File

Description

This preset offers fields related to file create, write, read, delete, and rename.

Preset Fields

The xdr_file preset has the following fields:

| Field Name | Datatype | Description |
|---|---|---|
| action_file_md5 | string | None Available |
| action_file_name | string | File name of 'action_file_path'. This will be an empty string for directory operations. |
| action_file_path | string | None Available |
| action_file_previous_file_name | string | File name of 'action_file_previous_file_path'. This will be an empty string for directory operations. |
| action_file_previous_file_path | string | None Available |
| action_file_sha256 | string | None Available |
| actor_effective_username | string | Name assigned to 'actor_effective_user_sid'. Win: including domain |
| actor_process_command_line | string | None Available |
| actor_process_image_md5 | string | None Available |
| actor_process_image_name | string | None Available |
| actor_process_image_path | string | None Available |
| actor_process_image_sha256 | string | None Available |
| actor_process_os_pid | integer | None Available |
| actor_process_signature_status | integer | None Available |
| actor_process_signature_vendor | string | None Available |
| agent_hostname | string | Hostname of the agent |
| agent_install_type | integer | None Available |
| agent_ip_addresses | string | All IPv4 interface addresses |
| agent_os_type | integer | None Available |
| causality_actor_process_command_line | string | None Available |
| causality_actor_process_image_md5 | string | None Available |
| causality_actor_process_image_name | string | None Available |
| causality_actor_process_image_path | string | None Available |
| causality_actor_process_image_sha256 | string | None Available |
| causality_actor_process_os_pid | integer | None Available |
| causality_actor_process_signature_status | integer | None Available |
| causality_actor_process_signature_vendor | string | None Available |
| causality_actor_type | integer | None Available |
| mac | string | None Available |
| os_actor_process_command_line | string | None Available |
| os_actor_process_image_name | string | None Available |
| os_actor_process_image_path | string | None Available |
| os_actor_process_os_pid | integer | None Available |
| os_actor_process_signature_status | integer | None Available |
