| company |
The name of the organization listed in the file located at image_path. |
|
| content |
The contents of the file. |
Hello World |
| creation_time |
The creation time of the file as described in UTC and including the date. |
05/14/2015 12:47:06 |
| extension |
The file extension of the file. |
docx |
| file_name |
The name of the file. |
MyWordDoc.docx |
| file_path |
The full path to the file on the file system. |
C:\users\fakeuser\documents\MyFile.docx |
| gid |
The group ID of the file |
801 |
| group |
The group owner of the file |
admin |
| owner_uid |
The user ID or SID of the owner of the file. |
501 |
| owner |
The username of the owner of the file. |
adam |
| fqdn |
The fully qualified domain name of the host. Contains the hostname appended with the domain. |
HOST1.EXAMPLE_DOMAIN.COM |
| hostname |
The hostname of the host, without the domain. |
HOST1 |
| image_path |
The file system location of the executable that is associated with the pid that generated this event. |
C:\Windows\system32\notepad.exe |
| link_target |
The target path of a symbolic link. |
C:\my_special_file.exe |
| md5_hash |
An MD5 hash of the contents of the file located at image_path. The field is in hex notation, without the 0x prefix. |
5eb63bbbe01eeed093cb22bb8f5acdc3 |
| mime_type |
The MIME type of the file. |
PE |
| mode |
The mode or permissions set of the file. |
0644 (linux) or NTFS ACL |
| pid |
The process ID for the process that generated this file event, represented in decimal notation. |
738 |
| ppid |
The process ID of the parent process of the process associated with this file event, represented in decimal notation. |
1860 |
| previous_creation_time |
The creation_time associated with the file before it was changed for this file event. |
05/14/2015 12:47:06 |
| sha1_hash |
The SHA1 hash of the contents of the file located at image_path. |
2aae6c35c94fcfb415dbe95f408b9ce91ee846ed |
| sha256_hash |
The SHA256 hash of the contents of the file located at image_path. |
68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728 |
| signer |
The company listed on the certificate of the program at image_path if that program is signed. |
Microsoft Corporation |
| signature_valid |
Boolean indicator of whether the signature is valid; empty if file is not signed. |
True |
| user |
The user context in which the thread that caused this event was running. May be a local, domain or SYSTEM user. Formatted as “<DOMAIN>\<USER>”. Because threads are allowed to impersonate users, this may be different than the user context of the process. |
HOST1\LOCALUSER |
| uid |
The user ID or SID for the acting entity. |
S-1-5-18 |
