6006 - File Hosting Activity¶
CIM Data Models: Data_Access
OCSF Version: 1.1.0¶
| CIM Field | Mapping |
|---|---|
| action | case(activity_id==0, "unknown", activity_id==1, "upload", activity_id==2, "download", activity_id==3, "update", activity_id==4, "delete", activity_id==5, "rename", activity_id==6, "copy", activity_id==7, "move", activity_id==8, "restore", activity_id==9, "preview", activity_id==10, "lock", activity_id==11, "unlock", activity_id==12, "share", activity_id==13, "unshare", activity_id==14, "open", activity_id==15, "sync", activity_id==16, "unsync", true(), "other") |
| app | coalesce('metadata.product.name' , 'metadata.product.vendor_name') |
coalesce('actor.user.email_addr', 'actor.process.user.email_addr') |
|
| object | file.name |
| object_id | file.uid |
| object_path | file.path |
| object_size | file.size |
| object_attrs | file.attributes |
| owner | coalesce('file.owner.name', 'file.owner.uid') |
| owner_id | file.owner.uid |
| owner_email | file.owner.email_addr |
| object_category | case('file.type_id'==0, "unknown", 'file.type_id'==1, "file", 'file.type_id'==2, "folder", 'file.type_id'==3, "character device", 'file.type_id'==4, "block device", 'file.type_id'==5, "local socket", 'file.type_id'==6, "named pipe", 'file.type_id'==7, "symbolic link", true(), "other") |
| src | coalesce('src_endpoint.name', 'src_endpoint.uid', 'src_endpoint.hostname', 'src_endpoint.ip') |
| user | coalesce('actor.user.name' , 'actor.user.uid') |
| user_email | coalesce('actor.user.email_addr', 'actor.process.user.email_addr') |
| user_type | coalesce('actor.user.type' , 'actor.user.type_id') |
| vendor_product | coalesce('metadata.product.name' , 'metadata.product.vendor_name') |
| signature | type_name |
| signature_id | type_uid |
OCSF Version: 1.2.0¶
| CIM Field | Mapping |
|---|---|
| action | case(activity_id==0, "unknown", activity_id==1, "upload", activity_id==2, "download", activity_id==3, "update", activity_id==4, "delete", activity_id==5, "rename", activity_id==6, "copy", activity_id==7, "move", activity_id==8, "restore", activity_id==9, "preview", activity_id==10, "lock", activity_id==11, "unlock", activity_id==12, "share", activity_id==13, "unshare", activity_id==14, "open", activity_id==15, "sync", activity_id==16, "unsync", true(), "other") |
| app | coalesce('metadata.product.name' , 'metadata.product.vendor_name') |
coalesce('actor.user.email_addr', 'actor.process.user.email_addr') |
|
| object | file.name |
| object_id | file.uid |
| object_path | file.path |
| object_size | file.size |
| object_attrs | file.attributes |
| owner | coalesce('file.owner.name', 'file.owner.uid') |
| owner_id | file.owner.uid |
| owner_email | file.owner.email_addr |
| object_category | case('file.type_id'==0, "unknown", 'file.type_id'==1, "file", 'file.type_id'==2, "folder", 'file.type_id'==3, "character device", 'file.type_id'==4, "block device", 'file.type_id'==5, "local socket", 'file.type_id'==6, "named pipe", 'file.type_id'==7, "symbolic link", true(), "other") |
| src | coalesce('src_endpoint.name', 'src_endpoint.uid', 'src_endpoint.hostname', 'src_endpoint.ip') |
| user | coalesce('actor.user.name' , 'actor.user.uid') |
| user_email | coalesce('actor.user.email_addr', 'actor.process.user.email_addr') |
| user_type | coalesce('actor.user.type' , 'actor.user.type_id') |
| vendor_product | coalesce('metadata.product.name' , 'metadata.product.vendor_name') |
| signature | type_name |
| signature_id | type_uid |