Class: File
The File object represents the metadata associated with a file stored in a
computer system. It encompasses information about the file itself, including
its attributes, properties, and organizational details.
URI: ocsf:File
classDiagram
class File
click File href "../File/"
DataClassificationProfile <|-- File
click DataClassificationProfile href "../DataClassificationProfile/"
Entity <|-- File
click Entity href "../Entity/"
File : accessed_time
File : accessor
File --> "0..1" User : accessor
click User href "../User/"
File : attributes
File : company_name
File : confidentiality
File : confidentiality_id
File --> "0..1" ConfidentialityIdEnum : confidentiality_id
click ConfidentialityIdEnum href "../ConfidentialityIdEnum/"
File : created_time
File : creator
File --> "0..1" User : creator
click User href "../User/"
File : data_classification
File --> "0..1 _recommended_" DataClassification : data_classification
click DataClassification href "../DataClassification/"
File : data_classifications
File --> "* _recommended_" DataClassification : data_classifications
click DataClassification href "../DataClassification/"
File : desc
File : drive_type
File : drive_type_id
File --> "0..1" DriveTypeIdEnum : drive_type_id
click DriveTypeIdEnum href "../DriveTypeIdEnum/"
File : encryption_details
File --> "0..1" EncryptionDetails : encryption_details
click EncryptionDetails href "../EncryptionDetails/"
File : ext
File : hashes
File --> "* _recommended_" Fingerprint : hashes
click Fingerprint href "../Fingerprint/"
File : imported_symbols
File : internal_name
File : is_deleted
File : is_encrypted
File : is_public
File : is_readonly
File : is_system
File : mime_type
File : modified_time
File : modifier
File --> "0..1" User : modifier
click User href "../User/"
File : name
File : owner
File --> "0..1" User : owner
click User href "../User/"
File : parent_folder
File : path
File : product
File --> "0..1" Product : product
click Product href "../Product/"
File : security_descriptor
File : signature
File --> "0..1" DigitalSignature : signature
click DigitalSignature href "../DigitalSignature/"
File : signatures
File --> "*" DigitalSignature : signatures
click DigitalSignature href "../DigitalSignature/"
File : size
File : storage_class
File : tags
File --> "*" KeyValueObject : tags
click KeyValueObject href "../KeyValueObject/"
File : type
File : type_id
File --> "1" FileTypeIdEnum : type_id
click FileTypeIdEnum href "../FileTypeIdEnum/"
File : uid
File : uri
File : url
File --> "0..1" Url : url
click Url href "../Url/"
File : version
File : volume
File : xattributes
File --> "0..1" Object : xattributes
click Object href "../Object/"
Inheritance
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| accessed_time | 0..1 TimestampT | The time when the file was last accessed | direct |
| accessor | 0..1 User | The name of the user who last accessed the object | direct |
| attributes | 0..1 Integer | The bitmask value that represents the file attributes | direct |
| company_name | 0..1 String | The name of the company that published the file | direct |
| confidentiality | 0..1 String | The file content confidentiality, normalized to the confidentiality_id value | direct |
| confidentiality_id | 0..1 ConfidentialityIdEnum | The normalized identifier of the file content confidentiality indicator | direct |
| created_time | 0..1 TimestampT | The time when the file was created | direct |
| creator | 0..1 User | The user that created the file | direct |
| desc | 0..1 String | The description of the file, as returned by file system | direct |
| drive_type | 0..1 String | The drive type, normalized to the caption of the drive_type_id value | direct |
| drive_type_id | 0..1 DriveTypeIdEnum | Identifies the type of a disk drive, i.e. fixed, removable, etc. | direct |
| encryption_details | 0..1 EncryptionDetails | The encryption details of the file | direct |
| ext | 0..1 recommended String | The extension of the file, excluding the leading dot | direct |
| hashes | * recommended Fingerprint | An array of hash attributes | direct |
| imported_symbols | * String | A list of symbols imported by the executable file | direct |
| internal_name | 0..1 String | The name of the file as identified within the file itself | direct |
| is_deleted | 0..1 Boolean | Indicates if the file was deleted from the filesystem | direct |
