File Fields


A file is defined as a set of information that has been created on, or has existed on a filesystem.

File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.

File Field Details

Each entry lists the field, its description (with ECS type and an example where the schema gives one), and its ECS level.

file.accessed
    Last time the file was accessed.
    Note that not all filesystems keep track of access time.
    type: date
    level: extended

file.created
    File creation time.
    Note that not all filesystems store the creation time.
    type: date
    level: extended

file.ctime
    Last time the file attributes or metadata changed.
    Note that changes to the file content will update mtime. This implies ctime will be adjusted at the same time, since mtime is an attribute of the file.
    type: date
    level: extended

file.device
    Device that is the source of the file.
    type: keyword
    example: sda
    level: extended

file.directory
    Directory where the file is located.
    type: keyword
    example: /home/alice
    level: extended

file.extension
    File extension.
    type: keyword
    example: png
    level: extended

file.gid
    Primary group ID (GID) of the file.
    type: keyword
    example: 1001
    level: extended

file.group
    Primary group name of the file.
    type: keyword
    example: alice
    level: extended

file.inode
    Inode representing the file in the filesystem.
    type: keyword
    example: 256383
    level: extended

file.mode
    Mode of the file in octal representation.
    type: keyword
    example: 0640
    level: extended

file.mtime
    Last time the file content was modified.
    type: date
    level: extended

file.name
    Name of the file including the extension, without the directory.
    type: keyword
    example: example.png
    level: extended

file.owner
    File owner's username.
    type: keyword
    example: alice
    level: extended

file.path
    Full path to the file.
    type: keyword
    example: /home/alice/example.png
    level: extended

file.size
    File size in bytes.
    Only relevant when file.type is "file".
    type: long
    example: 16384
    level: extended

file.target_path
    Target path for symlinks.
    type: keyword
    level: extended

file.type
    File type (file, dir, or symlink).
    type: keyword
    example: file
    level: extended

file.uid
    The user ID (UID) or security identifier (SID) of the file owner.
    type: keyword
    example: 1001
    level: extended

Field Reuse

Field sets that can be nested under File:

file.hash.*
    Hashes, usually file hashes.
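As an added example (not part of the ECS documentation or any ECS library), the following Python populates this field set for one path, applying the rules stated above: mode rendered in octal, size only when type is "file", target_path only for symlinks, keyword fields as strings, and the nested file.hash.* set filled with a SHA-256. The demo() input is constructed; POSIX symlinks and UTC ISO 8601 timestamps are assumed, and owner/group name lookups are left out.

```python
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone


def ecs_file(path: str) -> dict:
    """Populate the ECS 'file' field set for one path as this page defines it.
    lstat() is used so a symlink reports type "symlink" and its target_path."""
    st = os.lstat(path)
    ftype = "dir" if stat.S_ISDIR(st.st_mode) else "symlink" if stat.S_ISLNK(st.st_mode) else "file"
    # ECS 'date' values: UTC ISO 8601; 'keyword' values are strings, not numbers
    iso = lambda ts: datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    name = os.path.basename(path)
    doc = {
        "path": path,
        "directory": os.path.dirname(path),
        "name": name,
        "extension": os.path.splitext(name)[1].lstrip("."),  # "png", not ".png"
        "type": ftype,
        "inode": str(st.st_ino),
        "uid": str(st.st_uid),
        "gid": str(st.st_gid),
        "mode": format(stat.S_IMODE(st.st_mode), "04o"),  # octal, e.g. "0640"
        "accessed": iso(st.st_atime),
        "mtime": iso(st.st_mtime),
        "ctime": iso(st.st_ctime),
    }
    if ftype == "file":
        doc["size"] = st.st_size  # file.size is only relevant when type is "file"
        with open(path, "rb") as fh:  # nested file.hash.* field set
            doc["hash"] = {"sha256": hashlib.sha256(fh.read()).hexdigest()}
    elif ftype == "symlink":
        doc["target_path"] = os.readlink(path)
    return doc


def demo() -> dict:
    """Constructed sample input (POSIX assumed): a 16-byte file, a symlink to it, and their directory."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "example.png")
    with open(target, "wb") as fh:
        fh.write(b"\x89PNG" + b"\x00" * 12)
    os.chmod(target, 0o640)
    link = os.path.join(root, "link.png")
    os.symlink(target, link)
    return {"file": ecs_file(target), "symlink": ecs_file(link), "dir": ecs_file(root)}
```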