File Fields

A file is defined as a set of information that has been created on, or has existed on, a filesystem.

File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.

File Field Details

Each entry below gives the field name, its description, the Elasticsearch data type (with an example value where one is defined), and the ECS level of the field. All of the file fields are at the extended level.

file.ctime

Last time file metadata changed. On POSIX filesystems this is the inode change time, not the creation time: it is updated by chmod, chown, rename and link operations as well as by writes to the content.

type: date

extended

file.device

Device that is the source of the file.

type: keyword

extended

file.extension

File extension.

This should allow easy filtering by file extensions. The value carries no leading dot (png, not .png).

type: keyword

example: png

extended

file.gid

Primary group ID (GID) of the file.

type: keyword

extended

file.group

Primary group name of the file.

type: keyword

extended

file.inode

Inode representing the file in the filesystem.

type: keyword

extended

file.mode

Mode of the file in octal representation (the permission bits, e.g. 0640).

type: keyword

example: 416 (note that 416 is the decimal value of octal 0640; emit the octal string so that values from different sources compare correctly)

extended

file.mtime

Last time file content was modified.

type: date

extended

file.owner

File owner’s username.

type: keyword

extended

file.path

Path to the file.

type: keyword

extended

file.size

File size in bytes (only populated when file.type is file).

type: long

extended

file.target_path

Target path of a symlink (only populated when file.type is symlink).

type: keyword

extended

file.type

File type (file, dir, or symlink).

type: keyword

extended

file.uid

The user ID (UID) or security identifier (SID) of the file owner.

type: keyword

extended
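As an added example of how these fields are populated from a real filesystem entry (this is illustrative code, not part of ECS or of any Elastic shipper), the function below builds the ECS file object from an lstat() of a path. It shows the points the table only states: file.mode is emitted as an octal string rather than the decimal 416, file.extension has no leading dot, file.size is only added for regular files, and file.target_path only for symlinks. Using os.st_dev for file.device is an assumption; ECS does not prescribe how the device is represented. The fixture in demo_fixture() is constructed here for demonstration.

```python
"""Build ECS file.* fields from a filesystem stat (added example, not ECS code)."""
import os
import stat
import tempfile
from datetime import datetime, timezone

try:
    import grp
    import pwd  # POSIX only; owner/group names are resolved when available
except ImportError:
    grp = pwd = None


def _utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def _name(lookup, ident, attr):
    """Resolve a uid/gid to a name; None when no lookup or the id is unknown."""
    if lookup is None:
        return None
    try:
        return getattr(lookup(ident), attr)
    except KeyError:
        return None


def ecs_file_fields(path):
    """Return a flat dict of ECS file.* fields describing `path`.

    os.lstat() is used rather than os.stat() so a symlink is reported as the
    symlink itself (type "symlink", target in file.target_path) instead of
    silently describing whatever it currently points to.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        ftype = "symlink"
    elif stat.S_ISDIR(st.st_mode):
        ftype = "dir"
    elif stat.S_ISREG(st.st_mode):
        ftype = "file"
    else:
        ftype = None  # sockets, FIFOs, device nodes: the table defines no value

    fields = {
        "file.path": os.path.abspath(path),
        "file.inode": str(st.st_ino),
        # Assumption: st_dev as the device identifier; ECS does not fix a format.
        "file.device": str(st.st_dev),
        # Permission bits as an octal string ("0640"), never the decimal 416.
        "file.mode": format(stat.S_IMODE(st.st_mode), "04o"),
        "file.uid": str(st.st_uid),
        "file.gid": str(st.st_gid),
        "file.ctime": _utc(st.st_ctime),  # inode change time on POSIX
        "file.mtime": _utc(st.st_mtime),
    }
    owner = _name(pwd.getpwuid if pwd else None, st.st_uid, "pw_name")
    group = _name(grp.getgrgid if grp else None, st.st_gid, "gr_name")
    if owner:
        fields["file.owner"] = owner
    if group:
        fields["file.group"] = group

    ext = os.path.splitext(os.path.basename(path))[1].lstrip(".")
    if ext:
        fields["file.extension"] = ext  # "png", not ".png"; ".bashrc" has none
    if ftype:
        fields["file.type"] = ftype
    if ftype == "file":
        fields["file.size"] = st.st_size  # only meaningful for regular files
    if ftype == "symlink":
        fields["file.target_path"] = os.readlink(path)
    return fields


def demo_fixture():
    """Constructed fixture: a 0640 regular file, a symlink to it, and its dir."""
    root = tempfile.mkdtemp()
    regular = os.path.join(root, "shot.png")
    with open(regular, "wb") as fh:
        fh.write(b"\x89PNG" + b"\0" * 12)  # 16 constructed sample bytes
    os.chmod(regular, 0o640)
    link = os.path.join(root, "latest.png")
    os.symlink(regular, link)
    return ecs_file_fields(regular), ecs_file_fields(link), ecs_file_fields(root)


if __name__ == "__main__":
    import json
    for obj in demo_fixture():
        print(json.dumps(obj, indent=2, sort_keys=True))
```

Run it directly to print the three file objects. The size-only-for-files and target_path-only-for-symlinks rules are enforced by omitting the keys rather than writing null, which is how a shipper should behave so that absent fields do not match exists queries.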