| is_encrypted | 0..1 Boolean | Indicates if the file is encrypted | direct |
| is_public | 0..1 Boolean | Indicates if the file is publicly accessible | direct |
| is_readonly | 0..1 Boolean | Indicates that the file cannot be modified | direct |
| is_system | 0..1 Boolean | The indication of whether the object is part of the operating system | direct |
| mime_type | 0..1 String | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable | direct |
| modified_time | 0..1 TimestampT | The time when the file was last modified | direct |
| modifier | 0..1 User | The user that last modified the file | direct |
| name | 1 recommended String | The name of the file | direct |
| owner | 0..1 User | The user that owns the file/object | direct |
| parent_folder | 0..1 String | The parent folder in which the file resides | direct |
| path | 0..1 recommended String | The full path to the file | direct |
| product | 0..1 Product | The product that created or installed the file | direct |
| security_descriptor | 0..1 String | The object security descriptor | direct |
| signature | 0..1 DigitalSignature | The digital signature of the file | direct |
| signatures | * DigitalSignature | A collection of Digital Signature objects | direct |
| size | 0..1 Integer | The size of data, in bytes | direct |
| storage_class | 0..1 String | The storage class of the file | direct |
| tags | * KeyValueObject | The list of tags; {key:value} pairs associated to the file | direct |
| type | 0..1 String | The file type | direct |
| type_id | 1 FileTypeIdEnum | The file type ID | direct |
| uid | 0..1 recommended String | The unique identifier of the file as defined by the storage system, such as the file system file ID | direct |
| uri | 0..1 UrlT | The file URI, such as those reported by static analysis tools | direct |
| url | 0..1 Url | The URL of the file, when applicable | direct |
| version | 0..1 String | The file version | direct |
| volume | 0..1 String | The volume on the storage device where the file is located | direct |
| xattributes | 0..1 Object | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute | direct |
| data_classification | 0..1 recommended DataClassification | The Data Classification object includes information about data classification levels and data category types | DataClassificationProfile |
| data_classifications | * recommended DataClassification | A list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier | DataClassificationProfile |
Usages
In Subsets
Aliases
- File
See Also
Notes
- D3FEND™ Ontology d3f:File — https://next.d3fend.mitre.org/dao/artifact/d3f:File/
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| observable_id | 24 |
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:File |
| native | ocsf:File |
| exact | stix:File, uco_master:File |
LinkML Source
Direct
name: File
annotations:
observable_id:
tag: observable_id
value: 24
description: 'The File object represents the metadata associated with a file stored
in a
computer system. It encompasses information about the file itself, including
its attributes, properties, and organizational details.'
notes:
- 'D3FEND™ Ontology d3f:File —
https://next.d3fend.mitre.org/dao/artifact/d3f:File/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://next.d3fend.mitre.org/dao/artifact/d3f:File/
aliases:
- File
exact_mappings:
- stix:File
- uco_master:File
is_a: Entity
mixins:
- DataClassificationProfile
slots:
- accessed_time
- accessor
- attributes
- company_name
- confidentiality
- confidentiality_id
- created_time
- creator
- desc
- drive_type
- drive_type_id
- encryption_details
- ext
- hashes
- imported_symbols
- internal_name
- is_deleted
- is_encrypted
- is_public
- is_readonly
- is_system
- mime_type
- modified_time
- modifier
- name
- owner
- parent_folder
- path
- product
- security_descriptor
- signature
- signatures
- size
- storage_class
- tags
- type
- type_id
- uid
- uri
- url
- version
- volume
- xattributes
slot_usage:
created_time:
name: created_time
description: The time when the file was created.
creator:
name: creator
description: The user that created the file.
desc:
name: desc
description: 'The description of the file, as returned by file system. For example:
the
description as returned by the Unix file command or the Windows file type.'
encryption_details:
name: encryption_details
description: 'The encryption details of the file. Should be populated if the file
is
encrypted.'
