Agent

agent

An Agent (also known as a Sensor) is typically installed on an Operating System (OS) and serves as a specialized software component that can be designed to monitor, detect, collect, archive, or take action. These activities and possible actions are defined by the upstream system controlling the Agent and its intended purpose. For instance, an Agent can include Endpoint Detection & Response (EDR) agents, backup/disaster recovery sensors, Application Performance Monitoring or profiling sensors, and similar software.

Attributes

Caption	Name	Type	Description
Agent Name	`name`	String	The name of the agent or sensor. For example: `AWS SSM Agent`.
Agent Policies	`policies`	Policy[]	Describes the various policies that may be applied or enforced by an agent or sensor. E.g., Conditional Access, prevention, auto-update, tamper protection, destination configuration, etc.
Raw Data	`raw_data`	JSON	Group:`context` The event data as received from the event source.
Record ID	`record_id`	String	Group:`primary` Unique identifier for the object
Agent Type	`type`	String	The normalized caption of the type_id value for the agent or sensor. In the case of 'Other' or 'Unknown', it is defined by the event source.
Type ID	`type_id`	Integer	The normalized representation of an agent or sensor. E.g., EDR, vulnerability management, APM, backup & recovery, etc. `0`: Unknown (`UNKNOWN`) `1`: Endpoint Detection and Response (`ENDPOINT_DETECTION_AND_RESPONSE`) `2`: Data Loss Prevention (`DATA_LOSS_PREVENTION`) `3`: Backup & Recovery (`BACKUP_&_RECOVERY`) `4`: Performance Monitoring & Observability (`PERFORMANCE_MONITORING_&_OBSERVABILITY`) `5`: Vulnerability Management (`VULNERABILITY_MANAGEMENT`) `6`: Log Forwarding (`LOG_FORWARDING`) `7`: Mobile Device Management (`MOBILE_DEVICE_MANAGEMENT`) `8`: Configuration Management (`CONFIGURATION_MANAGEMENT`) `9`: Remote Access (`REMOTE_ACCESS`) `99`: Other (`OTHER`)
Agent ID	`uid`	String	The UID of the agent or sensor, sometimes known as a Sensor ID or `aid`.
Alternate Agent ID	`uid_alt`	String	An alternative or contextual identifier for the agent or sensor, such as a configuration, organization, or license UID.
Unmapped	`unmapped`	Unmapped[]	Data from the source that was not mapped into the schema.
Vendor Name	`vendor_name`	String	The company or author who created the agent or sensor. For example: `Crowdstrike`.
Agent Version	`version`	String	The semantic version of the agent or sensor, e.g., `7.101.50.0`.

Relationships

Inbound Relationships

These objects and events reference Agent in their attributes:

Outbound Relationships

Agent references the following objects and events in its attributes:

This page describes ocsf-1.4.0