GIM Category: file
The File category covers events related to file activity on a system, including creation, deletion, modification, access, and integrity monitoring. These events are typically generated by operating system auditing features (such as Windows file auditing or Linux auditd), file integrity monitoring tools, or endpoint detection and response (EDR) products. They provide visibility into how files are created, altered, or removed, which is critical for detecting suspicious activity such as unauthorized changes, tampering, or malware being written to disk. Each subcategory below lists the GIM event types that belong to it; in the tables, the gim_event_class cell is left empty where the source does not supply a value.
create
Create events represent the creation of a new file on a system. These events typically include the file name, the process that created the file, and the user context under which the action occurred. File creation monitoring is critical for detecting suspicious activity, such as malware dropped to disk, unauthorized configuration changes, or staging of tools by an attacker.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 200000 | | file | file.create | file created | A new file was created on the system. |
delete
Delete events represent the removal of a file from a system. These events typically include the file name, the process responsible for the deletion, and the user context under which it occurred. File deletion monitoring is important for detecting attacker cleanup activity, data destruction, or ransomware behavior, as well as tracking normal administrative actions.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 200100 | | file | file.delete | file deleted | A file was deleted from the system. |
modify
Modify events represent changes made to an existing file. This can include editing file contents, altering metadata such as timestamps, or attaching an alternate data stream to the file. Monitoring file modifications is important for detecting tampering, persistence mechanisms, timestomping (resetting timestamps to blend in with surrounding files), or suspicious changes to system and application files.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 201000 | | file | file.modify | file modified | The contents of a file were modified. |
| 201001 | | file | file.modify | file timestamp modified | A file's timestamp attributes (such as creation or last modified time) were changed. |
| 201002 | | file | file.modify | file stream created | An alternate data stream (ADS) or equivalent was attached to a file. |
access
Access events represent attempts to open or read a file. This includes normal user or process access as well as raw device-level access that bypasses the file system. Monitoring file access is valuable for detecting unauthorized reads, discovery activity, or attempts to evade standard auditing.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 201500 | | file | file.access | file accessed | A process or user attempted to access a file. |
| 201501 | | file | file.access | raw file access | A process attempted raw file access directly from a storage device, bypassing normal filesystem controls. |
integrity
Integrity events represent the monitoring or validation of a file's authenticity or consistency. This may include changes to a file's cryptographic hash, digital signature, or results reported by file integrity monitoring (FIM) tools. These events are important for detecting tampering, unauthorized modifications, or attempts to bypass system integrity protections.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 202000 | | file | file.integrity | file signature invalid | A file's digital signature or hash validation failed, indicating possible tampering. |
| 202001 | | file | file.integrity | file integrity notice | A file integrity monitoring (FIM) system reported a general integrity event for a file. |
default
The default subcategory is used for file-related events that do not fit into a more specific subcategory (such as create, delete, modify, access, or integrity). This may include vendor-specific log messages or file events with incomplete context. The default ensures that all file activity can still be captured and represented within the model.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 209999 | | file | file.default | file event | A generic file activity event that does not match a more specific subcategory. |
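The following is an added example, not part of the GIM specification or any vendor's normalizer, showing how raw endpoint file events are mapped onto the create, delete, modify, access and default subcategories listed above and then correlated. The GIM codes are taken from the tables on this page; the mapping from Sysmon event IDs to those codes (2 = file creation time changed, 9 = RawAccessRead, 11 = FileCreate, 15 = FileCreateStreamHash, 23 and 26 = FileDelete) is this example's own assumption, and the input records are constructed rather than captured from a host. Anything with an unrecognized event ID falls through to 209999 (file.default) so that no file activity is lost, which is the point of the default subcategory.

```python
"""Normalize Sysmon-style file events into GIM file-category fields (added example)."""
from dataclasses import dataclass

# GIM file-category event types, keyed by gim_event_type_code (values from the page).
GIM_FILE_TYPES = {
    200000: ("file.create", "file created"),
    200100: ("file.delete", "file deleted"),
    201000: ("file.modify", "file modified"),
    201001: ("file.modify", "file timestamp modified"),
    201002: ("file.modify", "file stream created"),
    201500: ("file.access", "file accessed"),
    201501: ("file.access", "raw file access"),
    202000: ("file.integrity", "file signature invalid"),
    202001: ("file.integrity", "file integrity notice"),
    209999: ("file.default", "file event"),
}

# Assumed vendor mapping: Sysmon event ID -> GIM event type code.
SYSMON_TO_GIM = {
    2: 201001,   # file creation time changed (timestomping candidate)
    9: 201501,   # RawAccessRead of a volume, bypassing the filesystem
    11: 200000,  # FileCreate
    15: 201002,  # FileCreateStreamHash (alternate data stream written)
    23: 200100,  # FileDelete (archived)
    26: 200100,  # FileDeleteDetected
}


@dataclass
class GimFileEvent:
    gim_event_type_code: int
    gim_event_category: str
    gim_event_subcategory: str
    gim_event_type: str
    file_path: str
    process_name: str
    user_name: str


def normalize_sysmon(record: dict) -> GimFileEvent:
    """Map one Sysmon-style record onto GIM file fields.

    Unknown event IDs fall through to 209999 (file.default) instead of being dropped.
    RawAccessRead (event 9) names a device rather than a file, so that is used as the path.
    """
    code = SYSMON_TO_GIM.get(record.get("EventID"), 209999)
    subcategory, event_type = GIM_FILE_TYPES[code]
    return GimFileEvent(
        gim_event_type_code=code,
        gim_event_category="file",
        gim_event_subcategory=subcategory,
        gim_event_type=event_type,
        file_path=record.get("TargetFilename", record.get("Device", "")),
        process_name=record.get("Image", ""),
        user_name=record.get("User", ""),
    )


def normalize_all(records: list) -> list:
    """Normalize a batch of records, preserving their order."""
    return [normalize_sysmon(r) for r in records]


def timestomp_candidates(events: list) -> list:
    """Paths that were created (200000) and later had their timestamp changed (201001).

    Correlating across subcategories is only possible once every source maps to the same codes.
    """
    created = set()
    hits = []
    for e in events:
        if e.gim_event_type_code == 200000:
            created.add(e.file_path)
        elif e.gim_event_type_code == 201001 and e.file_path in created and e.file_path not in hits:
            hits.append(e.file_path)
    return hits


# Constructed sample records (not captured from a real host).
DROPPED = r"C:\Users\alice\AppData\Local\Temp\upd.exe"
SAMPLE_RECORDS = [
    {"EventID": 11, "TargetFilename": DROPPED,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CORP\alice"},
    {"EventID": 2, "TargetFilename": DROPPED, "Image": DROPPED, "User": r"CORP\alice"},
    {"EventID": 15, "TargetFilename": r"C:\Users\alice\Downloads\invoice.docx:Zone.Identifier",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "User": r"CORP\alice"},
    {"EventID": 9, "Device": r"\Device\HarddiskVolume2", "Image": DROPPED, "User": r"CORP\alice"},
    {"EventID": 23, "TargetFilename": DROPPED, "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\alice"},
    # Unrecognized vendor event ID: must still land in file.default.
    {"EventID": 999, "TargetFilename": r"C:\Temp\unknown.bin", "Image": "", "User": ""},
]

if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_RECORDS):
        print(ev.gim_event_type_code, ev.gim_event_subcategory, ev.gim_event_type, ev.file_path)
    print("timestomp candidates:", timestomp_candidates(normalize_all(SAMPLE_RECORDS)))
```

The correlation in timestomp_candidates is deliberately simple: it flags a file whose creation time was rewritten after the file was dropped, which is a common step before the file is deleted again (the sample sequence ends with 200100). A production rule would also check which process changed the timestamp and whether the new creation time predates the file's create event.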