ext:
name: ext
description: 'The extension of the file, excluding the leading dot. For example:
<code>exe</code> from <code>svchost.exe</code>, or <code>gz</code> from
<code>export.tar.gz</code>.'
recommended: true
hashes:
name: hashes
recommended: true
internal_name:
name: internal_name
description: 'The name of the file as identified within the file itself. This
contrasts with
the name by which the file is known on disk. Where available, the internal name
is widely used by security practitioners and detection content because the
on-disk file name is not reliable. On the Windows OS, most PE files contain
a
<a
href="https://learn.microsoft.com/en-us/windows/win32/menurc/versioninfo-resource">VERSIONINFO</a>
resource from which the internal name can be obtained. On macOS, binaries can
optionally embed a copy of the application''s Info.plist file which in turn
contains the name of the executable.'
is_deleted:
name: is_deleted
description: Indicates if the file was deleted from the filesystem.
is_encrypted:
name: is_encrypted
description: Indicates if the file is encrypted.
is_public:
name: is_public
description: 'Indicates if the file is publicly accessible. For example in an
object''s public
access in AWS S3'
is_readonly:
name: is_readonly
description: Indicates that the file cannot be modified.
modified_time:
name: modified_time
description: The time when the file was last modified.
modifier:
name: modifier
description: The user that last modified the file.
name:
name: name
description: 'The name of the file. For example: <code>svchost.exe</code>'
required: true
path:
name: path
description: 'The full path to the file. For example:
<code>c:\windows\system32\svchost.exe</code>.'
recommended: true
product:
name: product
description: The product that created or installed the file.
signature:
name: signature
deprecated: Use the <code>signatures</code> attribute.
storage_class:
name: storage_class
description: 'The storage class of the file. For example in AWS S3: <code>STANDARD,
STANDARD_IA, GLACIER</code>.'
tags:
name: tags
description: The list of tags; <code>{key:value}</code> pairs associated to the
file.
type:
name: type
description: The file type.
type_id:
name: type_id
description: 'The file type ID. Note the distinction between a <code>Regular File</code>
and
an <code>Executable File</code>. If the distinction is not known, or not
indicated by the log, use <code>Regular File</code>. In this case, it should
not be assumed that a Regular File is not executable.'
range: FileTypeIdEnum
required: true
uid:
name: uid
description: 'The unique identifier of the file as defined by the storage system,
such the
file system file ID.'
uri:
name: uri
description: 'The file URI, such as those reporting by static analysis tools.
E.g.,
<code>file:///C:/dev/sarif/sarif-tutorials/samples/Introduction/simple-example.js</code>'
url:
name: url
description: The URL of the file, when applicable.
version:
name: version
description: 'The file version. For example: <code>8.0.7601.17514</code>.'
volume:
name: volume
description: The volume on the storage device where the file is located.
Induced
name: File
annotations:
observable_id:
tag: observable_id
value: 24
description: 'The File object represents the metadata associated with a file stored
in a
computer system. It encompasses information about the file itself, including
its attributes, properties, and organizational details.'
notes:
- 'D3FEND™ Ontology d3f:File —
https://next.d3fend.mitre.org/dao/artifact/d3f:File/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://next.d3fend.mitre.org/dao/artifact/d3f:File/
aliases:
- File
exact_mappings:
- stix:File
- uco_master:File
is_a: Entity
mixins:
- DataClassificationProfile
slot_usage:
created_time:
name: created_time
description: The time when the file was created.
creator:
name: creator
description: The user that created the file.
desc:
name: desc
description: 'The description of the file, as returned by file system. For example:
the
description as returned by the Unix file command or the Windows file type.'
encryption_details:
name: encryption_details
description: 'The encryption details of the file. Should be populated if the file
is
encrypted.'
ext:
name: ext
description: 'The extension of the file, excluding the leading dot. For example:
<code>exe</code> from <code>svchost.exe</code>, or <code>gz</code> from
<code>export.tar.gz</code>.'
