File Fields
The file entity defines fields used to describe attributes of files observed in event logs. These fields capture details such as the file name, path, size, metadata, and properties that help analysts understand the role of a file in an event. For example, file_name records the file’s name, file_path indicates where it was located in the filesystem, and file_size captures its size in bytes.
Additional fields describe file-specific characteristics such as whether the file is executable, which company produced it, whether and by whom it was digitally signed, and when it was compiled. Together, these fields provide a consistent way to represent file-related activity across different platforms and log sources, so that the same search or detection logic works regardless of which source produced the event.
| field | field_type | description | example_values |
|---|---|---|---|
| file_company | keyword | Company name associated with the file, taken from the file metadata. | Microsoft |
| file_compile_time | date | Date/time at which a binary file was compiled. | |
| file_contents | keyword | Contents of the file. | |
| file_description | keyword | Description of the file, taken from the file metadata. | WMI |
| file_is_executable | boolean | Flag indicating whether the file is executable. | true, false |
| file_is_signed | boolean | Flag indicating whether the file has been digitally signed. | true, false |
| file_name | keyword | File name, not including the path. | file.zip, file.exe, file |
| file_path | keyword | Full path, including the file name. | C:\temp\file.exe |
| file_product | keyword | Name of the product the file shipped with. | |
| file_product_version | keyword | Version of the product the file shipped with. | |
| file_signature_status | keyword | Status of the file's digital signature. | valid |
| file_signed_by | keyword | Name of the entity that signed the file. | Microsoft Windows |
| file_size | long | File size in bytes. | 23894713 |
| file_type | keyword | Description of the file contents, either a content description (as produced by the `file` utility) or a MIME type. | gzip compressed data, application/pdf |
| file_version | keyword | Version of the file. | 10.0.14393.4169 (rs1_release.210107-1130) |
