## File Fields

A file is defined as a set of information that has been created on, or has existed on a filesystem.

File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.

#### File Field Details

| Field | Description | Type | Example | Level |
|---|---|---|---|---|
| file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date | | extended |
| file.attributes | Array of file attributes. Attribute names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. Note: this field should contain an array of values. | keyword | `["readonly", "system"]` | extended |
| file.created | File creation time. Note that not all filesystems store the creation time. | date | | extended |
| file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update mtime. This implies ctime will be adjusted at the same time, since mtime is an attribute of the file. | date | | extended |
| file.device | Device that is the source of the file. | keyword | sda | extended |
| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | /home/alice | extended |
| file.drive_letter | Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon. | keyword | C | extended |
| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | png | extended |
| file.fork_name | A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form `C:\path\to\filename.extension:some_fork_name`, and some_fork_name is the value that should populate fork_name. filename.extension should populate file.name, and extension should populate file.extension. The full path, file.path, will include the fork name. | keyword | Zone.Identifier | extended |
| file.gid | Primary group ID (GID) of the file. | keyword | 1001 | extended |
| file.group | Primary group name of the file. | keyword | alice | extended |
| file.inode | Inode representing the file in the filesystem. | keyword | 256383 | extended |
| file.mime_type | MIME type should identify the format of the file or stream of bytes using IANA official types, where possible. When more than one type is applicable, the most specific type should be used. | keyword | | extended |
| file.mode | Mode of the file in octal representation. | keyword | 0640 | extended |
| file.mtime | Last time the file content was modified. | date | | extended |
| file.name | Name of the file including the extension, without the directory. | keyword | example.png | extended |
| file.owner | File owner's username. | keyword | alice | extended |
| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. Multi-fields: file.path.text (type: match_only_text). [beta] Use of the match_only_text type in the .text multi-field is currently beta. | keyword | /home/alice/example.png | extended |
| file.size | File size in bytes. Only relevant when file.type is "file". | long | 16384 | extended |
| file.target_path | Target path for symlinks. Multi-fields: file.target_path.text (type: match_only_text). [beta] Use of the match_only_text type in the .text multi-field is currently beta. | keyword | | extended |
| file.type | File type (file, dir, or symlink). | keyword | file | extended |
| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | 1001 | extended |
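As an added example (not code from the ECS documentation), the helper below normalizes a raw path plus an `os.stat_result` into these file.* fields, applying the conventions above: only the last extension, an uppercase drive letter without the colon, the NTFS stream name split out into fork_name while file.path keeps it, mode in octal, and size only for regular files. The function name and the sample stat values are constructed for this illustration.

```python
import ntpath
import os
import posixpath
import re
import stat as st_mod
from datetime import datetime, timezone

# NTFS alternate data stream suffix "name.ext:StreamName" (ECS file.fork_name).
_ADS_RE = re.compile(r"^(?P<base>[^:]+):(?P<fork>[^:\\/]+)$")


def _iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def ecs_file_fields(path, st=None):
    """Return ECS file.* fields for one path (keys omit the 'file.' prefix).
    Windows paths (drive letter or backslashes) are parsed with ntpath; an
    optional os.stat_result supplies mode, size, type, inode, ids and times."""
    win = bool(re.match(r"^[A-Za-z]:", path)) or "\\" in path
    lib = ntpath if win else posixpath
    f = {"path": path}                               # path keeps any fork name
    directory, name = lib.split(path)
    if win:
        drive = ntpath.splitdrive(path)[0]
        if drive.endswith(":"):
            f["drive_letter"] = drive[0].upper()     # uppercase, no colon
        m = _ADS_RE.match(name)
        if m:                                        # name/extension exclude the ADS
            name, f["fork_name"] = m.group("base"), m.group("fork")
    f["directory"], f["name"] = directory, name
    ext = lib.splitext(name)[1]                      # last extension only ("gz")
    if ext:
        f["extension"] = ext[1:]                     # drop the leading dot
    if st is None:
        return f
    mode = st.st_mode
    f["type"] = ("dir" if st_mod.S_ISDIR(mode)
                 else "symlink" if st_mod.S_ISLNK(mode) else "file")
    f["mode"] = format(st_mod.S_IMODE(mode), "04o")  # e.g. "0640"
    if f["type"] == "file":
        f["size"] = st.st_size                       # only meaningful for "file"
    f.update(inode=str(st.st_ino), uid=str(st.st_uid), gid=str(st.st_gid),
             mtime=_iso(st.st_mtime), ctime=_iso(st.st_ctime),
             accessed=_iso(st.st_atime))
    return f


# Constructed sample stat results (not captured from a real host).
SAMPLE_FILE_STAT = os.stat_result((0o100640, 256383, 2049, 1, 1001, 1001, 16384,
                                   1700000000, 1700000000, 1700000000))
SAMPLE_DIR_STAT = os.stat_result((0o040755, 2, 2049, 2, 0, 0, 4096, 0, 0, 0))
```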

#### Field Reuse

The file fields are expected to be nested at:

• threat.enrichments.indicator.file
• threat.indicator.file

Note also that the file fields may be used directly at the root of the events.

##### Field sets that can be nested under File

| Location | Field Set | Description |
|---|---|---|
| file.code_signature.* | code_signature | These fields contain information about binary code signatures. |
| file.elf.* | elf | [beta] This field reuse is beta and subject to change. |
| file.hash.* | hash | Hashes, usually file hashes. |
| file.pe.* | pe | These fields contain Windows Portable Executable (PE) metadata. |
| file.x509.* | x509 | These fields contain x509 certificate metadata. |