recommended: true
hashes:
name: hashes
recommended: true
internal_name:
name: internal_name
description: 'The name of the file as identified within the file itself. This
contrasts with
the name by which the file is known on disk. Where available, the internal name
is widely used by security practitioners and detection content because the
on-disk file name is not reliable. On the Windows OS, most PE files contain
a
<a
href="https://learn.microsoft.com/en-us/windows/win32/menurc/versioninfo-resource">VERSIONINFO</a>
resource from which the internal name can be obtained. On macOS, binaries can
optionally embed a copy of the application''s Info.plist file which in turn
contains the name of the executable.'
is_deleted:
name: is_deleted
description: Indicates if the file was deleted from the filesystem.
is_encrypted:
name: is_encrypted
description: Indicates if the file is encrypted.
is_public:
name: is_public
description: 'Indicates if the file is publicly accessible. For example in an
object''s public
access in AWS S3'
is_readonly:
name: is_readonly
description: Indicates that the file cannot be modified.
modified_time:
name: modified_time
description: The time when the file was last modified.
modifier:
name: modifier
description: The user that last modified the file.
name:
name: name
description: 'The name of the file. For example: <code>svchost.exe</code>'
required: true
path:
name: path
description: 'The full path to the file. For example:
<code>c:\windows\system32\svchost.exe</code>.'
recommended: true
product:
name: product
description: The product that created or installed the file.
signature:
name: signature
deprecated: Use the <code>signatures</code> attribute.
storage_class:
name: storage_class
description: 'The storage class of the file. For example in AWS S3: <code>STANDARD,
STANDARD_IA, GLACIER</code>.'
tags:
name: tags
description: The list of tags; <code>{key:value}</code> pairs associated to the
file.
type:
name: type
description: The file type.
type_id:
name: type_id
description: 'The file type ID. Note the distinction between a <code>Regular File</code>
and
an <code>Executable File</code>. If the distinction is not known, or not
indicated by the log, use <code>Regular File</code>. In this case, it should
not be assumed that a Regular File is not executable.'
range: FileTypeIdEnum
required: true
uid:
name: uid
description: 'The unique identifier of the file as defined by the storage system,
such the
file system file ID.'
uri:
name: uri
description: 'The file URI, such as those reporting by static analysis tools.
E.g.,
<code>file:///C:/dev/sarif/sarif-tutorials/samples/Introduction/simple-example.js</code>'
url:
name: url
description: The URL of the file, when applicable.
version:
name: version
description: 'The file version. For example: <code>8.0.7601.17514</code>.'
volume:
name: volume
description: The volume on the storage device where the file is located.
attributes:
accessed_time:
name: accessed_time
description: The time when the file was last accessed.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Accessed Time
rank: 1000
alias: accessed_time
owner: File
domain_of:
- File
range: TimestampT
accessor:
name: accessor
description: The name of the user who last accessed the object.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Accessor
rank: 1000
alias: accessor
owner: File
domain_of:
- File
range: User
attributes:
name: attributes
description: The bitmask value that represents the file attributes.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Attributes
rank: 1000
alias: attributes
owner: File
domain_of:
- File
range: integer
company_name:
name: company_name
description: 'The name of the company that published the file. For example: <code>Microsoft
Corporation</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Company Name
rank: 1000
alias: company_name
owner: File
domain_of:
- File
range: string
confidentiality:
name: confidentiality
description: 'The file content confidentiality, normalized to the confidentiality_id
value.
