🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

FileInfo Schema

file.proto

Command

Commmand holds a command and it's execution context

Field Type Label Description
args string repeated List of command arguments.
host_program FileInfo
program FileInfo
path_context PathContext

FileInfo

Field Type Label Description
resource_id string Full resource string identifying the record
tenant_id string The ID of the tenant that owns this specific to CTPX ID
visibility Visibility Constraints on visibility of the record
normalizer string Name & version of normalizer that created this record
sensor_type string Ex: redcloak,iSensor
sensor_event_id string Event ID of original_data assigned by the sensor
sensor_tenant string Ex: redloak-domain, ctp-client-id
sensor_id string Ex: redcloak-agent-id, iSensor Dev IP
sensor_cpe string CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak::::::::
original_data string Original, unadulterated data prior to any transformation.
event_time_usec uint64 Event time in microseconds (µs)
ingest_time_usec uint64 Ingest time in microseconds (µs).
event_time_fidelity TimeFidelity Specifies the original precision of the time used to populate event_time_usec
host_id string Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address
path string The full pathname of the file
type FileInfo.FileType The type of file. @see FileType
size uint64 File size in bytes
sha1_hash bytes Deprecated. Hash of the file contents. Deprecated, use file_hash.sha1 instead.
create_time_usec uint64 Time in microseconds (µs) at which the file was created
access_time_usec uint64 Time in microseconds (µs) at which the file was last accessed (opened)
mod_time_usec uint64 Time in microseconds (µs) at which the file was last modified
attributes string String representation of file attributes such as type, perms, et.al. based on the underlying filesystem
file_hash FileInfo.Hash A hash of the file contents
path_context PathContext Indicates whether the underlying Windows DLL path was redirected based on the OS bytesize (32bit vs. 64bit)
user_path bool Deprecated. TODO
basename string Just the filename without the leading directory path
native_path string For Windows, the native system directory used to access the DLL
acl string repeated Repeated to account for getfacl/setfacl output for POSIX if we want it in the future
version_info VersionInfo For Windows files, version info resides in the Resource section of executables
signature Signature Digital signature information for OSes supporting signed executables
os OperatingSystem operating system, architecture on which file encountered
st_ino uint64 File status related attributes. Interestingly enough they may also be collected on Windows, backed by POSIX subsystem.

Inode number | | st_mode | uint32 | | File type and mode | | st_nlink | uint32 | | Number of hard links | | st_uid | uint32 | | User ID of owner | | st_gid | uint32 | | Group ID of owner | | pivot | string | | Primary hunting pivot point of the data for grouping |

FileInfo.Hash

Specifies the MAC used to hash some data

Field Type Label Description
md5 string
sha1 string
sha256 string
sha512 string

Signature

Digital signature information for Windows executables

Field Type Label Description
valid bool
hash string
program_name string
publisher_link string
more_info_link string
serial_number string
issuer_name string
subject_name string

VersionInfo

For Windows files, version info resides in the Resource section and is optionally filled in

Field Type Label Description
file_description string
company_name string
product_name string
product_version string
file_version string
comments string
legal_copyright string
internal_name string
original_file_name string
language uint32
codepage uint32

FileInfo.FileType

Name Number Description
UNKNOWN 0 unused but required for proto3
REG 1 regular file
DIR 2 directory
LINK 3 symbolic link
WIN_FILE_TYPE_DISK 101 Inspector uses values from WinBase.h, which collide with above so we will convert The specified Windows file is a disk file
WIN_FILE_TYPE_CHAR 102 The specified Windows file is a character file, typically an LPT device or a console
WIN_FILE_TYPE_PIPE 103 The specified Windows file is a socket, a named pipe, or an anonymous pipe

PathContext

Windows path context refers to whether something is being redirected via WOW64: https://docs.microsoft.com/en-us/windows/desktop/winprog64/file-system-redirector{: target="_blank"}

Name Number Description
PATH_UNUSED 0
PATH_32 32
PATH_64 64

 

On this page: