Agent

agent

An Agent (also known as a Sensor) is typically installed on an Operating System (OS) and serves as a specialized software component that can be designed to monitor, detect, collect, archive, or take action. These activities and possible actions are defined by the upstream system controlling the Agent and its intended purpose. For instance, an Agent can include Endpoint Detection & Response (EDR) agents, backup/disaster recovery sensors, Application Performance Monitoring or profiling sensors, and similar software.

Attributes

CaptionNameTypeDescription
Agent NamenameStringThe name of the agent or sensor. For example: AWS SSM Agent.
Agent PoliciespoliciesPolicy[]Describes the various policies that may be applied or enforced by an agent or sensor. E.g., Conditional Access, prevention, auto-update, tamper protection, destination configuration, etc.
Raw Dataraw_dataJSONGroup:context

The event data as received from the event source.
Record IDrecord_idStringGroup:primary

Unique identifier for the object
Agent TypetypeStringThe normalized caption of the type_id value for the agent or sensor. In the case of 'Other' or 'Unknown', it is defined by the event source.
Type IDtype_idIntegerThe normalized representation of an agent or sensor. E.g., EDR, vulnerability management, APM, backup & recovery, etc.
  • 1: Endpoint Detection and Response (ENDPOINT_DETECTION_AND_RESPONSE)
  • 2: Data Loss Prevention (DATA_LOSS_PREVENTION)
  • 3: Backup & Recovery (BACKUP_AND_RECOVERY)
  • 4: Performance Monitoring & Observability (PERFORMANCE_MONITORING_AND_OBSERVABILITY)
  • 5: Vulnerability Management (VULNERABILITY_MANAGEMENT)
  • 6: Log Forwarding (LOG_FORWARDING)
  • 7: Mobile Device Management (MOBILE_DEVICE_MANAGEMENT)
  • 8: Configuration Management (CONFIGURATION_MANAGEMENT)
  • 9: Remote Access (REMOTE_ACCESS)
  • 0: Unknown (UNKNOWN)
  • 99: Other (OTHER)
Agent IDuidStringThe UID of the agent or sensor, sometimes known as a Sensor ID or aid.
Alternate Agent IDuid_altStringAn alternative or contextual identifier for the agent or sensor, such as a configuration, organization, or license UID.
UnmappedunmappedUnmapped[]Data from the source that was not mapped into the schema.
Vendor Namevendor_nameStringThe company or author who created the agent or sensor. For example: Crowdstrike.
Agent VersionversionStringThe semantic version of the agent or sensor, e.g., 7.101.50.0.

Relationships

Agent shown in context

Inbound Relationships

These objects and events reference Agent in their attributes:

Outbound Relationships

Agent references the following objects and events in its attributes:

This page describes qdm-1.5.1+ocsf-1.6.0


Did this page help you?