In the case of ''Other'', it is defined by the event source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Confidentiality
rank: 1000
alias: confidentiality
owner: File
domain_of:
- DataClassification
- File
range: string
confidentiality_id:
name: confidentiality_id
annotations:
sibling:
tag: sibling
value: confidentiality
description: The normalized identifier of the file content confidentiality indicator.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Confidentiality ID
rank: 1000
alias: confidentiality_id
owner: File
domain_of:
- DataClassification
- File
range: ConfidentialityIdEnum
created_time:
name: created_time
description: The time when the file was created.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Created Time
rank: 1000
alias: created_time
owner: File
domain_of:
- Osint
- RelatedEvent
- Sbom
- Scim
- Session
- Sso
- Token
- Whois
- Resource
- Advisory
- AuthenticationToken
- Certificate
- Cve
- Database
- Databucket
- DigitalSignature
- Enrichment
- Epss
- File
- FindingObject
- FindingInfo
- Job
- KbArticle
- LdapPerson
- ProcessEntity
- Table
- Device
range: TimestampT
creator:
name: creator
description: The user that created the file.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Creator
rank: 1000
alias: creator
owner: File
domain_of:
- Osint
- File
range: User
desc:
name: desc
description: 'The description of the file, as returned by file system. For example:
the
description as returned by the Unix file command or the Windows file type.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Description
rank: 1000
alias: desc
owner: File
domain_of:
- Osint
- RelatedEvent
- Remediation
- Vulnerability
- Advisory
- Analytic
- ApplicationObject
- Assessment
- Check
- CisBenchmark
- CisBenchmarkResult
- CisControl
- Compliance
- Cve
- Database
- Databucket
- Enrichment
- File
- FindingObject
- FindingInfo
- Graph
- Group
- Job
- Location
- Node
- Policy
- Rule
- Table
- WebResource
- Device
- IncidentFinding
range: string
drive_type:
name: drive_type
description: 'The drive type, normalized to the caption of the <code>drive_type_id</code>
value. In the case of <code>Other</code>, it is defined by the source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Drive Type
rank: 1000
alias: drive_type
owner: File
domain_of:
- File
range: string
drive_type_id:
name: drive_type_id
annotations:
sibling:
tag: sibling
value: drive_type
description: Identifies the type of a disk drive, i.e. fixed, removable, etc.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Drive Type ID
rank: 1000
alias: drive_type_id
owner: File
domain_of:
- File
range: DriveTypeIdEnum
encryption_details:
name: encryption_details
description: 'The encryption details of the file. Should be populated if the file
is
encrypted.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Encryption Details
rank: 1000
alias: encryption_details
owner: File
domain_of:
- AuthenticationToken
- Databucket
- File
range: EncryptionDetails
ext:
name: ext
description: 'The extension of the file, excluding the leading dot. For example:
<code>exe</code> from <code>svchost.exe</code>, or <code>gz</code> from
<code>export.tar.gz</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Extension
rank: 1000
alias: ext
owner: File
domain_of:
- File
range: string
recommended: true
hashes:
name: hashes
description: An array of hash attributes.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Hashes
rank: 1000
alias: hashes
owner: File
domain_of:
- Script
- File
range: Fingerprint
recommended: true
multivalued: true
imported_symbols:
name: imported_symbols
description: A list of symbols imported by the executable file.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Imported Symbols
rank: 1000
alias: imported_symbols
owner: File
domain_of:
- File
range: string
multivalued: true
internal_name:
name: internal_name
description: 'The name of the file as identified within the file itself. This
contrasts with
the name by which the file is known on disk. Where available, the internal name
is widely used by security practitioners and detection content because the
on-disk file name is not reliable. On the Windows OS, most PE files contain
a
<a
href="https://learn.microsoft.com/en-us/windows/win32/menurc/versioninfo-resource">VERSIONINFO</a>
resource from which the internal name can be obtained. On macOS, binaries can
optionally embed a copy of the application''s Info.plist file which in turn
contains the name of the executable.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Internal Name
rank: 1000
alias: internal_name
owner: File
domain_of:
- File
range: string
is_deleted:
name: is_deleted
description: Indicates if the file was deleted from the filesystem.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Deleted
rank: 1000
alias: is_deleted
owner: File
domain_of:
- File
range: boolean
