| Field | Description | Example |
|---|---|---|
| company | The name of the organization listed in the file located at image_path. | |
| content | The contents of the file. | `Hello World` |
| creation_time | The creation time of the file, in UTC, including the date. | `05/14/2015 12:47:06` |
| extension | The file extension of the file. | `docx` |
| file_name | The name of the file. | `MyWordDoc.docx` |
| file_path | The full path to the file on the file system. | `C:\users\fakeuser\documents\MyFile.docx` |
| gid | The group ID of the file. | `801` |
| group | The group owner of the file. | `admin` |
| owner_uid | The user ID or SID of the owner of the file. | `501` |
| owner | The username of the owner of the file. | `adam` |
| fqdn | The fully qualified domain name of the host: the hostname with the domain appended. | `HOST1.EXAMPLE_DOMAIN.COM` |
| hostname | The hostname of the host, without the domain. | `HOST1` |
| image_path | The file system location of the executable associated with the pid that generated this event. | `C:\Windows\system32\notepad.exe` |
| link_target | The target path of a symbolic link. | `C:\my_special_file.exe` |
| md5_hash | An MD5 hash of the contents of the file described by this event (the file at file_path, not the process executable at image_path). Lowercase hex, without a `0x` prefix. | `5eb63bbbe01eeed093cb22bb8f5acdc3` |
| mime_type | The MIME type of the file. | `application/x-dosexec` |
| mode | The mode or permission set of the file. | `0644` (Linux) or an NTFS ACL |
| pid | The process ID of the process that generated this file event, in decimal notation. | `738` |
| ppid | The process ID of the parent of the process that generated this file event, in decimal notation. | `1860` |
| previous_creation_time | The creation_time of the file before it was changed by this file event. | `05/14/2015 12:47:06` |
| sha1_hash | The SHA1 hash of the contents of the file described by this event (the file at file_path). Lowercase hex, without a `0x` prefix. | `2aae6c35c94fcfb415dbe95f408b9ce91ee846ed` |
| sha256_hash | The SHA256 hash of the contents of the file described by this event (the file at file_path). Lowercase hex, without a `0x` prefix. | `68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728` |
| signer | The company listed on the certificate of the program at image_path, if that program is signed. | `Microsoft Corporation` |
| signature_valid | Boolean indicator of whether the signature is valid; empty if the file is not signed. | `True` |
| user | The user context in which the thread that caused this event was running. May be a local, domain or SYSTEM user, formatted as `<DOMAIN>\<USER>`. Because threads may impersonate users, this can differ from the user context of the process. | `HOST1\LOCALUSER` |
| uid | The user ID or SID of the acting entity. | `S-1-5-18` |
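The field definitions above leave several consistency rules implicit: hashes are fixed-length lowercase hex with no `0x` prefix, `signature_valid` is only meaningful when a `signer` is present, `user` carries a domain, and `fqdn` begins with `hostname`. The following validator is an added example (not code from the page or the data model's maintainers) that checks those rules over a record and, when the sensor also ships `content`, recomputes the digests to catch a record whose hashes do not describe the file it claims to. The two sample events, the timestamp layout `%m/%d/%Y %H:%M:%S`, and the treatment of a missing field as empty are assumptions made for the example.

```python
"""Validate file-event records against the field table above.

Added example, not part of the original page. Field names follow the table;
the sample events, the timestamp layout and the individual check rules are
assumptions made for this example.
"""
import hashlib
import re
from datetime import datetime

HASH_LEN = {"md5_hash": 32, "sha1_hash": 40, "sha256_hash": 64}
TIME_FMT = "%m/%d/%Y %H:%M:%S"               # assumed, matches the examples
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")     # Windows SID
USER_RE = re.compile(r"^[^\\]+\\[^\\]+$")      # <DOMAIN>\<USER>


def hashes_for(content: bytes) -> dict:
    """Digests in the form the table specifies: lowercase hex, no 0x prefix."""
    return {
        "md5_hash": hashlib.md5(content).hexdigest(),
        "sha1_hash": hashlib.sha1(content).hexdigest(),
        "sha256_hash": hashlib.sha256(content).hexdigest(),
    }


def validate_file_event(ev: dict) -> list:
    """Return a list of problems; an empty list means the record is consistent."""
    problems = []

    def get(key):            # a missing field is treated like an empty one
        return ev.get(key, "") or ""

    # Hashes: fixed-length lowercase hex, no 0x prefix.
    for field, n in HASH_LEN.items():
        v = get(field)
        if v and not re.fullmatch(r"[0-9a-f]{%d}" % n, v):
            problems.append(f"{field}: want {n} lowercase hex chars, no 0x prefix")

    # If the content was captured too, every shipped hash must match it.
    if get("content"):
        expected = hashes_for(get("content").encode("utf-8"))
        for field, want in expected.items():
            if get(field) and get(field) != want:
                problems.append(f"{field}: does not match content")

    # Timestamps: date included, parseable in the assumed layout.
    for field in ("creation_time", "previous_creation_time"):
        v = get(field)
        if v:
            try:
                datetime.strptime(v, TIME_FMT)
            except ValueError:
                problems.append(f"{field}: not in layout {TIME_FMT}")

    # pid/ppid are decimal, never hex.
    for field in ("pid", "ppid"):
        if get(field) and not get(field).isdigit():
            problems.append(f"{field}: must be decimal")

    # extension agrees with file_name; fqdn starts with hostname.
    name, ext = get("file_name"), get("extension")
    if name and ext and not name.lower().endswith("." + ext.lower()):
        problems.append("extension: does not match file_name")
    host, fqdn = get("hostname"), get("fqdn")
    if host and fqdn and not fqdn.lower().startswith(host.lower() + "."):
        problems.append("fqdn: does not start with hostname")

    # signature_valid is a boolean only for a signed file; empty otherwise.
    sig = get("signature_valid")
    if sig not in ("", "True", "False"):
        problems.append("signature_valid: must be True, False or empty")
    if sig and not get("signer"):
        problems.append("signature_valid: set but signer is empty (unsigned file)")

    # user carries a domain; uid is a numeric id or a SID.
    if get("user") and not USER_RE.match(get("user")):
        problems.append("user: expected <DOMAIN>\\<USER>")
    uid = get("uid")
    if uid and not (uid.isdigit() or SID_RE.match(uid)):
        problems.append("uid: expected numeric id or SID")
    return problems


# Constructed sample records for the example (not taken from the page).
GOOD_EVENT = {
    "hostname": "HOST1", "fqdn": "HOST1.EXAMPLE_DOMAIN.COM",
    "file_name": "MyWordDoc.docx", "extension": "docx",
    "file_path": r"C:\users\fakeuser\documents\MyWordDoc.docx",
    "content": "hello world", **hashes_for(b"hello world"),
    "creation_time": "05/14/2015 12:47:06",
    "image_path": r"C:\Windows\system32\notepad.exe",
    "pid": "738", "ppid": "1860",
    "signer": "Microsoft Corporation", "signature_valid": "True",
    "user": r"HOST1\LOCALUSER", "uid": "S-1-5-18",
}
BAD_EVENT = dict(
    GOOD_EVENT,
    md5_hash="0x5eb63bbbe01eeed093cb22bb8f5acdc3",   # 0x prefix
    sha256_hash="68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728",  # not this content
    signer="", signature_valid="True",              # unsigned yet "valid"
    user="LOCALUSER", pid="0x2e2",                  # no domain; hex pid
)

if __name__ == "__main__":
    print("good:", validate_file_event(GOOD_EVENT))
    for p in validate_file_event(BAD_EVENT):
        print("bad: ", p)
```

A record that fails the hash-versus-content check deserves attention rather than a silent drop: either the sensor hashed a different file than it reported (the image_path/file_path confusion the table itself invites) or the record was altered in transit.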