Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add 'internal_name' attribute to 'file' object. #1322

Merged
merged 4 commits into from
Jan 22, 2025
Merged

Add 'internal_name' attribute to 'file' object. #1322

merged 4 commits into from
Jan 22, 2025

Conversation

davemcatcisco
Copy link
Contributor

@davemcatcisco davemcatcisco commented Jan 21, 2025
edited
Loading

Description of changes:

This PR adds an internal_name to the dictionary and to the file object. This attribute is intended to capture the name of the file as identified within the file itself. This contrasts with the name by which the file is known on disk.

Where available, the internal name is widely used by security practitioners and detection content because the on-disk file name is not reliable.

On the Windows OS, most PE files contain a VERSIONINFO resource from which the internal name can be obtained.

On macOS, binaries can optionally embed a copy of the application's Info.plist file which in turn contains the name of the executable (#NotAMacGuy).

@davemcatcisco davemcatcisco added non_breaking Non Breaking, backwards compatible changes v1.4.0 Changes marked for the upcoming version 1.4.0 labels Jan 22, 2025
mikeradka
mikeradka reviewed Jan 22, 2025
View reviewed changes
objects/file.json Outdated Show resolved Hide resolved
jonrau-at-queryai
jonrau-at-queryai previously approved these changes Jan 22, 2025
View reviewed changes
Copy link
Contributor

@jonrau-at-queryai jonrau-at-queryai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good addition. This differentiation is captured in several managed Sentinel tables from Defender XDR process, network, and file events.

@mikeradka mikeradka self-requested a review January 22, 2025 17:38
Aniak5
Aniak5 approved these changes Jan 22, 2025
View reviewed changes
Copy link
Contributor

@Aniak5 Aniak5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@floydtree floydtree merged commit 4d883c9 into ocsf:main Jan 22, 2025
3 checks passed
@davemcatcisco
Copy link
Contributor Author

Thanks, all.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mikeradka mikeradka mikeradka approved these changes

@floydtree floydtree floydtree approved these changes

@Aniak5 Aniak5 Aniak5 approved these changes

@jonrau-at-queryai jonrau-at-queryai jonrau-at-queryai left review comments

@pagbabian-splunk pagbabian-splunk Awaiting requested review from pagbabian-splunk pagbabian-splunk is a code owner

@zschmerber zschmerber Awaiting requested review from zschmerber zschmerber is a code owner

Assignees
No one assigned
Labels
non_breaking Non Breaking, backwards compatible changes v1.4.0 Changes marked for the upcoming version 1.4.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@davemcatcisco @Aniak5 @floydtree @mikeradka @jonrau-at-queryai