is_encrypted:
name: is_encrypted
description: Indicates if the file is encrypted.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Encrypted
rank: 1000
alias: is_encrypted
owner: File
domain_of:
- Databucket
- File
range: boolean
is_public:
name: is_public
description: 'Indicates if the file is publicly accessible. For example in an
object''s public
access in AWS S3'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Public
rank: 1000
alias: is_public
owner: File
domain_of:
- Databucket
- File
range: boolean
is_readonly:
name: is_readonly
description: Indicates that the file cannot be modified.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Read-Only
rank: 1000
alias: is_readonly
owner: File
domain_of:
- File
range: boolean
is_system:
name: is_system
description: The indication of whether the object is part of the operating system.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- System
rank: 1000
alias: is_system
owner: File
domain_of:
- File
- Kernel
- RegKey
- RegValue
range: boolean
mime_type:
name: mime_type
description: 'The Multipurpose Internet Mail Extensions (MIME) type of the file,
if
applicable.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- MIME type
rank: 1000
alias: mime_type
owner: File
domain_of:
- File
range: string
modified_time:
name: modified_time
description: The time when the file was last modified.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Modified Time
rank: 1000
alias: modified_time
owner: File
domain_of:
- Osint
- RelatedEvent
- Scim
- Sso
- Token
- Resource
- Advisory
- Cve
- Database
- Databucket
- File
- FindingObject
- FindingInfo
- LdapPerson
- Metadata
- Table
- Device
- RegKey
- RegValue
range: TimestampT
modifier:
name: modifier
description: The user that last modified the file.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Modifier
rank: 1000
alias: modifier
owner: File
domain_of:
- File
range: User
name:
name: name
description: 'The name of the file. For example: <code>svchost.exe</code>'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Name
rank: 1000
alias: name
owner: File
domain_of:
- AnalysisTarget
- Observable
- Os
- Osint
- Package
- Parameter
- PrivilegeInfo
- San
- Scim
- Script
- ServicePrivilegeAnalysis
- SoftwareComponent
- Sso
- StartupItem
- ThreatActor
- Token
- Entity
- Resource
- Account
- Agent
- AiModel
- Aircraft
- Analytic
- ApplicationObject
- Assessment
- AutonomousSystem
- Campaign
- Check
- CisBenchmark
- CisBenchmarkResult
- CisControl
- ClassifierDetails
- Container
- D3fTactic
- D3fTechnique
- Database
- Databucket
- DomainContact
- Edge
- Endpoint
- Enrichment
- EnvironmentVariable
- Evidences
- Extension
- Feature
- File
- Graph
- Group
- HttpCookie
- HttpHeader
- Idp
- Image
- Job
- Kernel
- KeyValueObject
- LoadBalancer
- Logger
- Malware
- ManagedEntity
- MessageContext
- Metric
- Mitigation
- NetworkInterface
- Node
- Organization
- PeripheralDevice
- Policy
- ProcessEntity
- Product
- QueryInfo
- Reporter
- ResourceDetails
- Rule
- Scan
- Service
- SubTechnique
- Table
- Tactic
- Technique
- Trait
- TransformationInfo
- UnmannedAerialSystem
- User
- WebResource
- Device
- FtpActivity
- RegValue
- WinResource
- WinService
- PrefetchQuery
range: string
required: true
recommended: true
owner:
name: owner
description: The user that owns the file/object.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Owner
rank: 1000
alias: owner
owner: File
domain_of:
- AffectedCode
- ApplicationObject
- Databucket
- Endpoint
- File
- ResourceDetails
range: User
parent_folder:
name: parent_folder
description: 'The parent folder in which the file resides. For example:
<code>c:\windows\system32</code>'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Parent Folder
rank: 1000
alias: parent_folder
owner: File
domain_of:
- File
range: string
path:
name: path
description: 'The full path to the file. For example:
<code>c:\windows\system32\svchost.exe</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Path
rank: 1000
alias: path
owner: File
domain_of:
- Url
- AffectedPackage
- File
- HttpCookie
- Image
- Kernel
- Malware
- ProcessEntity
- Product
- RegKey
- RegValue
range: string
recommended: true
product:
name: product
description: The product that created or installed the file.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Product
rank: 1000
alias: product
owner: File
domain_of:
- RelatedEvent
- Sbom
- Advisory
- Cve
- File
- FindingObject
- FindingInfo
- KbArticle
- Logger
- Metadata
- TransformationInfo
- SoftwareInfo
range: Product
security_descriptor:
name: security_descriptor
description: The object security descriptor.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Security Descriptor
rank: 1000
alias: security_descriptor
owner: File
domain_of:
- File
- RegKey
range: string
signature:
name: signature
description: The digital signature of the file.
