The FileActionNameVocab is the default MAEC vocabulary for file action names, captured via the ActionType/Name element in CybOX Core. For file action names, it should be used in place of the CybOX ActionNameVocab-1.0. Starting with MAEC 4.1, it should be used in place of the deprecated FileActionNameVocab-1.0.
Item | Description |
---|---|
create file | The 'create file' value specifies the defined action of creating a new file. |
delete file | The 'delete file' value specifies the defined action of deleting an existing file. |
copy file | The 'copy file' value specifies the defined action of copying an existing file from one location to another. |
create file symbolic link | The 'create file symbolic link' value specifies the defined action of creating a symbolic link to an existing file. |
find file | The 'find file' value specifies the defined action of searching for an existing file. |
get file attributes | The 'get file attributes' value specifies the defined action of getting the attributes of an existing file. |
set file attributes | The 'set file attributes' value specifies the defined action of setting the file attributes for an existing file. |
lock file | The 'lock file' value specifies the defined action of locking an existing file. |
unlock file | The 'unlock file' value specifies the defined action of unlocking an existing file. |
modify file | The 'modify file' value specifies the defined action of modifying an existing file in some manner. |
move file | The 'move file' value specifies the defined action of moving an existing file from one location to another. |
open file | The 'open file' value specifies the defined action of opening an existing file for reading or writing. |
read from file | The 'read from file' value specifies the defined action of reading from an existing file. |
write to file | The 'write to file' value specifies the defined action of writing to an existing file. |
rename file | The 'rename file' value specifies the defined action of renaming an existing file. |
create file alternate data stream | The 'create file alternate data stream' value specifies the defined action of creating an alternate data stream in an existing file. Windows-specific. |
send control code to file | The 'send control code to file' value specifies the defined action of sending a control code to a file. Windows-specific. |
create file mapping | The 'create file mapping' value specifies the defined action of creating a new file mapping object. Windows-specific. |
open file mapping | The 'open file mapping' value specifies the defined action of opening an existing file mapping object. Windows-specific. |
execute file | The 'execute file' value specifies the defined action of executing an existing file. |
hide file | The 'hide file' value specifies the defined action of hiding an existing file. |
close file | The 'close file' value specifies the defined action of closing an existing file that was previously opened for reading or writing. |

Field Name | Type | Description |
---|---|---|
@condition (optional) | ConditionTypeEnum | This field is optional and defines the relevant condition to apply to the value. |
@is_case_sensitive (optional) | boolean | The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true", which indicates that pattern evaluations are to be considered case-sensitive. |
@apply_condition (optional) | ConditionApplicationEnum | This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body. |
@delimiter (optional) | string | The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##". |
@bit_mask (optional) | hexBinary | Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation. |
@pattern_type (optional) | PatternTypeEnum | This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'. |
@regex_syntax (optional) | string | This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'. Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification. Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case. |
@has_changed (optional) | boolean | This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed. |
@trend (optional) | boolean | This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field. |
@vocab_name (optional) | string | The vocab_name field specifies the name of the controlled vocabulary. |
@vocab_reference (optional) | anyURI | The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file. |
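
The following Python is an added example, not code from the MAEC or CybOX projects: it evaluates an observed file action name against a list-valued field using the condition, apply_condition, delimiter and is_case_sensitive attributes described above. The function name, the sample pattern, the operand order (the pattern value is the right-hand operand) and the use of ANY when apply_condition is omitted are assumptions of this example.

```python
# Added example: evaluate a list-valued pattern field per the attribute table.
DEFAULT_DELIMITER = "##comma##"  # default stated in the table

# Each test gets (observed value, one pattern value); operand order is assumed.
CONDITIONS = {
    "Equals": lambda obs, val: obs == val,
    "DoesNotEqual": lambda obs, val: obs != val,
    "Contains": lambda obs, val: val in obs,
    "DoesNotContain": lambda obs, val: val not in obs,
    "StartsWith": lambda obs, val: obs.startswith(val),
    "EndsWith": lambda obs, val: obs.endswith(val),
}

# apply_condition="ANY" as the fallback is an assumption of this example.
def field_matches(observed, body, condition="Equals", apply_condition="ANY",
                  delimiter=DEFAULT_DELIMITER, is_case_sensitive=True):
    """Return True if `observed` satisfies the pattern held in `body`."""
    if condition not in CONDITIONS:
        raise ValueError(f"unsupported condition: {condition}")
    if apply_condition not in ("ANY", "ALL"):
        raise ValueError(f"unsupported apply_condition: {apply_condition}")
    values = body.split(delimiter)  # a single value yields a one-item list
    if not is_case_sensitive:
        observed = observed.lower()
        values = [v.lower() for v in values]
    combine = any if apply_condition == "ANY" else all
    return combine(CONDITIONS[condition](observed, v) for v in values)

# Constructed sample pattern: three vocabulary items that alter a file.
WRITE_LIKE = "write to file##comma##modify file##comma##rename file"

if __name__ == "__main__":
    # Columns: name, Equals/ANY, DoesNotEqual/ANY, DoesNotEqual/ALL
    for name in ("modify file", "Modify File", "read from file"):
        print(name,
              field_matches(name, WRITE_LIKE),
              field_matches(name, WRITE_LIKE, "DoesNotEqual", "ANY"),
              field_matches(name, WRITE_LIKE, "DoesNotEqual", "ALL"))
```

With DoesNotEqual over a list of distinct values, ANY is satisfied by every observed name, so an exclusion pattern only filters anything when apply_condition is ALL.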