"
        },
        "4": {
          "caption": "Top Secret"
        },
        "5": {
          "caption": "Private"
        },
        "6": {
          "caption": "Restricted"
        },
        "99": {
          "caption": "Other",
          "description": "The confidentiality is not mapped. See the <code>confidentiality</code> attribute, which contains a data source specific value."
        }
      }
    },
    "created_time": {
      "description": "The time when the file was created.",
      "requirement": "optional",
      "caption": "Created Time",
      "type": "timestamp_t"
    },
    "creator": {
      "description": "The user that created the file.",
      "requirement": "optional",
      "caption": "Creator",
      "type": "string_t"
    },
    "desc": {
      "description": "The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.",
      "requirement": "optional",
      "caption": "Description",
      "type": "string_t"
    },
    "ext": {
      "caption": "File Extension",
      "description": "The extension of the file, excluding the leading dot. For example: <code>exe</code> from <code>svchost.exe</code>, or <code>gz</code> from <code>export.tar.gz</code>.",
      "requirement": "recommended",
      "type": "string_t"
    },
    "hashes": {
      "requirement": "recommended",
      "caption": "Hashes",
      "description": "An array of hash attributes.",
      "type": "fingerprint",
      "is_array": true
    },
    "is_system": {
      "requirement": "optional",
      "caption": "System",
      "description": "The indication of whether the object is part of the operating system.",
      "type": "boolean_t"
    },
    "mime_type": {
      "requirement": "optional",
      "caption": "MIME type",
      "description": "The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.",
      "type": "string_t"
    },
    "modified_time": {
      "description": "The time when the file was last modified.",
      "requirement": "optional",
      "caption": "Modified Time",
      "type": "timestamp_t"
    },
    "modifier": {
      "description": "The user that last modified the file.",
      "requirement": "optional",
      "caption": "Modifier",
      "type": "string_t"
    },
    "name": {
      "description": "The name of the file. For example: <code>svchost.exe</code>",
      "requirement": "required",
      "type": "string_t",
      "caption": "Name",
      "name": "file_name_t"
    },
    "owner": {
      "requirement": "optional",
      "caption": "Owner",
      "description": "The user that owns the file/object.",
      "type": "string_t"
    },
    "parent_folder": {
      "requirement": "optional",
      "caption": "Parent Folder",
      "description": "The parent folder in which the file resides. For example: <code>c:\\windows\\system32</code>",
      "type": "path_t"
    },
    "path": {
      "description": "The full path to the file. For example: <code>c:\\windows\\system32\\svchost.exe</code>.",
      "requirement": "recommended",
      "caption": "Path",
      "type": "path_t"
    },
    "product": {
      "description": "The product that created or installed the file.",
      "requirement": "optional",
      "caption": "Product",
      "type": "product"
    },
    "security_descriptor": {
      "requirement": "optional",
      "caption": "Security Descriptor",
      "description": "The object security descriptor.",
      "type": "string_t"
    },
    "signature": {
      "requirement": "optional",
      "caption": "Digital Signature",
      "description": "The digital signature of the file.",
      "type": "digital_signature"
    },
    "size": {
      "requirement": "optional",
      "caption": "Size",
      "description": "The size of data, in bytes.",
      "type": "long_t"
    },
    "type": {
      "description": "The file type.",
      "requirement": "optional",
      "caption": "Type",
      "type": "string_t"
    },
    "type_id": {
      "description": "The file type ID.",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The type is unknown."
        },
        "1": {
          "caption": "Regular File"
        },
        "2": {
          "caption": "Folder"
        },
        "3": {
          "caption": "Character Device"
        },
        "4": {
          "caption": "Block Device"
        },
        "5": {
          "caption": "Local Socket"
        },
        "6": {
          "caption": "Named Pipe"
        },
        "7": {
          "caption": "Symbolic Link"
        },
        "99": {
          "caption": "Other",
          "description": "The type is not mapped. See the <code>type</code> attribute, which contains a data source specific value."
        }
      },
      "requirement": "required",
      "caption": "Type ID",
      "sibling": "type",
      "type": "integer_t",
      "default": 0
    },
    "uid": {
      "description": "The unique identifier of the file as defined by the storage system, such the file system file ID.",
      "requirement": "optional",
      "caption": "Unique ID",
      "type": "string_t"
    },
    "version": {
      "description": "The file version. For example: <code>8.0.7601.17514</code>.",
      "requirement": "optional",
      "caption": "Version",
      "type": "string_t"
    },
    "xattributes": {
      "requirement": "optional",
      "caption": "Extended Attributes",
      "description": "An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.</p>For example: Windows alternate data stream attributes (ADS stream name, ADS size, etc.), user-defined or application-defined attributes, ACL, owner, primary group, etc. Examples from DCS: </p><ul><li><strong>ads_name</strong></li><li><strong>ads_size</strong></li><li><strong>dacl</strong></li><li><strong>owner</strong></li><li><strong>primary_group</strong></li><li><strong>link_name</strong> - name of the link associated to the file.</li><li><strong>hard_link_count</strong> - the number of links that are associated to the file.</li></ul>",
      "type": "json_t"
    },
    "data_classification": {
      "group": "context",
      "requirement": "recommended",
      "caption": "Data Classification",
      "description": "The Data Classification object includes information about data classification levels and data category types.",
      "type": "data_classification"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    },
    "fingerprints": {
      "requirement": "recommended",
      "caption": "Fingerprints",
      "description": "An array of digital fingerprint objects.",
      "is_array": true,
      "type": "fingerprint",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    }
  },
  "constraints": {
    "at_least_one": [
      "name",
      "uid"
    ]
  }
}
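As an added example (not Query's or OCSF's own code), the checks below apply the rules encoded in the definition above: the `required` attributes, the `is_array` flags, the `type_id` default of 0, the `at_least_one` constraint on `name`/`uid`, and the `sibling` rule under which `type` and `confidentiality` mirror their `_id` enum caption except for 99 (Other), where the event source supplies the string. The sample record is constructed.

```python
"""Validate and normalize a QDM File object against the schema on this page.

Added example, not Query's own code: the enum tables, required attributes,
is_array flags, default and the at_least_one constraint are copied from the
JSON definition above; the sample record below is constructed.
"""
from typing import Any

TYPE_ID = {0: "Unknown", 1: "Regular File", 2: "Folder", 3: "Character Device",
           4: "Block Device", 5: "Local Socket", 6: "Named Pipe",
           7: "Symbolic Link", 99: "Other"}
CONFIDENTIALITY_ID = {0: "Unknown", 1: "Not Confidential", 2: "Confidential",
                      3: "Secret", 4: "Top Secret", 5: "Private",
                      6: "Restricted", 99: "Other"}
REQUIRED = ("name", "type_id", "record_id")        # "requirement": "required"
ARRAYS = ("hashes", "fingerprints", "unmapped")    # "is_array": true
SIBLINGS = (("type_id", "type", TYPE_ID),
            ("confidentiality_id", "confidentiality", CONFIDENTIALITY_ID))


def validate_file(obj: dict[str, Any]) -> list[str]:
    """Return schema violations (empty list = valid). Fills the type_id default
    and normalizes each *_id sibling string to the enum caption, except for
    99 (Other), where the event source must supply the sibling value."""
    errors: list[str] = []
    obj.setdefault("type_id", 0)                   # "default": 0 -> Unknown
    errors += [f"missing required attribute {k}" for k in REQUIRED if k not in obj]
    if not (obj.get("name") or obj.get("uid")):    # constraints.at_least_one
        errors.append("at least one of name, uid must be present")
    errors += [f"{k} must be an array" for k in ARRAYS
               if k in obj and not isinstance(obj[k], list)]
    for id_key, sib, enum in SIBLINGS:
        if id_key not in obj:
            continue
        code = obj[id_key]
        if code not in enum:
            errors.append(f"{id_key}={code!r} is not a defined value")
        elif code == 99 and not obj.get(sib):
            errors.append(f"{id_key}=99 (Other) requires a source-specific {sib}")
        elif code != 99:
            obj[sib] = enum[code]                  # sibling mirrors the caption
    return errors


def sample_file() -> dict[str, Any]:
    """Constructed File record (values are illustrative, not real telemetry)."""
    return {"record_id": "example-record-1", "name": "svchost.exe",
            "path": "c:\\windows\\system32\\svchost.exe", "ext": "exe",
            "type_id": 1, "confidentiality_id": 99, "confidentiality": "Internal",
            "hashes": [{"value": "constructed-hash-placeholder"}]}


if __name__ == "__main__":
    rec = sample_file()
    print(validate_file(rec), rec["type"])     # [] Regular File
```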