deprecated: Use the <code>signatures</code> attribute.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Digital Signature
rank: 1000
alias: signature
owner: File
domain_of:
- File
range: DigitalSignature
signatures:
name: signatures
description: A collection of <code>Digital Signature</code> objects.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Digital Signatures
rank: 1000
alias: signatures
owner: File
domain_of:
- Osint
- File
range: DigitalSignature
multivalued: true
size:
name: size
description: The size of data, in bytes.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Size
rank: 1000
alias: size
owner: File
domain_of:
- Advisory
- Container
- DataClassification
- Database
- Databucket
- Email
- File
- KbArticle
- Table
- MalwareScanInfo
- MemoryActivity
range: integer
storage_class:
name: storage_class
description: 'The storage class of the file. For example in AWS S3: <code>STANDARD,
STANDARD_IA, GLACIER</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Storage Class
rank: 1000
alias: storage_class
owner: File
domain_of:
- File
range: string
tags:
name: tags
description: The list of tags; <code>{key:value}</code> pairs associated to the
file.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Tags
rank: 1000
alias: tags
owner: File
domain_of:
- RelatedEvent
- Resource
- Account
- ApplicationObject
- Container
- File
- FindingInfo
- Image
- LdapPerson
- Metadata
- Service
range: KeyValueObject
multivalued: true
type:
name: type
description: The file type.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Type
rank: 1000
alias: type
owner: File
domain_of:
- AnalysisTarget
- Observable
- Os
- Osint
- Package
- PrivilegeInfo
- ProgrammaticCredential
- RelatedEvent
- San
- Sbom
- Script
- SoftwareComponent
- StartupItem
- ThreatActor
- Ticket
- Timespan
- TlsExtension
- Token
- Dns
- Resource
- Account
- Agent
- Analytic
- ApplicationObject
- AuthenticationToken
- ClassifierDetails
- Cve
- Database
- Databucket
- DiscoveryDetails
- DnsAnswer
- DomainContact
- EncryptionDetails
- Endpoint
- Enrichment
- File
- Graph
- Group
- Ja4Fingerprint
- Kernel
- ManagedEntity
- Metadata
- Module
- NetworkEndpoint
- NetworkInterface
- Node
- PeripheralDevice
- Policy
- Rule
- Scan
- Trait
- UnmannedAerialSystem
- UnmannedSystemOperatingArea
- User
- WebResource
- Device
- DatastoreActivity
- FtpActivity
- RegValue
- WinResource
range: string
type_id:
name: type_id
annotations:
sibling:
tag: sibling
value: type
description: 'The file type ID. Note the distinction between a <code>Regular File</code>
and
an <code>Executable File</code>. If the distinction is not known, or not
indicated by the log, use <code>Regular File</code>. In this case, it should
not be assumed that a Regular File is not executable.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Type ID
rank: 1000
alias: type_id
owner: File
domain_of:
- Observable
- Os
- Osint
- Package
- PrivilegeInfo
- Sbom
- Script
- SoftwareComponent
- StartupItem
- ThreatActor
- Ticket
- Timespan
- TlsExtension
- Token
- Account
- Agent
- Analytic
- AuthenticationToken
- Database
- Databucket
- DomainContact
- Endpoint
- File
- Ja4Fingerprint
- Kernel
- ManagedEntity
- NetworkEndpoint
- NetworkInterface
- PeripheralDevice
- Scan
- UnmannedAerialSystem
- UnmannedSystemOperatingArea
- User
- Device
- DatastoreActivity
- RegValue
- WinResource
range: FileTypeIdEnum
required: true
uid:
name: uid
description: 'The unique identifier of the file as defined by the storage system,
such the
file system file ID.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Unique ID
rank: 1000
alias: uid
owner: File
domain_of:
- Osint
- Package
- ProgrammaticCredential
- RelatedEvent
- Request
- Sbom
- Scim
- Script
- Session
- Span
- Sso
- Ticket
- Token
- Trace
- Entity
- Resource
- Account
- Advisory
- Agent
- AiModel
- Aircraft
- Analytic
- ApplicationObject
- Assessment
- Certificate
- Check
- ClassifierDetails
- Container
- Cve
- Cwe
- D3fTactic
- D3fTechnique
- DataClassification
- Database
- Databucket
- DomainContact
- Edge
- Email
- Endpoint
- Evidences
- Extension
- Feature
- File
- FindingObject
- FindingInfo
- Graph
- Group
- HttpRequest
- Idp
- Image
- KbArticle
- LoadBalancer
- Logger
- Malware
- ManagedEntity
- MessageContext
- Metadata
- Mitigation
- NetworkConnectionInfo
- NetworkEndpoint
- NetworkInterface
- Node
- Organization
- PeripheralDevice
- Policy
- ProcessEntity
- Product
- QueryInfo
- Reporter
- Rule
- Scan
- Service
- SubTechnique
- Table
- Tactic
- Technique
- Trait
- TransformationInfo
- UnmannedAerialSystem
- User
- WebResource
- Device
- WinResource
range: string
recommended: true
uri:
name: uri
description: 'The file URI, such as those reporting by static analysis tools.
