Device

A list of agent objects associated with a device, endpoint, or resource.

The unique identifier of the cloud autoscale configuration.

The time the system was booted.

A unique identifier of the device that changes after every reboot. For example, the value of /proc/sys/kernel/random/boot_id from Linux's procfs.

Entity:CONTAINER
Group:context
The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.

The time when the device was known to have been created.

The description of the device, ordinarily as reported by the operating system.

The network domain where the device resides. For example: work.example.com.

An Embedded Identity Document, is a unique serial number that identifies an eSIM-enabled device.

The initial discovery time of the device.

The group names to which the device belongs. For example: ["Windows Laptops", "Engineering"].

Entity:HOSTNAME
The device hostname.

The endpoint hardware information.

The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.

The Integrated Circuit Card Identification of a mobile device. Typically it is a unique 18 to 22 digit number that identifies a SIM card.

The image used as a template to run the virtual machine.

The International Mobile Equipment Identity that is associated with the device.

🚧 WARNING: DEPRECATED

IMEI has been deprecated since 1.4.0. Use the imei_list attribute instead.

The International Mobile Equipment Identity values that are associated with the device.

The unique identifier of a VM instance.

The name of the network interface (e.g. eth2).

The unique identifier of the network interface.

Entity:IP_ADDRESS
The device IP address, in either IPv4 or IPv6 format.

Indicates whether the device or resource has a backup enabled, such as an automated snapshot or a cloud backup. For example, this is indicated by the cloudBackupEnabled value within JAMF Pro mobile devices or the registration of an AWS ARN with the AWS Backup service.

The event occurred on a compliant device.

The event occurred on a managed device.

Indicates whether the device has an active mobile account. For example, this is indicated by the itunesStoreAccountActive value within JAMF Pro mobile devices.

The event occurred on a personal device.

The event occurred on a shared device.

The event occurred on a supervised device. Devices that are supervised are typically mobile devices managed by a Mobile Device Management solution and are restricted from specific behaviors such as Apple AirDrop.

The event occurred on a trusted device.

The most recent discovery time of the device.

Entity:GEO_LOCATION
The geographical location of the device.

Entity:MAC_ADDRESS
The Media Access Control (MAC) address of the endpoint.

The Mobile Equipment Identifier. It's a unique number that identifies a Code Division Multiple Access (CDMA) mobile device.

The model of the device. For example ThinkPad X1 Carbon.

The time when the device was last known to have been modified.

The alternate device name, ordinarily as assigned by an administrator. Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.

Group:context
If running under a process namespace (such as in a container), the process identifier within that process namespace.

The physical or virtual network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.Note: The first element of the array is the network information that pertains to the event.

Organization and org unit related to the device.

The endpoint operating system.

The operating system assigned Machine ID. In Windows, this is the value stored at the registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid. In Linux, this is stored in the file: /etc/machine-id.

Entity:USER
The identity of the service or user account that owns the endpoint or was last logged into it.

Group:context
The event data as received from the event source.

Group:primary
Unique identifier for the object

The region where the virtual machine is located. For example, an AWS Region.

The risk level, normalized to the caption of the risk_level_id value.

The normalized risk level id.

• 0: Info (INFO)
• 1: Low (LOW)
• 2: Medium (MEDIUM)
• 3: High (HIGH)
• 4: Critical (CRITICAL)
• 99: Other (OTHER)

The risk score as reported by the event source.

Entity:SUBNET
The subnet mask.

The unique identifier of a virtual subnet.

The device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.

The device type ID.

• 1: Server (SERVER)
• 2: Desktop (DESKTOP)
• 3: Laptop (LAPTOP)
• 4: Tablet (TABLET)
• 5: Mobile (MOBILE)
• 6: Virtual (VIRTUAL)
• 7: IOT (IOT)
• 8: Browser (BROWSER)
• 9: Firewall (FIREWALL)
• 10: Switch (SWITCH)
• 11: Hub (HUB)
• 12: Router (ROUTER)
• 13: IDS (IDS)
• 14: IPS (IPS)
• 15: Load Balancer (LOAD_BALANCER)
• 0: Unknown (UNKNOWN)
• 99: Other (OTHER)

The Apple assigned Unique Device Identifier (UDID). For iOS, iPadOS, tvOS, watchOS and visionOS devices, this is the UDID. For macOS devices, it is the Provisioning UDID. For example: 00008020-008D4548007B4F26

Entity:DEVICE_OBJECT_UID
The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.

An alternate unique identifier of the device if any. For example the ActiveDirectory DN.

Data from the source that was not mapped into the schema.

The vendor for the device. For example Dell or Lenovo.

The Virtual LAN identifier.

The unique identifier of the Virtual Private Cloud (VPC).

The network zone or LAN segment.