FileInfo Schema
file.proto ⫘
Command ⫘
Commmand holds a command and it's execution context
| Field | Type | Label | Description |
|---|---|---|---|
| args | string | repeated | List of command arguments. |
| host_program | FileInfo | ||
| program | FileInfo | ||
| path_context | PathContext |
FileInfo ⫘
| Field | Type | Label | Description |
|---|---|---|---|
| resource_id | string | Full resource string identifying the record | |
| tenant_id | string | The ID of the tenant that owns this specific to CTPX ID | |
| visibility | Visibility | Constraints on visibility of the record | |
| normalizer | string | Name & version of normalizer that created this record | |
| sensor_type | string | Ex: redcloak | |
| sensor_event_id | string | Event ID of original_data assigned by the sensor | |
| sensor_tenant | string | Ex: redloak-domain, ctp-client-id | |
| sensor_id | string | Ex: redcloak-agent-id | |
| sensor_cpe | string | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: | |
| original_data | string | Original, unadulterated data prior to any transformation. | |
| event_time_usec | uint64 | Event time in microseconds (µs) | |
| ingest_time_usec | uint64 | Ingest time in microseconds (µs). | |
| event_time_fidelity | TimeFidelity | Specifies the original precision of the time used to populate event_time_usec | |
| host_id | string | Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address | |
| path | string | The full pathname of the file | |
| type | FileInfo.FileType | The type of file. @see FileType | |
| size | uint64 | File size in bytes | |
| sha1_hash | bytes | Deprecated. Hash of the file contents. Deprecated, use file_hash.sha1 instead. | |
| create_time_usec | uint64 | Time in microseconds (µs) at which the file was created | |
| access_time_usec | uint64 | Time in microseconds (µs) at which the file was last accessed (opened) | |
| mod_time_usec | uint64 | Time in microseconds (µs) at which the file was last modified | |
| attributes | string | String representation of file attributes such as type, perms, et.al. based on the underlying filesystem | |
| file_hash | FileInfo.Hash | A hash of the file contents | |
| path_context | PathContext | Indicates whether the underlying Windows DLL path was redirected based on the OS bytesize (32bit vs. 64bit) | |
| user_path | bool | Deprecated. TODO | |
| basename | string | Just the filename without the leading directory path | |
| native_path | string | For Windows, the native system directory used to access the DLL | |
| acl | string | repeated | Repeated to account for getfacl/setfacl output for POSIX if we want it in the future |
| version_info | VersionInfo | For Windows files, version info resides in the Resource section of executables | |
| signature | Signature | Digital signature information for OSes supporting signed executables | |
| os | OperatingSystem | operating system, architecture on which file encountered | |
| st_ino | uint64 | File status related attributes. Interestingly enough they may also be collected on Windows, backed by POSIX subsystem. |
Inode number | | st_mode | uint32 | | File type and mode | | st_nlink | uint32 | | Number of hard links | | st_uid | uint32 | | User ID of owner | | st_gid | uint32 | | Group ID of owner | | pivot | string | | Primary hunting pivot point of the data for grouping |
FileInfo.Hash ⫘
Specifies the MAC used to hash some data
| Field | Type | Label | Description |
|---|---|---|---|
| md5 | string | ||
| sha1 | string | ||
| sha256 | string | ||
| sha512 | string |
Signature ⫘
Digital signature information for Windows executables
| Field | Type | Label | Description |
|---|---|---|---|
| valid | bool | ||
| hash | string | ||
| program_name | string | ||
| publisher_link | string | ||
| more_info_link | string | ||
| serial_number | string | ||
| issuer_name | string | ||
| subject_name | string |
VersionInfo ⫘
For Windows files, version info resides in the Resource section and is optionally filled in
| Field | Type | Label | Description |
|---|---|---|---|
| file_description | string | ||
| company_name | string | ||
| product_name | string | ||
| product_version | string | ||
| file_version | string | ||
| comments | string | ||
| legal_copyright | string | ||
| internal_name | string | ||
| original_file_name | string | ||
| language | uint32 | ||
| codepage | uint32 |
FileInfo.FileType ⫘
| Name | Number | Description |
|---|---|---|
| UNKNOWN | 0 | unused but required for proto3 |
| REG | 1 | regular file |
| DIR | 2 | directory |
| LINK | 3 | symbolic link |
| WIN_FILE_TYPE_DISK | 101 | Inspector uses values from WinBase.h, which collide with above so we will convert The specified Windows file is a disk file |
| WIN_FILE_TYPE_CHAR | 102 | The specified Windows file is a character file, typically an LPT device or a console |
| WIN_FILE_TYPE_PIPE | 103 | The specified Windows file is a socket, a named pipe, or an anonymous pipe |
PathContext ⫘
Windows path context refers to whether something is being redirected via WOW64: https://docs.microsoft.com/en-us/windows/desktop/winprog64/file-system-redirector{: target="_blank"}
| Name | Number | Description |
|---|---|---|
| PATH_UNUSED | 0 | |
| PATH_32 | 32 | |
| PATH_64 | 64 |