From 968e8c2b27dcd1a8c36a1a0c383df9b8fc4674d6 Mon Sep 17 00:00:00 2001
From: Asuka Nakajima
Date: Tue, 24 Sep 2024 12:33:41 +0000
Subject: [PATCH 01/12] add modified registry.yaml and generated files

---
 docs/attributes-registry/file.md | 57 ++++++++++++++++++++------------
 model/file/registry.yaml | 16 +++++++++
 2 files changed, 51 insertions(+), 22 deletions(-)

diff --git a/docs/attributes-registry/file.md b/docs/attributes-registry/file.md
index b8cfc67b22..f2810ccbdd 100644
--- a/docs/attributes-registry/file.md
+++ b/docs/attributes-registry/file.md
@@ -1,3 +1,7 @@
+
+
+
+
@@ -5,31 +9,33 @@
 # File
-
 ## File Attributes
 Describes file attributes.
-| Attribute | Type | Description | Examples | Stability |
-| -------------------------------- | -------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ---------------------------------------------------------------- |
-| `file.accessed` | string | Time when the file was last accessed, in ISO 8601 format. [1] | `2021-01-01T12:00:00Z` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.attributes` | string[] | Array of file attributes. [2] | `["readonly", "hidden"]` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.changed` | string | Time when the file attributes or metadata was last changed, in ISO 8601 format. [3] | `2021-01-01T12:00:00Z` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.created` | string | Time when the file was created, in ISO 8601 format. [4] | `2021-01-01T12:00:00Z` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.directory` | string | Directory where the file is located. It should include the drive letter, when appropriate. | `/home/user`; `C:\Program Files\MyApp` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.extension` | string | File extension, excluding the leading dot. [5] | `png`; `gz` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.fork_name` | string | Name of the fork. A fork is additional data associated with a filesystem object. [6] | `Zone.Identifer` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.group.id` | string | Primary Group ID (GID) of the file. | `1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.group.name` | string | Primary group name of the file. | `users` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.inode` | string | Inode representing the file in the filesystem. | `256383` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.mode` | string | Mode of the file in octal representation. | `0640` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.modified` | string | Time when the file content was last modified, in ISO 8601 format. | `2021-01-01T12:00:00Z` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.name` | string | Name of the file including the extension, without the directory. | `example.png` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.owner.id` | string | The user ID (UID) or security identifier (SID) of the file owner. | `1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.owner.name` | string | Username of the file owner. | `root` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.path` | string | Full path to the file, including the file name. It should include the drive letter, when appropriate. | `/home/alice/example.png`; `C:\Program Files\MyApp\myapp.exe` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.size` | int | File size in bytes. | | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.symbolic_link.target_path` | string | Path to the target of a symbolic link. [7] | `/usr/bin/python3` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| Attribute | Type | Description | Examples | Stability |
+|---|---|---|---|---|
+| `file.accessed` | string | Time when the file was last accessed, in ISO 8601 format. [1] | `2021-01-01T12:00:00Z` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.attributes` | string[] | Array of file attributes. [2] | `["readonly", "hidden"]` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.changed` | string | Time when the file attributes or metadata was last changed, in ISO 8601 format. [3] | `2021-01-01T12:00:00Z` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.created` | string | Time when the file was created, in ISO 8601 format. [4] | `2021-01-01T12:00:00Z` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.directory` | string | Directory where the file is located. It should include the drive letter, when appropriate. | `/home/user`; `C:\Program Files\MyApp` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.extension` | string | File extension, excluding the leading dot. [5] | `png`; `gz` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.fork_name` | string | Name of the fork. A fork is additional data associated with a filesystem object. [6] | `Zone.Identifer` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.group.id` | string | Primary Group ID (GID) of the file. | `1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.group.name` | string | Primary group name of the file. | `users` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.inode` | string | Inode representing the file in the filesystem. | `256383` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.mode` | string | Mode of the file in octal representation. | `0640` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.modified` | string | Time when the file content was last modified, in ISO 8601 format. | `2021-01-01T12:00:00Z` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.name` | string | Name of the file including the extension, without the directory. | `example.png` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.origin_referrer_url` | string | The URL of the webpage that linked to the file. [7] | `https://example.com` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.origin_url` | string | The URL where the file is hosted. [8] | `https://example.com/file.zip` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.owner.id` | string | The user ID (UID) or security identifier (SID) of the file owner. | `1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.owner.name` | string | Username of the file owner. | `root` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.path` | string | Full path to the file, including the file name. It should include the drive letter, when appropriate. | `/home/alice/example.png`; `C:\Program Files\MyApp\myapp.exe` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.size` | int | File size in bytes. | | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.symbolic_link.target_path` | string | Path to the target of a symbolic link. [9] | `/usr/bin/python3` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+
 **[1]:** This attribute might not be supported by some file systems — NFS, FAT32, in embedded OS, etc.
@@ -44,4 +50,11 @@ Describes file attributes.
 **[6]:** On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: C:\path\to\filename.extension:some_fork_name, and some_fork_name is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
-**[7]:** This attribute is only applicable to symbolic links.
+**[7]:** This information is inteded to be retrieved from the Mark of the Web (NTFS Zone.Identifer ADS Stream) Note that the URL might contain sensitive information.
+
+**[8]:** This information is inteded to be retrieved from the Mark of the Web (NTFS Zone.Identifer ADS Stream) Note that the URL might contain sensitive information.
+
+**[9]:** This attribute is only applicable to symbolic links.
+
+
+
diff --git a/model/file/registry.yaml b/model/file/registry.yaml
index 49049cdd6c..fecf314b2c 100644
--- a/model/file/registry.yaml
+++ b/model/file/registry.yaml
@@ -111,6 +111,22 @@ groups:
 The user ID (UID) or security identifier (SID) of the file owner.
 stability: experimental
 examples: ["1000"]
+ - id: file.origin_referrer_url
+ type: string
+ brief: >
+ The URL of the webpage that linked to the file.
+ note: >
+ This information is inteded to be retrieved from the Mark of the Web (NTFS Zone.Identifer ADS Stream) Note that the URL might contain sensitive information.
+ stability: experimental
+ examples: ['https://example.com']
+ - id: file.origin_url
+ type: string
+ brief: >
+ The URL where the file is hosted.
+ note: >
+ This information is inteded to be retrieved from the Mark of the Web (NTFS Zone.Identifer ADS Stream) Note that the URL might contain sensitive information.
+ stability: experimental
+ examples: ['https://example.com/file.zip']
 - id: file.owner.name
 type: string
 brief: >
From ec834e6f05b8bbc27a39bc8376f4702ff3fabe23 Mon Sep 17 00:00:00 2001
From: Asuka Nakajima
Date: Wed, 25 Sep 2024 08:06:20 +0000
Subject: [PATCH 02/12] add changelog

---
 .chloggen/file_originevents.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 .chloggen/file_originevents.yaml

diff --git a/.chloggen/file_originevents.yaml b/.chloggen/file_originevents.yaml
new file mode 100644
index 0000000000..5223b56eb2
--- /dev/null
+++ b/.chloggen/file_originevents.yaml
@@ -0,0 +1,22 @@
+# Use this changelog template to create an entry for release notes.
+#
+# If your change doesn't affect end users you should instead start
+# your pull request title with [chore] or use the "Skip Changelog" label.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the area of concern in the attributes-registry, (e.g. http, cloud, db)
+component: file
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: add file.origin_referrer_url and file.origin_url
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+# The values here must be integers.
+issues: [1430]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
From 160b7ee57d8b17d05604ffa7c28b0febb32f3d98 Mon Sep 17 00:00:00 2001
From: Asuka Nakajima
Date: Fri, 27 Sep 2024 08:03:38 +0000
Subject: [PATCH 03/12] reflect the feedback

---
 docs/attributes-registry/file.md | 8 ++++----
 model/file/registry.yaml | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/docs/attributes-registry/file.md b/docs/attributes-registry/file.md
index f2810ccbdd..28e2bc967c 100644
--- a/docs/attributes-registry/file.md
+++ b/docs/attributes-registry/file.md
@@ -28,8 +28,8 @@ Describes file attributes.
 | `file.mode` | string | Mode of the file in octal representation. | `0640` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
 | `file.modified` | string | Time when the file content was last modified, in ISO 8601 format. | `2021-01-01T12:00:00Z` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
 | `file.name` | string | Name of the file including the extension, without the directory. | `example.png` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.origin_referrer_url` | string | The URL of the webpage that linked to the file. [7] | `https://example.com` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.origin_url` | string | The URL where the file is hosted. [8] | `https://example.com/file.zip` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.origin_referrer_url` | string | The URL of the webpage that linked to the file. [7] | `http://example.com/article1.html` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.origin_url` | string | The URL where the file is hosted. [8] | `http://example.com/imgs/article1_img1.jpg` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
 | `file.owner.id` | string | The user ID (UID) or security identifier (SID) of the file owner. | `1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
 | `file.owner.name` | string | Username of the file owner. | `root` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
 | `file.path` | string | Full path to the file, including the file name. It should include the drive letter, when appropriate. | `/home/alice/example.png`; `C:\Program Files\MyApp\myapp.exe` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
@@ -50,9 +50,9 @@ Describes file attributes.
 **[6]:** On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: C:\path\to\filename.extension:some_fork_name, and some_fork_name is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
-**[7]:** This information is inteded to be retrieved from the Mark of the Web (NTFS Zone.Identifer ADS Stream) Note that the URL might contain sensitive information.
+**[7]:** This information comes from metadata or alternate data streams linked to the file. `file.origin_url` represents the URL from which the file was downloaded, and `file.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `file.origin_url` and `file.origin_referrer_url` exist, or only one of them is present.
-**[8]:** This information is inteded to be retrieved from the Mark of the Web (NTFS Zone.Identifer ADS Stream) Note that the URL might contain sensitive information.
+**[8]:** This information comes from metadata or alternate data streams linked to the file. `file.origin_url` represents the URL from which the file was downloaded, and `file.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `file.origin_url` and `file.origin_referrer_url` exist, or only one of them is present.
 **[9]:** This attribute is only applicable to symbolic links.
diff --git a/model/file/registry.yaml b/model/file/registry.yaml
index fecf314b2c..6eba5cfe77 100644
--- a/model/file/registry.yaml
+++ b/model/file/registry.yaml
@@ -116,17 +116,17 @@ groups:
 brief: >
 The URL of the webpage that linked to the file.
 note: >
- This information is inteded to be retrieved from the Mark of the Web (NTFS Zone.Identifer ADS Stream) Note that the URL might contain sensitive information.
+ This information comes from metadata or alternate data streams linked to the file. `file.origin_url` represents the URL from which the file was downloaded, and `file.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `file.origin_url` and `file.origin_referrer_url` exist, or only one of them is present.
 stability: experimental
- examples: ['https://example.com']
+ examples: ['http://example.com/article1.html']
 - id: file.origin_url
 type: string
 brief: >
 The URL where the file is hosted.
 note: >
- This information is inteded to be retrieved from the Mark of the Web (NTFS Zone.Identifer ADS Stream) Note that the URL might contain sensitive information.
+ This information comes from metadata or alternate data streams linked to the file. `file.origin_url` represents the URL from which the file was downloaded, and `file.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `file.origin_url` and `file.origin_referrer_url` exist, or only one of them is present.
 stability: experimental
- examples: ['https://example.com/file.zip']
+ examples: ['http://example.com/imgs/article1_img1.jpg']
 - id: file.owner.name
 type: string
 brief: >
From 37c9710f956bf263b920c09db7adb515545914f3 Mon Sep 17 00:00:00 2001
From: Asuka Nakajima
Date: Fri, 27 Sep 2024 08:12:01 +0000
Subject: [PATCH 04/12] reflect the feedback

---
 docs/attributes-registry/file.md | 4 ++--
 model/file/registry.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/attributes-registry/file.md b/docs/attributes-registry/file.md
index 28e2bc967c..6b32f9e8fe 100644
--- a/docs/attributes-registry/file.md
+++ b/docs/attributes-registry/file.md
@@ -50,9 +50,9 @@ Describes file attributes.
 **[6]:** On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: C:\path\to\filename.extension:some_fork_name, and some_fork_name is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
-**[7]:** This information comes from metadata or alternate data streams linked to the file. `file.origin_url` represents the URL from which the file was downloaded, and `file.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `file.origin_url` and `file.origin_referrer_url` exist, or only one of them is present.
+**[7]:** This information comes from metadata or alternate data streams linked to the file. `file.origin_url` represents the URL from which the file was downloaded, and `file.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `file.origin_url` and `file.origin_referrer_url` exist, or only one of them is present. Note that the URL itself may contain sensitive information.
-**[8]:** This information comes from metadata or alternate data streams linked to the file. `file.origin_url` represents the URL from which the file was downloaded, and `file.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `file.origin_url` and `file.origin_referrer_url` exist, or only one of them is present.
+**[8]:** This information comes from metadata or alternate data streams linked to the file. `file.origin_url` represents the URL from which the file was downloaded, and `file.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `file.origin_url` and `file.origin_referrer_url` exist, or only one of them is present. Note that the URL itself may contain sensitive information.
 **[9]:** This attribute is only applicable to symbolic links.
diff --git a/model/file/registry.yaml b/model/file/registry.yaml
index 6eba5cfe77..4a917dab55 100644
--- a/model/file/registry.yaml
+++ b/model/file/registry.yaml
@@ -116,7 +116,7 @@ groups:
 brief: >
 The URL of the webpage that linked to the file.
 note: >
- This information comes from metadata or alternate data streams linked to the file. `file.origin_url` represents the URL from which the file was downloaded, and `file.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `file.origin_url` and `file.origin_referrer_url` exist, or only one of them is present.
+ This information comes from metadata or alternate data streams linked to the file. `file.origin_url` represents the URL from which the file was downloaded, and `file.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `file.origin_url` and `file.origin_referrer_url` exist, or only one of them is present. Note that the URL itself may contain sensitive information.
 stability: experimental
 examples: ['http://example.com/article1.html']
 - id: file.origin_url
@@ -124,7 +124,7 @@ groups:
 brief: >
 The URL where the file is hosted.
 note: >
- This information comes from metadata or alternate data streams linked to the file. `file.origin_url` represents the URL from which the file was downloaded, and `file.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `file.origin_url` and `file.origin_referrer_url` exist, or only one of them is present.
+ This information comes from metadata or alternate data streams linked to the file. `file.origin_url` represents the URL from which the file was downloaded, and `file.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `file.origin_url` and `file.origin_referrer_url` exist, or only one of them is present. Note that the URL itself may contain sensitive information.
 stability: experimental
 examples: ['http://example.com/imgs/article1_img1.jpg']
 - id: file.owner.name
From 4a2fed9910cde10b2a34e5a36bbac23296c6df70 Mon Sep 17 00:00:00 2001
From: Asuka Nakajima
Date: Fri, 27 Sep 2024 11:19:04 +0000
Subject: [PATCH 05/12] format fix

---
 docs/attributes-registry/file.md | 53 ++++++++++++++------------------
 model/file/registry.yaml | 20 ++++++++----
 2 files changed, 37 insertions(+), 36 deletions(-)

diff --git a/docs/attributes-registry/file.md b/docs/attributes-registry/file.md
index 6b32f9e8fe..b0b4a19b65 100644
--- a/docs/attributes-registry/file.md
+++ b/docs/attributes-registry/file.md
@@ -1,7 +1,3 @@
-
-
-
-
@@ -9,33 +5,33 @@
 # File
+
 ## File Attributes
 Describes file attributes.
-| Attribute | Type | Description | Examples | Stability |
-|---|---|---|---|---|
-| `file.accessed` | string | Time when the file was last accessed, in ISO 8601 format. [1] | `2021-01-01T12:00:00Z` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.attributes` | string[] | Array of file attributes. [2] | `["readonly", "hidden"]` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.changed` | string | Time when the file attributes or metadata was last changed, in ISO 8601 format. [3] | `2021-01-01T12:00:00Z` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.created` | string | Time when the file was created, in ISO 8601 format. [4] | `2021-01-01T12:00:00Z` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.directory` | string | Directory where the file is located. It should include the drive letter, when appropriate. | `/home/user`; `C:\Program Files\MyApp` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.extension` | string | File extension, excluding the leading dot. [5] | `png`; `gz` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.fork_name` | string | Name of the fork. A fork is additional data associated with a filesystem object. [6] | `Zone.Identifer` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.group.id` | string | Primary Group ID (GID) of the file. | `1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.group.name` | string | Primary group name of the file. | `users` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.inode` | string | Inode representing the file in the filesystem. | `256383` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.mode` | string | Mode of the file in octal representation. | `0640` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.modified` | string | Time when the file content was last modified, in ISO 8601 format. | `2021-01-01T12:00:00Z` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.name` | string | Name of the file including the extension, without the directory. | `example.png` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.origin_referrer_url` | string | The URL of the webpage that linked to the file. [7] | `http://example.com/article1.html` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.origin_url` | string | The URL where the file is hosted. [8] | `http://example.com/imgs/article1_img1.jpg` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.owner.id` | string | The user ID (UID) or security identifier (SID) of the file owner. | `1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.owner.name` | string | Username of the file owner. | `root` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.path` | string | Full path to the file, including the file name. It should include the drive letter, when appropriate. | `/home/alice/example.png`; `C:\Program Files\MyApp\myapp.exe` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.size` | int | File size in bytes. | | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| `file.symbolic_link.target_path` | string | Path to the target of a symbolic link. [9] | `/usr/bin/python3` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-
+| Attribute | Type | Description | Examples | Stability |
+| -------------------------------- | -------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ---------------------------------------------------------------- |
+| `file.accessed` | string | Time when the file was last accessed, in ISO 8601 format. [1] | `2021-01-01T12:00:00Z` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.attributes` | string[] | Array of file attributes. [2] | `["readonly", "hidden"]` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.changed` | string | Time when the file attributes or metadata was last changed, in ISO 8601 format. [3] | `2021-01-01T12:00:00Z` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.created` | string | Time when the file was created, in ISO 8601 format. [4] | `2021-01-01T12:00:00Z` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.directory` | string | Directory where the file is located. It should include the drive letter, when appropriate. | `/home/user`; `C:\Program Files\MyApp` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.extension` | string | File extension, excluding the leading dot. [5] | `png`; `gz` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.fork_name` | string | Name of the fork. A fork is additional data associated with a filesystem object. [6] | `Zone.Identifer` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.group.id` | string | Primary Group ID (GID) of the file. | `1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.group.name` | string | Primary group name of the file. | `users` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.inode` | string | Inode representing the file in the filesystem. | `256383` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.mode` | string | Mode of the file in octal representation. | `0640` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.modified` | string | Time when the file content was last modified, in ISO 8601 format. | `2021-01-01T12:00:00Z` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.name` | string | Name of the file including the extension, without the directory. | `example.png` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.origin_referrer_url` | string | The URL of the webpage that linked to the file. [7] | `http://example.com/article1.html` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.origin_url` | string | The URL where the file is hosted. [8] | `http://example.com/imgs/article1_img1.jpg` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.owner.id` | string | The user ID (UID) or security identifier (SID) of the file owner. | `1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.owner.name` | string | Username of the file owner. | `root` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.path` | string | Full path to the file, including the file name. It should include the drive letter, when appropriate. | `/home/alice/example.png`; `C:\Program Files\MyApp\myapp.exe` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.size` | int | File size in bytes. | | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `file.symbolic_link.target_path` | string | Path to the target of a symbolic link. [9] | `/usr/bin/python3` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
 **[1]:** This attribute might not be supported by some file systems — NFS, FAT32, in embedded OS, etc.
@@ -55,6 +51,3 @@ On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default da
 **[8]:** This information comes from metadata or alternate data streams linked to the file. `file.origin_url` represents the URL from which the file was downloaded, and `file.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `file.origin_url` and `file.origin_referrer_url` exist, or only one of them is present. Note that the URL itself may contain sensitive information.
 **[9]:** This attribute is only applicable to symbolic links.
-
-
-
diff --git a/model/file/registry.yaml b/model/file/registry.yaml
index 4a917dab55..be9154f6c4 100644
--- a/model/file/registry.yaml
+++ b/model/file/registry.yaml
@@ -115,18 +115,26 @@ groups: type: string brief: > The URL of the webpage that linked to the file. - note: > - This information comes from metadata or alternate data streams linked to the file. `file.origin_url` represents the URL from which the file was downloaded, and `file.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `file.origin_url` and `file.origin_referrer_url` exist, or only one of them is present. Note that the URL itself may contain sensitive information. + note: > + This information comes from metadata or alternate data streams linked to the file. + `file.origin_url` represents the URL from which the file was downloaded, and `file.origin_referrer_url` + indicates the URL of the page where that URL was listed. There may be cases where both `file.origin_url` + and `file.origin_referrer_url` exist, or only one of them is present. Note that the URL itself may contain + sensitive information. stability: experimental - examples: ['http://example.com/article1.html'] + examples: ['http://example.com/article1.html'] - id: file.origin_url type: string brief: > The URL where the file is hosted. - note: > - This information comes from metadata or alternate data streams linked to the file. `file.origin_url` represents the URL from which the file was downloaded, and `file.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `file.origin_url` and `file.origin_referrer_url` exist, or only one of them is present. Note that the URL itself may contain sensitive information. + note: > + This information comes from metadata or alternate data streams linked to the file. + `file.origin_url` represents the URL from which the file was downloaded, and `file.origin_referrer_url` + indicates the URL of the page where that URL was listed. There may be cases where both `file.origin_url` + and `file.origin_referrer_url` exist, or only one of them is present. 
Note that the URL itself may contain + sensitive information. stability: experimental - examples: ['http://example.com/imgs/article1_img1.jpg'] + examples: ['http://example.com/imgs/article1_img1.jpg'] - id: file.owner.name type: string brief: > From e8256e6c0943182110e234a12da0a8bbe97e50ce Mon Sep 17 00:00:00 2001 From: Asuka Nakajima Date: Thu, 10 Oct 2024 08:18:40 +0000 Subject: [PATCH 06/12] add file.zone_identifier --- .chloggen/file_originevents.yaml | 2 +- docs/attributes-registry/file.md | 1 + model/file/registry.yaml | 6 ++++++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.chloggen/file_originevents.yaml b/.chloggen/file_originevents.yaml index 5223b56eb2..2bd096ef4d 100644 --- a/.chloggen/file_originevents.yaml +++ b/.chloggen/file_originevents.yaml @@ -10,7 +10,7 @@ change_type: enhancement component: file # A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). -note: add file.origin_referrer_url and file.origin_url +note: add file.origin_referrer_url, file.origin_url, and file.zone_identifier # Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. # The values here must be integers. diff --git a/docs/attributes-registry/file.md b/docs/attributes-registry/file.md index b0b4a19b65..00f3501686 100644 --- a/docs/attributes-registry/file.md +++ b/docs/attributes-registry/file.md 
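Review bot: The reflowed `note:` for `file.origin_referrer_url` and `file.origin_url` ends with "the URL itself may contain sensitive information" but gives no expectation of what an instrumentation should do with that, and the identical paragraph is repeated verbatim under both attributes. These values are read from file metadata (e.g. an alternate data stream) rather than chosen by the instrumentation, so they can carry userinfo, session tokens or other query-string secrets exactly as recorded at download time; the registry's `url.full` note already covers credential redaction, so I'd reference it and make the expectation explicit, e.g. `Instrumentations SHOULD apply the same redaction rules as for \`url.full\` (strip userinfo; consider redacting query parameters).` The referrer entry could then keep a one-line note specific to it ("the page on which `file.origin_url` was listed") instead of repeating the full paragraph. The `examples:` lines appear unchanged apart from whitespace, which is presumably a trailing-space fix.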
@@ -32,6 +32,7 @@ Describes file attributes. | `file.path` | string | Full path to the file, including the file name. It should include the drive letter, when appropriate. | `/home/alice/example.png`; `C:\Program Files\MyApp\myapp.exe` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `file.size` | int | File size in bytes. | | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `file.symbolic_link.target_path` | string | Path to the target of a symbolic link. [9] | `/usr/bin/python3` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `file.zone_identifier` | int | Windows Zone Identifier for a file. | `3` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | **[1]:** This attribute might not be supported by some file systems — NFS, FAT32, in embedded OS, etc. diff --git a/model/file/registry.yaml b/model/file/registry.yaml index be9154f6c4..a9f30902ee 100644 --- a/model/file/registry.yaml +++ b/model/file/registry.yaml @@ -160,3 +160,9 @@ groups: This attribute is only applicable to symbolic links. stability: experimental examples: ['/usr/bin/python3'] + - id: file.zone_identifier + type: int + brief: > + Windows Zone Identifier for a file. + stability: experimental + examples: 3 From d82f261562c6e4046abb03d5d2a15952ee637d50 Mon Sep 17 00:00:00 2001 From: Asuka Nakajima Date: Wed, 30 Oct 2024 05:29:08 +0000 Subject: [PATCH 07/12] add note of zoneID --- docs/attributes-registry/file.md | 4 +++- model/file/registry.yaml | 11 ++++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/docs/attributes-registry/file.md b/docs/attributes-registry/file.md index 05cdee677c..74bdb67232 100644 --- a/docs/attributes-registry/file.md +++ b/docs/attributes-registry/file.md 
@@ -32,7 +32,7 @@ Describes file attributes. | `file.path` | string | Full path to the file, including the file name. It should include the drive letter, when appropriate. | `/home/alice/example.png`; `C:\Program Files\MyApp\myapp.exe` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `file.size` | int | File size in bytes. | | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `file.symbolic_link.target_path` | string | Path to the target of a symbolic link. [9] | `/usr/bin/python3` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `file.zone_identifier` | int | Windows Zone Identifier for a file. | `3` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `file.zone_identifier` | int | Windows Zone Identifier for the file. [10] | `3` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | **[1]:** This attribute might not be supported by some file systems — NFS, FAT32, in embedded OS, etc. @@ -52,3 +52,5 @@ On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default da **[8]:** This information comes from metadata or alternate data streams linked to the file. `file.origin_url` represents the URL from which the file was downloaded, and `file.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `file.origin_url` and `file.origin_referrer_url` exist, or only one of them is present. Note that the URL itself may contain sensitive information. **[9]:** This attribute is only applicable to symbolic links. + +**[10]:** Zone Identifier (ZoneID) is a numerical identifier that shows where (what "Zone") a file came from, helping to decide if it's safe to open. The commonly used predefined Zones in Windows and their IDs are as follows: Zone 0: Local Machine Zone Zone 1: Local Intranet Zone Zone 2: Trusted Sites Zone Zone 3: Intranet Zone Zone 4: Restricted Site Zone 
diff --git a/model/file/registry.yaml b/model/file/registry.yaml index 5416758feb..1168214875 100644 --- a/model/file/registry.yaml +++ b/model/file/registry.yaml @@ -164,6 +164,15 @@ groups: - id: file.zone_identifier type: int brief: > - Windows Zone Identifier for a file. + Windows Zone Identifier for the file. + note: > + Zone Identifier (ZoneID) is a numerical identifier that shows where + (what "Zone") a file came from, helping to decide if it's safe to open. + The commonly used predefined Zones in Windows and their IDs are as follows: + Zone 0: Local Machine Zone + Zone 1: Local Intranet Zone + Zone 2: Trusted Sites Zone + Zone 3: Intranet Zone + Zone 4: Restricted Site Zone stability: experimental examples: 3 From ed796cc1def7672425d177491380c4863ebf3318 Mon Sep 17 00:00:00 2001 From: Asuka Nakajima Date: Thu, 31 Oct 2024 14:10:57 +0000 Subject: [PATCH 08/12] fixed the typo --- docs/attributes-registry/file.md | 2 +- model/file/registry.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/attributes-registry/file.md b/docs/attributes-registry/file.md index 74bdb67232..afcee18317 100644 --- a/docs/attributes-registry/file.md +++ b/docs/attributes-registry/file.md 
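Review bot: The new `note:` for `file.zone_identifier` is a folded scalar (`>`), so the five `Zone N:` lines are joined into one run-on sentence — the regenerated `file.md` in the same commit shows exactly that ("...as follows: Zone 0: Local Machine Zone Zone 1: Local Intranet Zone ..."). Either switch to a literal block (`note: |`) or indent the zone lines further so the folded scalar keeps their breaks, and write them as a Markdown list (`- 0: Local Machine Zone`). Since the values are a closed set this reads like an enum: the registry supports int-valued `members` (as used for `rpc.grpc.status_code`), which would give each zone an id and brief instead of prose. From a detection standpoint "helping to decide if it's safe to open" overstates it — the zone is advisory metadata that can be absent or stripped, so the note should say that a missing value must not be read as "local machine".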
@@ -53,4 +53,4 @@ On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default da **[9]:** This attribute is only applicable to symbolic links. -**[10]:** Zone Identifier (ZoneID) is a numerical identifier that shows where (what "Zone") a file came from, helping to decide if it's safe to open. The commonly used predefined Zones in Windows and their IDs are as follows: Zone 0: Local Machine Zone Zone 1: Local Intranet Zone Zone 2: Trusted Sites Zone Zone 3: Intranet Zone Zone 4: Restricted Site Zone +**[10]:** Zone Identifier (ZoneID) is a numerical identifier that shows where (what "Zone") a file came from, helping to decide if it's safe to open. The commonly used predefined Zones in Windows and their IDs are as follows: Zone 0: Local Machine Zone Zone 1: Local Intranet Zone Zone 2: Trusted Sites Zone Zone 3: Internet Zone Zone 4: Restricted Site Zone diff --git a/model/file/registry.yaml b/model/file/registry.yaml index 1168214875..3efdc92cc6 100644 --- a/model/file/registry.yaml +++ b/model/file/registry.yaml @@ -172,7 +172,7 @@ groups: Zone 0: Local Machine Zone Zone 1: Local Intranet Zone Zone 2: Trusted Sites Zone - Zone 3: Intranet Zone + Zone 3: Internet Zone Zone 4: Restricted Site Zone stability: experimental examples: 3 From 92ceab6c8942da6d14b651be5d3729d69f8c6427 Mon Sep 17 00:00:00 2001 From: Asuka Nakajima Date: Fri, 29 Nov 2024 09:10:11 +0000 Subject: [PATCH 09/12] add file.open event --- model/file/events.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 model/file/events.yaml diff --git a/model/file/events.yaml b/model/file/events.yaml new file mode 100644 index 0000000000..2a89d8633b --- /dev/null +++ b/model/file/events.yaml 
@@ -0,0 +1,32 @@ +groups: + - id: event.file.open + stability: experimental + type: event + name: file.open + brief: > + A file is defined as a set of information that has been created on, + or has existed on a filesystem. + A file open event represents the action of a process accessing a file + on the filesystem. It includes details such as the file's name, + path, directory, size, extension, and metadata, including + file access time, file origin information and more. It addition, + it also includes information about the process that accessed the file. + attributes: + - ref: file.name + - ref: file.path + - ref: file.directory + - ref: file.size + - ref: file.extension + - ref: file.accessed + - ref: file.created + - ref: file.owner.name + - ref: file.owner.id + - ref: file.origin_referrer_url + - ref: file.origin_url + - ref: file.zone_identifier + - ref: process.pid + brief: Process id of the process that accessed the file. + - ref: process.user.name + brief: Process name of the process that accessed the file. + - ref: process.executable.name + brief: Executable file name of the process that accessed the file. From 8eb5600ef41b7faf285a55ab806197ddfa527732 Mon Sep 17 00:00:00 2001 From: Asuka Nakajima Date: Fri, 29 Nov 2024 09:19:14 +0000 Subject: [PATCH 10/12] adjust the changelog --- .chloggen/file_originevents.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.chloggen/file_originevents.yaml b/.chloggen/file_originevents.yaml index 2bd096ef4d..ba2b8b8678 100644 --- a/.chloggen/file_originevents.yaml +++ b/.chloggen/file_originevents.yaml 
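Review bot: The brief override on `- ref: process.user.name` reads `Process name of the process that accessed the file.`, but that attribute is the account the process runs as, so it should be something like `brief: User name of the user that the process accessing the file runs as.`; the executable name is already covered by the `process.executable.name` ref below it. The group brief also has the typo "It addition" (→ "In addition"). The event carries `file.path`, `file.origin_url` and `file.origin_referrer_url`, which the registry notes as potentially sensitive, so one sentence in the brief pointing implementers to those attributes' redaction notes would help. Finally, nothing in the event records whether the open succeeded or was denied, which limits its use for access auditing; if that is intentional say so in the brief, otherwise consider a `- ref: error.type` for failed opens.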
@@ -10,7 +10,8 @@ change_type: enhancement component: file # A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). -note: add file.origin_referrer_url, file.origin_url, and file.zone_identifier +note: This adds file.origin_referrer_url, file.origin_url, and file.zone_identifier attributes. + In addition, it also adds file.open event under event.yaml # Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. # The values here must be integers. From bb17dcdf67d00de5d62648f7c081791b67e44a7c Mon Sep 17 00:00:00 2001 From: Asuka Nakajima Date: Thu, 5 Dec 2024 05:03:02 +0000 Subject: [PATCH 11/12] removed zone_identifier --- .chloggen/file_originevents.yaml | 2 +- docs/attributes-registry/file.md | 3 --- model/file/events.yaml | 1 - model/file/registry.yaml | 15 --------------- 4 files changed, 1 insertion(+), 20 deletions(-) diff --git a/.chloggen/file_originevents.yaml b/.chloggen/file_originevents.yaml index ba2b8b8678..5a8fd983c5 100644 --- a/.chloggen/file_originevents.yaml +++ b/.chloggen/file_originevents.yaml @@ -10,7 +10,7 @@ change_type: enhancement component: file # A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). -note: This adds file.origin_referrer_url, file.origin_url, and file.zone_identifier attributes. +note: This file.origin_referrer_url, file.origin_url attributes. In addition, it also adds file.open event under event.yaml # Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. diff --git a/docs/attributes-registry/file.md b/docs/attributes-registry/file.md index e06216a41f..353cbf4a32 100644 --- a/docs/attributes-registry/file.md +++ b/docs/attributes-registry/file.md 
@@ -32,7 +32,6 @@ Describes file attributes. | `file.path` | string | Full path to the file, including the file name. It should include the drive letter, when appropriate. | `/home/alice/example.png`; `C:\Program Files\MyApp\myapp.exe` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `file.size` | int | File size in bytes. | | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `file.symbolic_link.target_path` | string | Path to the target of a symbolic link. [9] | `/usr/bin/python3` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `file.zone_identifier` | int | Windows Zone Identifier for the file. [10] | `3` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | **[1] `file.accessed`:** This attribute might not be supported by some file systems — NFS, FAT32, in embedded OS, etc. @@ -52,5 +51,3 @@ On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default da **[8] `file.origin_url`:** This information comes from metadata or alternate data streams linked to the file. `file.origin_url` represents the URL from which the file was downloaded, and `file.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `file.origin_url` and `file.origin_referrer_url` exist, or only one of them is present. Note that the URL itself may contain sensitive information. **[9] `file.symbolic_link.target_path`:** This attribute is only applicable to symbolic links. - -**[10] `file.zone_identifier`:** Zone Identifier (ZoneID) is a numerical identifier that shows where (what "Zone") a file came from, helping to decide if it's safe to open. The commonly used predefined Zones in Windows and their IDs are as follows: Zone 0: Local Machine Zone Zone 1: Local Intranet Zone Zone 2: Trusted Sites Zone Zone 3: Internet Zone Zone 4: Restricted Site Zone diff --git a/model/file/events.yaml b/model/file/events.yaml index 2a89d8633b..ba8b93aa75 100644 
--- a/model/file/events.yaml +++ b/model/file/events.yaml @@ -23,7 +23,6 @@ groups: - ref: file.owner.id - ref: file.origin_referrer_url - ref: file.origin_url - - ref: file.zone_identifier - ref: process.pid brief: Process id of the process that accessed the file. - ref: process.user.name diff --git a/model/file/registry.yaml b/model/file/registry.yaml index 3efdc92cc6..b9054790a0 100644 --- a/model/file/registry.yaml +++ b/model/file/registry.yaml @@ -161,18 +161,3 @@ groups: This attribute is only applicable to symbolic links. stability: experimental examples: ['/usr/bin/python3'] - - id: file.zone_identifier - type: int - brief: > - Windows Zone Identifier for the file. - note: > - Zone Identifier (ZoneID) is a numerical identifier that shows where - (what "Zone") a file came from, helping to decide if it's safe to open. - The commonly used predefined Zones in Windows and their IDs are as follows: - Zone 0: Local Machine Zone - Zone 1: Local Intranet Zone - Zone 2: Trusted Sites Zone - Zone 3: Internet Zone - Zone 4: Restricted Site Zone - stability: experimental - examples: 3 From e3fbf829b5653a6388aae1985de5fb84431b6196 Mon Sep 17 00:00:00 2001 From: Asuka Nakajima Date: Thu, 5 Dec 2024 14:37:51 +0900 Subject: [PATCH 12/12] Update file_originevents.yaml --- .chloggen/file_originevents.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.chloggen/file_originevents.yaml b/.chloggen/file_originevents.yaml index 5a8fd983c5..cdb4897f01 100644 --- a/.chloggen/file_originevents.yaml +++ b/.chloggen/file_originevents.yaml 
@@ -10,7 +10,7 @@ change_type: enhancement component: file # A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). -note: This file.origin_referrer_url, file.origin_url attributes. +note: This adds file.origin_referrer_url and file.origin_url attributes. In addition, it also adds file.open event under event.yaml # Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.