FileInfo Schema
Note
Schema docs show the fields available for normalization. For a schema field to be populated in XDR, the corresponding field defined in the parser must exist in the original data. Normalized data appears in the Normalized Data tab of events and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Data Lake Search shows only searchable fields.
file.proto
Command
Command holds a command and its execution context
| Field | Type | Label | Description |
|---|---|---|---|
| args | string | repeated | List of command arguments. |
| host_program | FileInfo | | |
| program | FileInfo | | |
| path_context | PathContext | | |
FileInfo
| Field | Type | Label | Description |
|---|---|---|---|
| resource_id | string | | Full resource string identifying the record |
| tenant_id | string | | The ID of the tenant that owns this record (specific to the CTPX ID) |
| visibility | Visibility | | Constraints on visibility of the record |
| normalizer | string | | Name and version of the normalizer that created this record |
| sensor_type | string | | Ex: redcloak |
| sensor_event_id | string | | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | | Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | | Ex: redcloak-agent-id |
| sensor_cpe | string | | CPE of the platform producing the alert. Example: `cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:*` |
| original_data | string | | Original, unadulterated data prior to any transformation |
| event_time_usec | uint64 | | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | | Ingest time in microseconds (µs) |
| event_time_fidelity | TimeFidelity | | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | | Host ID: uniquely identifies the host where the event originated, e.g. IPv4/IPv6 address or device MAC address |
| path | string | | The full pathname of the file |
| type | FileInfo.FileType | | The type of file. @see FileType |
| size | uint64 | | File size in bytes |
| sha1_hash | bytes | | Deprecated. Hash of the file contents; use file_hash.sha1 instead |
| create_time_usec | uint64 | | Time in microseconds (µs) at which the file was created |
| access_time_usec | uint64 | | Time in microseconds (µs) at which the file was last accessed (opened) |
| mod_time_usec | uint64 | | Time in microseconds (µs) at which the file was last modified |
| attributes | string | | String representation of file attributes such as type, permissions, etc., based on the underlying filesystem |
| file_hash | FileInfo.Hash | | A hash of the file contents |
| path_context | PathContext | | Indicates whether the underlying Windows DLL path was redirected based on the OS bytesize (32-bit vs. 64-bit) |
| user_path | bool | | Deprecated. TODO |
| basename | string | | Just the filename without the leading directory path |
| native_path | string | | For Windows, the native system directory used to access the DLL |
| acl | string | repeated | Repeated to account for getfacl/setfacl output for POSIX if we want it in the future |
| version_info | VersionInfo | | For Windows files, version info resides in the Resource section of executables |
| signature | Signature | | Digital signature information for OSes supporting signed executables |
| os | OperatingSystem | | Operating system and architecture on which the file was encountered |
| st_ino | uint64 | | Inode number. File status (stat) related attributes; interestingly, they may also be collected on Windows, backed by the POSIX subsystem |
| st_mode | uint32 | | File type and mode |
| st_nlink | uint32 | | Number of hard links |
| st_uid | uint32 | | User ID of owner |
| st_gid | uint32 | | Group ID of owner |
| pivot | string | | Primary hunting pivot point of the data for grouping |
FileInfo.Hash
Specifies the hash algorithms used to hash some data; each field holds the digest produced by that algorithm
| Field | Type | Label | Description |
|---|---|---|---|
| md5 | string | | |
| sha1 | string | | |
| sha256 | string | | |
| sha512 | string | | |
Signature
Digital signature information for Windows executables
| Field | Type | Label | Description |
|---|---|---|---|
| valid | bool | | |
| hash | string | | |
| program_name | string | | |
| publisher_link | string | | |
| more_info_link | string | | |
| serial_number | string | | |
| issuer_name | string | | |
| subject_name | string | | |
VersionInfo
For Windows files, version info resides in the Resource section and is optionally filled in
| Field | Type | Label | Description |
|---|---|---|---|
| file_description | string | | |
| company_name | string | | |
| product_name | string | | |
| product_version | string | | |
| file_version | string | | |
| comments | string | | |
| legal_copyright | string | | |
| internal_name | string | | |
| original_file_name | string | | |
| language | uint32 | | |
| codepage | uint32 | | |
FileInfo.FileType
| Name | Number | Description |
|---|---|---|
| UNKNOWN | 0 | Unused but required for proto3 |
| REG | 1 | Regular file |
| DIR | 2 | Directory |
| LINK | 3 | Symbolic link |
| WIN_FILE_TYPE_DISK | 101 | The specified Windows file is a disk file. (Inspector uses the values from WinBase.h, which collide with the values above, so they are converted.) |
| WIN_FILE_TYPE_CHAR | 102 | The specified Windows file is a character file, typically an LPT device or a console |
| WIN_FILE_TYPE_PIPE | 103 | The specified Windows file is a socket, a named pipe, or an anonymous pipe |
PathContext
Windows path context refers to whether something is being redirected via WOW64: [File System Redirector](https://docs.microsoft.com/en-us/windows/desktop/winprog64/file-system-redirector)
| Name | Number | Description |
|---|---|---|
| PATH_UNUSED | 0 | |
| PATH_32 | 32 | |
| PATH_64 | 64 | |
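The following is an added example, not code from this schema page or from XDR itself: a small normalizer that maps a constructed sensor file event onto the FileInfo fields above, applying the WinBase.h FILE_TYPE offset described under FileInfo.FileType and the WOW64 redirection context under PathContext, and populating a field only when its source exists in the original data. The input event layout (`evt` keys), the helper names and the SysWOW64/System32 heuristic are assumptions made for illustration; the enum numbers come from the schema.

```python
import stat
from pathlib import PurePosixPath, PureWindowsPath

# Enum numbers as defined in the schema tables above.
FILE_TYPE = {"UNKNOWN": 0, "REG": 1, "DIR": 2, "LINK": 3,
             "WIN_FILE_TYPE_DISK": 101, "WIN_FILE_TYPE_CHAR": 102,
             "WIN_FILE_TYPE_PIPE": 103}
PATH_CONTEXT = {"PATH_UNUSED": 0, "PATH_32": 32, "PATH_64": 64}

def win_file_type(winbase_value):
    """WinBase.h FILE_TYPE_DISK/CHAR/PIPE are 1/2/3 and collide with
    REG/DIR/LINK, so the schema stores them offset by 100."""
    mapped = winbase_value + 100
    return mapped if mapped in FILE_TYPE.values() else FILE_TYPE["UNKNOWN"]

def posix_file_type(st_mode):
    """Map a POSIX st_mode onto the REG/DIR/LINK values."""
    if stat.S_ISLNK(st_mode):
        return FILE_TYPE["LINK"]
    if stat.S_ISDIR(st_mode):
        return FILE_TYPE["DIR"]
    return FILE_TYPE["REG"] if stat.S_ISREG(st_mode) else FILE_TYPE["UNKNOWN"]

def win_path_context(path):
    """Assumed heuristic: SysWOW64 is the WOW64-redirected 32-bit view of
    the system directory and System32 the native 64-bit one."""
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    if "syswow64" in parts:
        return PATH_CONTEXT["PATH_32"]
    return PATH_CONTEXT["PATH_64"] if "system32" in parts else PATH_CONTEXT["PATH_UNUSED"]

def normalize(evt):
    """Build a FileInfo-like dict from a constructed sensor event; a field is
    set only when the sensor supplied its source (see the Note above)."""
    win = evt["os"] == "windows"
    p = PureWindowsPath(evt["path"]) if win else PurePosixPath(evt["path"])
    info = {"path": evt["path"], "basename": p.name,
            "event_time_usec": evt["time_sec"] * 1_000_000}
    if win and "win_file_type" in evt:
        info["type"] = win_file_type(evt["win_file_type"])
        info["path_context"] = win_path_context(evt["path"])
    elif "st_mode" in evt:
        info["type"] = posix_file_type(evt["st_mode"])
    # Prefer file_hash.sha1; fall back to the deprecated raw sha1_hash bytes.
    if "sha1" in evt:
        info["file_hash"] = {"sha1": evt["sha1"]}
    elif "sha1_hash" in evt:
        info["file_hash"] = {"sha1": evt["sha1_hash"].hex()}
    return info
```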