E.g.,
<code>file:///C:/dev/sarif/sarif-tutorials/samples/Introduction/simple-example.js</code>'
notes:
- RFC 3986 — https://datatracker.ietf.org/doc/html/rfc3986
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://datatracker.ietf.org/doc/html/rfc3986
aliases:
- URI
rank: 1000
alias: uri
owner: File
domain_of:
- File
range: UrlT
url:
name: url
description: The URL of the file, when applicable.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- URL
rank: 1000
alias: url
owner: File
domain_of:
- ApplicationObject
- Evidences
- File
- HttpRequest
- EmailUrlActivity
- NetworkActivity
range: Url
version:
name: version
description: 'The file version. For example: <code>8.0.7601.17514</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Version
rank: 1000
alias: version
owner: File
domain_of:
- Os
- Package
- RpcInterface
- Sbom
- Scim
- SoftwareComponent
- Tls
- Agent
- AiModel
- Analytic
- Api
- ApplicationObject
- Attack
- Certificate
- Check
- CisControl
- CisCsc
- Cvss
- D3fend
- Databucket
- Epss
- Extension
- Feature
- File
- HttpRequest
- Logger
- ManagedEntity
- Metadata
- Policy
- Product
- ResourceDetails
- Rule
- Service
- NtpActivity
range: string
volume:
name: volume
description: The volume on the storage device where the file is located.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Volume
rank: 1000
alias: volume
owner: File
domain_of:
- File
range: string
xattributes:
name: xattributes
description: 'An unordered collection of zero or more name/value pairs where each
pair
represents a file or folder extended attribute.</p>For example: Windows
alternate data stream attributes (ADS stream name, ADS size, etc.),
user-defined or application-defined attributes, ACL, owner, primary group, etc.
Examples from DCS:
</p><ul><li><strong>ads_name</strong></li><li><strong>ads_size</strong></li><li><strong>dacl</strong></li><li><strong>owner</strong></li><li><strong>primary_group</strong></li><li><strong>link_name</strong>
- name of the link associated to the
file.</li><li><strong>hard_link_count</strong> - the number of links that are
associated to the file.</li></ul>'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Extended Attributes
rank: 1000
alias: xattributes
owner: File
domain_of:
- File
- Process
range: Object
data_classification:
name: data_classification
annotations:
group:
tag: group
value: context
description: 'The Data Classification object includes information about data classification
levels and data category types.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Data Classification
rank: 1000
alias: data_classification
owner: File
domain_of:
- DataClassificationProfile
range: DataClassification
recommended: true
data_classifications:
name: data_classifications
annotations:
group:
tag: group
value: context
description: 'A list of Data Classification objects, that include information
about data
classification levels and data category types, identified by a classifier.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Data Classification
rank: 1000
alias: data_classifications
owner: File
domain_of:
- DataClassificationProfile
range: DataClassification
recommended: true
multivalued: true