file descriptor field

[janniten]

Hi,
I have been working with Windows and Netapp events 4556,4663 and 4658 and I found the need to map the file HandleID.
The HandleID permits us to corretate events about Object Manipulation (4556,4663 and 4658 for example).

Does it makes sense to add a field file.descriptor ?

A file descriptor is a number that uniquely identifies an open file in a computer's operating system. Is an abstract indicator (handle) used to access a file
In windows terminology is the HandleID I'm working with for example:
In Linux for example: /proc/8042/wchan

If it makes sense I can create a PR
Regards!

[webmat]

@rw-access or @jonathan-buttner Does endpoint have a field like this?

This sounds like something that would be useful and straightforward for both Windows and Linux.

[rw-access]

Just checked. Endpoint has a fileid field for linux and macos. That's the closest thing, but I think that would map to file.inode? @nicholasberlin knows that better.

I think a Windows handle is analogous enough to a file descriptor, so that name makes sense to me.

Would this be a long or keyword data type? If the latter, we should make sure we have a convention for how to convert integers (i.e. hex vs decimal notation).

[nicholasberlin]

fileid is inode for macOS, it's not filled in for Linux.