An Agent (also known as a Sensor) is a specialized software component, typically installed on an Operating System (OS), that can be designed to monitor, detect, collect, archive, or take action. These activities and possible actions are defined by the upstream system controlling the Agent and by the Agent's intended purpose. Examples of Agents include Endpoint Detection & Response (EDR) agents, backup/disaster recovery sensors, Application Performance Monitoring or profiling sensors, and similar software.

Attributes

Caption | Name | Type | Description
Agent Name | name | String | The name of the agent or sensor. For example: AWS SSM Agent.
Agent Policies | policies | Policy[] | Describes the various policies that may be applied or enforced by an agent or sensor. E.g., Conditional Access, prevention, auto-update, tamper protection, destination configuration, etc.
Raw Data | raw_data | JSON | The event data as received from the event source.
Record ID | record_id | String | Unique identifier for the object.
Agent Type | type | String | The normalized caption of the type_id value for the agent or sensor. In the case of 'Other' or 'Unknown', it is defined by the event source.
Type ID | type_id | Integer | The normalized representation of an agent or sensor. E.g., EDR, vulnerability management, APM, backup & recovery, etc.
  • 0: Unknown (UNKNOWN)
  • 1: Endpoint Detection and Response (ENDPOINT_DETECTION_AND_RESPONSE)
  • 2: Data Loss Prevention (DATA_LOSS_PREVENTION)
  • 3: Backup & Recovery (BACKUP_&_RECOVERY)
  • 4: Performance Monitoring & Observability (PERFORMANCE_MONITORING_&_OBSERVABILITY)
  • 5: Vulnerability Management (VULNERABILITY_MANAGEMENT)
  • 6: Log Forwarding (LOG_FORWARDING)
  • 7: Mobile Device Management (MOBILE_DEVICE_MANAGEMENT)
  • 8: Configuration Management (CONFIGURATION_MANAGEMENT)
  • 9: Remote Access (REMOTE_ACCESS)
  • 99: Other (OTHER)
Agent ID | uid | String | The UID of the agent or sensor, sometimes known as a Sensor ID or aid.
Alternate Agent ID | uid_alt | String | An alternative or contextual identifier for the agent or sensor, such as a configuration, organization, or license UID.
Unmapped Data | unmapped | Unmapped[] | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
Vendor Name | vendor_name | String | The company or author who created the agent or sensor. For example: CrowdStrike.
Agent Version | version | String | The semantic version of the agent or sensor, e.g., 7.101.50.0.
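The following is an added example, not code from the schema project: a small Python check that a parsed Agent object fits the attribute table above before it enters a detection pipeline. The function name, the Python type mapping, the exact-match rule for the `type` caption, and the sample records are assumptions made for illustration.

```python
# Added example: checks a dict against the Agent attribute table on this page.
TYPE_CAPTIONS = {
    0: "Unknown",
    1: "Endpoint Detection and Response",
    2: "Data Loss Prevention",
    3: "Backup & Recovery",
    4: "Performance Monitoring & Observability",
    5: "Vulnerability Management",
    6: "Log Forwarding",
    7: "Mobile Device Management",
    8: "Configuration Management",
    9: "Remote Access",
    99: "Other",
}
# Attribute name -> expected Python type (assumed mapping); None accepts any JSON value.
ATTRIBUTES = {
    "name": str, "policies": list, "raw_data": None, "record_id": str,
    "type": str, "type_id": int, "uid": str, "uid_alt": str,
    "unmapped": list, "vendor_name": str, "version": str,
}
SOURCE_DEFINED = {0, 99}  # for Unknown/Other the event source defines `type`

def validate_agent(agent):
    """Return a list of problems; an empty list means the object fits the table."""
    problems = []
    for key, value in agent.items():
        if key not in ATTRIBUTES:
            problems.append(f"{key}: not an Agent attribute, belongs under 'unmapped'")
            continue
        expected = ATTRIBUTES[key]
        # bool is a subclass of int in Python, so reject it explicitly.
        if expected is not None and (not isinstance(value, expected) or isinstance(value, bool)):
            problems.append(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
    type_id = agent.get("type_id")
    if isinstance(type_id, int) and not isinstance(type_id, bool):
        if type_id not in TYPE_CAPTIONS:
            problems.append(f"type_id: {type_id} is not an enumerated value")
        elif type_id not in SOURCE_DEFINED and "type" in agent and agent["type"] != TYPE_CAPTIONS[type_id]:
            problems.append(f"type: {agent['type']!r} does not match caption {TYPE_CAPTIONS[type_id]!r}")
    return problems

# Constructed sample records (not real telemetry).
GOOD = {"name": "Example Config Agent", "type_id": 8, "type": "Configuration Management", "uid": "agent-0001"}
OTHER = {"name": "Example Sensor", "type_id": 99, "type": "Deception Sensor"}
BAD = {"name": "Example EDR", "type_id": "1", "type": "EDR", "sensor_build": 42}
```

Running the check at ingestion surfaces vendor-specific fields and free-text type labels early, so rules keyed on `type_id` do not silently miss agents whose records were mapped inconsistently.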

Relationships

Agent shown in context

Inbound Relationships

These objects and events reference Agent in their attributes:

Outbound Relationships

Agent references the following objects and events in its attributes:

This page describes qdm-1.3.2+ocsf-1.3.0