FileInfo Schema
file.proto
Command
Command holds a command and its execution context
Field | Type | Label | Description |
---|---|---|---|
args | string | repeated | List of command arguments. |
host_program | FileInfo | | |
program | FileInfo | | |
path_context | PathContext | | |
FileInfo
Field | Type | Label | Description |
---|---|---|---|
resource_id | string | | Full resource string identifying the record |
tenant_id | string | | The ID of the tenant that owns this record (CTPX-specific ID) |
visibility | Visibility | | Constraints on visibility of the record |
normalizer | string | | Name and version of the normalizer that created this record |
sensor_type | string | | Ex: redcloak |
sensor_event_id | string | | Event ID of original_data assigned by the sensor |
sensor_tenant | string | | Ex: redcloak-domain, ctp-client-id |
sensor_id | string | | Ex: redcloak-agent-id |
sensor_cpe | string | | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
original_data | string | | Original, unadulterated data prior to any transformation |
event_time_usec | uint64 | | Event time in microseconds (µs) |
ingest_time_usec | uint64 | | Ingest time in microseconds (µs) |
event_time_fidelity | TimeFidelity | | Specifies the original precision of the time used to populate event_time_usec |
host_id | string | | Host ID; uniquely identifies the host where the event originated, e.g. an IPv4/IPv6 address or a device MAC address |
path | string | | The full pathname of the file |
type | FileInfo.FileType | | The type of file. See FileInfo.FileType |
size | uint64 | | File size in bytes |
sha1_hash | bytes | | Deprecated. SHA-1 hash of the file contents; use file_hash.sha1 instead |
create_time_usec | uint64 | | Time in microseconds (µs) at which the file was created |
access_time_usec | uint64 | | Time in microseconds (µs) at which the file was last accessed (opened) |
mod_time_usec | uint64 | | Time in microseconds (µs) at which the file was last modified |
attributes | string | | String representation of file attributes such as type, permissions, etc., based on the underlying filesystem |
file_hash | FileInfo.Hash | | Hashes of the file contents |
path_context | PathContext | | Indicates whether the underlying Windows DLL path was redirected based on the OS bitness (32-bit vs. 64-bit) |
user_path | bool | | Deprecated. TODO |
basename | string | | Just the filename without the leading directory path |
native_path | string | | For Windows, the native system directory used to access the DLL |
acl | string | repeated | Repeated to account for getfacl/setfacl output on POSIX if we want it in the future |
version_info | VersionInfo | | For Windows files, version info resides in the Resource section of executables |
signature | Signature | | Digital signature information for OSes supporting signed executables |
os | OperatingSystem | | Operating system and architecture on which the file was encountered |
st_ino | uint64 | | Inode number. The st_* fields are file status (stat) related attributes; interestingly, they may also be collected on Windows, backed by the POSIX subsystem |
st_mode | uint32 | | File type and mode |
st_nlink | uint32 | | Number of hard links |
st_uid | uint32 | | User ID of owner |
st_gid | uint32 | | Group ID of owner |
pivot | string | | Primary hunting pivot point of the data for grouping |
FileInfo.Hash
Specifies the hash digests computed over some data
Field | Type | Label | Description |
---|---|---|---|
md5 | string | | |
sha1 | string | | |
sha256 | string | | |
sha512 | string | | |
Signature
Digital signature information for Windows executables
Field | Type | Label | Description |
---|---|---|---|
valid | bool | | |
hash | string | | |
program_name | string | | |
publisher_link | string | | |
more_info_link | string | | |
serial_number | string | | |
issuer_name | string | | |
subject_name | string | | |
VersionInfo
For Windows files, version info resides in the Resource section and is optionally filled in
Field | Type | Label | Description |
---|---|---|---|
file_description | string | | |
company_name | string | | |
product_name | string | | |
product_version | string | | |
file_version | string | | |
comments | string | | |
legal_copyright | string | | |
internal_name | string | | |
original_file_name | string | | |
language | uint32 | | |
codepage | uint32 | | |
FileInfo.FileType
Name | Number | Description |
---|---|---|
UNKNOWN | 0 | Unused but required for proto3 |
REG | 1 | Regular file |
DIR | 2 | Directory |
LINK | 3 | Symbolic link |
WIN_FILE_TYPE_DISK | 101 | Inspector uses values from WinBase.h, which collide with the values above, so they are converted to these values. The specified Windows file is a disk file |
WIN_FILE_TYPE_CHAR | 102 | The specified Windows file is a character file, typically an LPT device or a console |
WIN_FILE_TYPE_PIPE | 103 | The specified Windows file is a socket, a named pipe, or an anonymous pipe |
PathContext
Windows path context refers to whether something is being redirected via WOW64 file system redirection: https://docs.microsoft.com/en-us/windows/desktop/winprog64/file-system-redirector
Name | Number | Description |
---|---|---|
PATH_UNUSED | 0 | |
PATH_32 | 32 | |
PATH_64 | 64 | |
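As an added example that is not part of file.proto or the project's own code, the Python sketch below populates the FileInfo fields listed above from os.lstat and hashlib, and converts raw WinBase.h FILE_TYPE_DISK/CHAR/PIPE values (1, 2, 3, which collide with REG/DIR/LINK) to the WIN_FILE_TYPE_* numbers from the FileType table. The plain dict standing in for the generated protobuf message, and the sample file it hashes, are assumptions made here.

```python
import hashlib
import os
import stat
import tempfile

# FileInfo.FileType numbers from the schema; WinBase.h FILE_TYPE_DISK/CHAR/PIPE are 1/2/3
FILE_TYPE = {"UNKNOWN": 0, "REG": 1, "DIR": 2, "LINK": 3,
             "WIN_FILE_TYPE_DISK": 101, "WIN_FILE_TYPE_CHAR": 102, "WIN_FILE_TYPE_PIPE": 103}
WINBASE_TO_SCHEMA = {1: "WIN_FILE_TYPE_DISK", 2: "WIN_FILE_TYPE_CHAR", 3: "WIN_FILE_TYPE_PIPE"}

def win_file_type_to_schema(winbase_value: int) -> int:
    # Raw GetFileType() result -> schema enum; anything else (e.g. FILE_TYPE_REMOTE) is UNKNOWN
    return FILE_TYPE[WINBASE_TO_SCHEMA.get(winbase_value, "UNKNOWN")]

def posix_file_type(st_mode: int) -> int:
    # Classify an lstat() mode into the POSIX values of the enum
    for test, name in ((stat.S_ISLNK, "LINK"), (stat.S_ISDIR, "DIR"), (stat.S_ISREG, "REG")):
        if test(st_mode):
            return FILE_TYPE[name]
    return FILE_TYPE["UNKNOWN"]
def hash_file(path: str) -> dict:
    # One pass over the file producing all four FileInfo.Hash digests (hex)
    hashers = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {n: h.hexdigest() for n, h in hashers.items()}

def build_file_info(path: str, sensor_type: str = "redcloak") -> dict:
    # Populate the FileInfo fields a sensor can fill from the local filesystem (assumed dict shape)
    st = os.lstat(path)  # lstat so a symlink is recorded as LINK, not as its target
    usec = lambda t: int(t * 1_000_000)  # schema times are microseconds
    rec = {"sensor_type": sensor_type, "path": path, "basename": os.path.basename(path),
           "type": posix_file_type(st.st_mode), "size": st.st_size,
           "attributes": stat.filemode(st.st_mode),
           # on Linux st_ctime is inode-change time, the closest stat() offers to creation time
           "create_time_usec": usec(st.st_ctime), "access_time_usec": usec(st.st_atime),
           "mod_time_usec": usec(st.st_mtime), "st_ino": st.st_ino, "st_mode": st.st_mode,
           "st_nlink": st.st_nlink, "st_uid": st.st_uid, "st_gid": st.st_gid,
           "path_context": 0}  # PATH_UNUSED: WOW64 redirection does not apply here
    if stat.S_ISREG(st.st_mode):
        rec["file_hash"] = hash_file(path)  # file_hash.sha1 supersedes the deprecated sha1_hash
    return rec
def demo() -> dict:
    # Constructed sample input: a 5-byte file written to a temporary directory
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sample.bin")
        with open(p, "wb") as f:
            f.write(b"hello")
        return build_file_info(p)
```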