Contents

file

Contents

file

Event fields used to define/normalize metadata about files either locally or over the wire (Network Traffic). This entity and attributes can extend other entities such as source and destination.

Attributes

Name

Type

Description

Sample Value

file_accessed_time

date

When the file was last accessed . Also known as atime

2016-11-25 18:21:47

file_changed_time

date

When the file was last changed. Also known as ctime

2016-11-25 18:21:47

file_company

string

Company name a file belongs to

Microsoft Corporation

file_creation_time

date

When the file was created. Also known as crtime

2016-11-25 18:21:47

file_description

string

Description of a file

Console Window Host

file_directory

string

Directory of file(s). It does not include the file name

C:\users\wardog\

file_extension

string

The extension name or type of the file.

exe

file_hard_links

integer

Number of hard links

3

file_hash_imphash

string

IMPHASH hash of the image/binary/file

2505BD03D7BD285E50CE89CEC02B333B

file_hash_md5

string

MD5 hash of the image/binary/file

6A255BEBF3DBCD13585538ED47DBAFD7

file_hash_sha1

string

SHA1 hash of the image/binary/file

B0BF5AC2E81BBF597FAD5F349FEEB32CAC449FA2

file_hash_sha256

string

SHA256 hash of the image/binary/file

4668BB2223FFB983A5F1273B9E3D9FA2C5CE4A0F1FB18CA5C1B285762020073C

file_hash_sha512

string

SHA512 hash of the image/binary/file

1AD1D79F85D8F6A50EA282F63898D652661DAA0C1FD361C22647CABC98A70E8CBCE83200D579D10DD0A3D46BE9496DCDFDDF28B0C5E9709343B032A8796FBECB

file_inode

integer

Filesystem inode number

``````

file_link_name

string

path of the hard link

C:\Docs\My.exe

file_mime_type

string

MIME type name specified for the file

application/msword

file_modified_time

date

When the file was last modified. Also known as mtime

2016-11-25 18:21:47

file_name

string

name of the file without its full path. This could be a local file or one transmitted over the network.

a.exe

file_path

string

full path of a file including the name of the file. This could be a local file or one transmitted over the network.

C:\users\wardog\z.exe

file_previous_accessed_time

date

When the file was previously accessed

2016-11-25 18:21:47

file_previous_changed_time

date

When the file was previously changed

2016-11-25 18:21:47

file_previous_creation_time

date

When the file was previously created

2016-11-25 18:21:47

file_previous_modified_time

date

When the file was previously modified

2016-11-25 18:21:47

file_previous_name

string

The file’s previous name

cmd.exe

file_previous_path

string

The file’s previous path

C:\\Windows\system32\cmd.exe

file_product

string

The file’s product name

Microsoft® Windows® Operating System

file_size

integer

Size of the file, in bytes.

45

file_symlink

integer

1 if the path is a symlink, otherwise 0

0

file_symlink_name

string

path of the symlink

C:\Docs\My.exe

file_system_block_size

integer

Block size of filesystem

``````

file_system_type

string

The file system type, ex: fat32, ntfs, vmfs, ext3, ext4, xfs

ntfs

file_version

string

file version. i.e. image loaded version

10.0.16299.15 (WinBuild.160101.0800)

previous

event

next

geo