The following events relate to a specific file:
When the event relates to a specific file (e.g., “Execution blocked”, “New unapproved file”), the File Hash, File Name, and File Path fields will be completed with the file-specific information that is available. Not all file events will have these fields completed. For example, an “Execution blocked (still analyzing)” event, will not have a file hash. Policy Management events, like creating approvals and bans, also contain File Hash or File Name data when available and applicable.
When the File Hash is available, it is a SHA-256 hash. The File Path does not end with a trailing slash.
File State provides the state of the file associated with the event (Approved/Unapproved/Banned) and File State Reason provides additional details behind the state of the file associated with the event. File Prevalence lists the number of computers on which the file associated with an event appears.
If Carbon Black File Reputation data is enabled when the file event is generated, File Trust and File Threat information is included in the event if it is available.