This view provides a historical summary of changed files with some aggregation. A file is ‘changed’ when it is added or modified.
Lacework continuously monitors for changed files in your environment and returns a row in the CHANGE_FILES_V view when it detects a new key. For this view, a key is generated from the MID (machine ID), FILE_PATH, FILEDATA_HASH, START_TIME, and END_TIME. Note that the changed file rows are aggregated hourly. For example, if the same key is detected twice between 1:00 AM (START_TIME) and 1:59 AM (END_TIME), only one row is returned for this hour. For the next hour, the START_TIME (2:00 AM) and END_TIME (2:59 AM) are different, so if the same changed file is detected again, a new row is returned because the key is different.
Each row contains changed file information as listed in the columns.
|Column Name|Data Type|Description|
|---|---|---|
|START_TIME|Timestamp|The time and date when the hourly aggregation time period starts.|
|END_TIME|Timestamp|The time and date when the hourly aggregation time period ends.|
|MID|Number|The Lacework-generated machine identifier where the file was found.|
|FILE_PATH|Text|The full directory path to a file.|
|FILEDATA_HASH|Text|The hash value generated by hashing the data in a file.|
|MTIME|Timestamp|The time and date when the file was modified.|
|SIZE|Number|The size of the file.|
|THREAT_INFO|JSON Object|The threat information about a malicious file.|
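
The hourly key and aggregation described above can be modelled as follows. This is an added example, not Lacework code: the `seen_at` field, the helper names, the HH:59 form of END_TIME, and the sample MID, path and hash values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

def hour_window(ts):
    # Assumption: END_TIME is modelled as HH:59, matching the 1:00-1:59 example.
    start = ts.replace(minute=0, second=0, microsecond=0)
    return start, start + timedelta(minutes=59)

def aggregate(detections):
    """Collapse raw detections into one row per unique key."""
    rows = {}
    for d in detections:
        start, end = hour_window(d["seen_at"])
        key = (d["MID"], d["FILE_PATH"], d["FILEDATA_HASH"], start, end)
        # A repeat of the same key within the hour adds no new row.
        rows.setdefault(key, {"START_TIME": start, "END_TIME": end,
                              "MID": d["MID"], "FILE_PATH": d["FILE_PATH"],
                              "FILEDATA_HASH": d["FILEDATA_HASH"]})
    return sorted(rows.values(),
                  key=lambda r: (r["START_TIME"], r["FILEDATA_HASH"]))

def hash_changes(rows):
    """Map (MID, FILE_PATH) to its hashes in order seen, where more than one."""
    seen = {}
    for r in rows:
        hashes = seen.setdefault((r["MID"], r["FILE_PATH"]), [])
        if r["FILEDATA_HASH"] not in hashes:
            hashes.append(r["FILEDATA_HASH"])
    return {k: v for k, v in seen.items() if len(v) > 1}

def det(hour, minute, file_hash):
    # Constructed sample detection; MID, path and hashes are made up.
    return {"MID": 101, "FILE_PATH": "/etc/ssh/sshd_config",
            "FILEDATA_HASH": file_hash,
            "seen_at": datetime(2024, 1, 15, hour, minute)}

DETECTIONS = [
    det(1, 5, "hash-A"),    # first detection in the 1:00 hour
    det(1, 40, "hash-A"),   # same key, same hour: no new row
    det(2, 10, "hash-A"),   # next hour: new START_TIME/END_TIME, new row
    det(2, 30, "hash-B"),   # content changed: new FILEDATA_HASH, new row
]

if __name__ == "__main__":
    rows = aggregate(DETECTIONS)
    for r in rows:
        print(r["START_TIME"], r["END_TIME"], r["FILE_PATH"], r["FILEDATA_HASH"])
    print(hash_changes(rows))
```

Because an unchanged file that is detected again in a later hour also produces a new row, row counts alone do not indicate content changes; comparing FILEDATA_HASH per MID and FILE_PATH, as `hash_changes` does, separates the two cases.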