Add 'internal_name' attribute to 'file' object. (#1322)
#### Description of changes:

This PR adds an `internal_name` to the dictionary and to the `file`
object. This attribute is intended to capture the name of the file as
identified within the file itself. This contrasts with the name by which
the file is known on disk.

Where available, the internal name is widely used by security
practitioners and detection content because the on-disk file name is not
reliable.

On the Windows OS, most PE files contain a `VERSIONINFO`
resource from which the internal name can be obtained.

On macOS, binaries can optionally embed a copy of the application's
Info.plist file which in turn contains the name of the executable
(#NotAMacGuy).

---------

Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com>
davemcatcisco and floydtree authored Jan 22, 2025
1 parent d4bb784 commit 4d883c9
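The PE side of the commit message above, pulling `InternalName` out of a `VERSIONINFO` resource and checking it against the on-disk name, as an added example that is not part of this commit or of the OCSF project. It parses the raw `RT_VERSION` resource data (the `VS_VERSIONINFO` block tree), which you would first extract from a PE's resource directory with a PE library; the blob used here is constructed inside the script, modelled on `cmd.exe`'s version strings, and is not bytes from any real file. All function names are my own.

```python
"""Parse a PE VERSIONINFO (RT_VERSION) blob and compare InternalName with the on-disk name."""
import ntpath
import struct

FIXEDFILEINFO_SIGNATURE = 0xFEEF04BD


def _align4(n: int) -> int:
    return (n + 3) & ~3


def _read_utf16z(buf: bytes, off: int):
    """Return (decoded string, offset just past the UTF-16LE NUL terminator)."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", "replace"), end + 2


def parse_block(buf: bytes, off: int = 0) -> dict:
    """Parse one {wLength, wValueLength, wType, szKey, Value, Children} block.

    VS_VERSIONINFO, StringFileInfo, StringTable, String, VarFileInfo and Var all
    share this layout, so one recursive routine walks the whole tree.
    """
    if off + 6 > len(buf):
        raise ValueError("truncated block header")
    length, value_len, kind = struct.unpack_from("<HHH", buf, off)
    if length < 6 or off + length > len(buf):
        raise ValueError("bad wLength at offset %d" % off)
    end = off + length
    key, pos = _read_utf16z(buf, off + 6)
    pos = _align4(pos)
    # wValueLength counts WORDs for text values (wType == 1) but bytes for binary ones.
    value_bytes = value_len * 2 if kind == 1 else value_len
    value = buf[pos:min(pos + value_bytes, end)]
    pos = _align4(pos + value_bytes)
    children = []
    while pos + 6 <= end:
        child = parse_block(buf, pos)
        children.append(child)
        pos = _align4(pos + child["length"])
    return {"key": key, "type": kind, "value": value, "children": children, "length": length}


def version_strings(blob: bytes) -> dict:
    """Return {lang_codepage: {key: value}} for every StringTable under StringFileInfo."""
    root = parse_block(blob, 0)
    if root["key"] != "VS_VERSION_INFO":
        raise ValueError("not a VS_VERSIONINFO block")
    tables = {}
    for sfi in root["children"]:
        if sfi["key"] != "StringFileInfo":
            continue
        for table in sfi["children"]:
            entries = {}
            for s in table["children"]:
                # Text values are NUL-terminated UTF-16LE; some producers mis-count
                # wValueLength, so cut at the first NUL instead of trusting the count.
                entries[s["key"]] = s["value"].decode("utf-16-le", "replace").split("\x00", 1)[0]
            tables[table["key"]] = entries
    return tables


def internal_name(blob: bytes):
    """First InternalName found in any language table, or None if absent."""
    for entries in version_strings(blob).values():
        if entries.get("InternalName"):
            return entries["InternalName"]
    return None


def names_disagree(on_disk: str, internal) -> bool:
    """True when the on-disk base name and InternalName differ, ignoring case and extension.

    InternalName usually omits the extension ("cmd" for cmd.exe) and its case is arbitrary,
    so a raw string compare against the on-disk name would produce false mismatches.
    """
    if not internal:
        return False  # nothing to compare; absence is a separate signal, not a mismatch
    norm = lambda n: ntpath.splitext(ntpath.basename(n))[0].lower()
    return norm(on_disk) != norm(internal)


def build_block(key: str, value: bytes = b"", kind: int = 1, children=()) -> bytes:
    """Serialize a block in the on-disk layout; used here only to construct sample input."""
    body = key.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * (_align4(6 + len(body)) - (6 + len(body)))
    body += value
    body += b"\x00" * (_align4(6 + len(body)) - (6 + len(body)))
    for child in children:
        body += child + b"\x00" * (_align4(len(child)) - len(child))
    value_len = len(value) // 2 if kind == 1 else len(value)
    return struct.pack("<HHH", 6 + len(body), value_len, kind) + body


def sample_versioninfo() -> bytes:
    """Constructed sample modelled on cmd.exe's version strings (not bytes from a real file)."""
    fixed = struct.pack("<13I", FIXEDFILEINFO_SIGNATURE, 0x00010000,
                        0x000A0000, 0x4A610000, 0x000A0000, 0x4A610000,  # file/product 10.0.19041.0
                        0x3F, 0, 0x40004, 1, 0, 0, 0)                    # VOS_NT_WINDOWS32, VFT_APP
    strings = [("CompanyName", "Microsoft Corporation"),
               ("FileDescription", "Windows Command Processor"),
               ("InternalName", "cmd"),
               ("OriginalFilename", "Cmd.Exe"),
               ("ProductName", "Microsoft Windows Operating System")]
    table = build_block("040904B0", children=[
        build_block(k, v.encode("utf-16-le") + b"\x00\x00") for k, v in strings])
    sfi = build_block("StringFileInfo", children=[table])
    var = build_block("VarFileInfo", children=[
        build_block("Translation", struct.pack("<HH", 0x0409, 0x04B0), kind=0)])
    return build_block("VS_VERSION_INFO", fixed, kind=0, children=[sfi, var])


if __name__ == "__main__":
    blob = sample_versioninfo()
    name = internal_name(blob)
    for on_disk in (r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\svchost.exe"):
        verdict = "MISMATCH" if names_disagree(on_disk, name) else "ok"
        print(f"{on_disk}: InternalName={name!r} -> {verdict}")
```

The parser is deliberately tolerant: it trusts `wLength` for walking siblings but re-aligns after every block and cuts text values at the first NUL, because renamed or repacked binaries are exactly the ones whose version resources are slightly malformed. The comparison strips extension and case on both sides; comparing against `OriginalFilename` instead (which normally keeps the extension) is a reasonable alternative when `InternalName` is empty.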
Showing 3 changed files with 11 additions and 0 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
@@ -83,6 +83,7 @@ Thankyou! -->
1. Added `event_uid` as a `string_t`. #1312
1. Added `debug` attribute as a `string_t` array, used in the `metadata` object. #1308
1. Added `ancestry` as a list of `process_entity`. #1317
1. Added `internal_name` as a `string_t`. #1322

* #### Objects
1. Added `environment_variable` object. #1172, #1288
@@ -182,6 +183,7 @@ Thankyou! -->
1. Added optional `url` attribute to the `file` object. This was allows capturing a file's URL in the File Hosting Activity (6006) event class. #1289
1. Changed the `process` object to extend the `process_entity` object. #1317
1. Added `ancestry` to the `process` object. #1317
1. Added `internal_name` to the `file` object. #1322

### Bugfixes
1. Added sibling definition to `confidence_id` in dictionary, accurately associating `confidence` as its sibling. #1180
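Review bot: the new objects entry `Added internal_name to the file object. #1322` is consistent with the attribute entry earlier in the changelog, so nothing to change in this hunk itself; while here, the unchanged context line `This was allows capturing a file's URL` two lines above has a typo (`was allows`) that could be cleaned up in a follow-up.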
5 changes: 5 additions & 0 deletions dictionary.json
@@ -2660,6 +2660,11 @@
"type": "ip_t",
"is_array": true
},
"internal_name": {
"caption": "Internal Name",
"description": "The name by which a resource identifies itself internally. See specific usage.",
"type": "string_t"
},
"invoked_by": {
"caption": "Invoked by",
"description": "The name of the service that invoked the activity as described in the event.",
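Review bot: placement and shape are fine (sorted between the preceding `ip_t` array entry and `invoked_by`, scalar `string_t`, no `is_array`); the generic description `The name by which a resource identifies itself internally. See specific usage.` is deliberately short, but consider adding one example of the kind of resource meant (an executable's embedded name) so a reader of the dictionary alone is not left guessing until they find the `file` object.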
4 changes: 4 additions & 0 deletions objects/file.json
@@ -60,6 +60,10 @@
"hashes": {
"requirement": "recommended"
},
"internal_name": {
"description": "The name of the file as identified within the file itself. This contrasts with the name by which the file is known on disk. Where available, the internal name is widely used by security practitioners and detection content because the on-disk file name is not reliable. On the Windows OS, most PE files contain a <a href=\"https://learn.microsoft.com/en-us/windows/win32/menurc/versioninfo-resource\">VERSIONINFO</a> resource from which the internal name can be obtained. On macOS, binaries can optionally embed a copy of the application's Info.plist file which in turn contains the name of the executable.",
"requirement": "optional"
},
"is_deleted": {
"description": "Indicates if the file was deleted from the filesystem.",
"requirement": "optional"
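Review bot: the `file` description names the sources (the PE `VERSIONINFO` resource, the embedded Info.plist on macOS) but not the exact field producers should copy, which invites inconsistent values across producers; suggest naming the `InternalName` string of the `StringFileInfo` block for PE and the `CFBundleExecutable` key of the embedded Info.plist for Mach-O, and stating whether `OriginalFilename` or `CFBundleName` are acceptable fallbacks when those are empty. A short note that PE `InternalName` is commonly stored without an extension and in arbitrary case (so detection content comparing it against `name` must normalize both sides) would also help consumers; the rationale sentences about on-disk names being unreliable read more like a design note than a field definition and could move to the PR description.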
