Device

device

The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.

Attributes

CaptionNameTypeDescription
Agent Listagent_listAgent[]A list of agent objects associated with a device, endpoint, or resource.
Autoscale UIDautoscale_uidStringThe unique identifier of the cloud autoscale configuration.
Boot Timeboot_timeTimestampThe time the system was booted.
Boot UIDboot_uidStringA unique identifier of the device that changes after every reboot. For example, the value of /proc/sys/kernel/random/boot_id from Linux's procfs.
ContainercontainerContainer[]Entity:CONTAINER
Group:context

The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.
Created Timecreated_timeTimestampThe time when the device was known to have been created.
DescriptiondescStringThe description of the device, ordinarily as reported by the operating system.
DomaindomainStringThe network domain where the device resides. For example: work.example.com.
EIDeidStringAn Embedded Identity Document, is a unique serial number that identifies an eSIM-enabled device.
First Seenfirst_seen_timeTimestampThe initial discovery time of the device.
GroupsgroupsGroup[]The group names to which the device belongs. For example: ["Windows Laptops", "Engineering"].
HostnamehostnameHostnameEntity:HOSTNAME

The device hostname.
Hardware Infohw_infoDevice Hardware Info[]The endpoint hardware information.
HypervisorhypervisorStringThe name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
ICCIDiccidStringThe Integrated Circuit Card Identification of a mobile device. Typically it is a unique 18 to 22 digit number that identifies a SIM card.
ImageimageImage[]The image used as a template to run the virtual machine.
IMEIimeiStringThe International Mobile Equipment Identity that is associated with the device.

🚧 WARNING: DEPRECATED

IMEI has been deprecated since 1.4.0. Use the imei_list attribute instead.

IMEI Listimei_listString[]The International Mobile Equipment Identity values that are associated with the device.
Instance IDinstance_uidStringThe unique identifier of a VM instance.
Network Interface Nameinterface_nameStringThe name of the network interface (e.g. eth2).
Network Interface IDinterface_uidStringThe unique identifier of the network interface.
IP AddressipIP AddressEntity:IP_ADDRESS

The device IP address, in either IPv4 or IPv6 format.
Back Ups Configuredis_backed_upBooleanIndicates whether the device or resource has a backup enabled, such as an automated snapshot or a cloud backup. For example, this is indicated by the cloudBackupEnabled value within JAMF Pro mobile devices or the registration of an AWS ARN with the AWS Backup service.
Compliant Deviceis_compliantBooleanThe event occurred on a compliant device.
Managed Deviceis_managedBooleanThe event occurred on a managed device.
Mobile Account Activeis_mobile_account_activeBooleanIndicates whether the device has an active mobile account. For example, this is indicated by the itunesStoreAccountActive value within JAMF Pro mobile devices.
Personal Deviceis_personalBooleanThe event occurred on a personal device.
Shared Deviceis_sharedBooleanThe event occurred on a shared device.
Supervised Deviceis_supervisedBooleanThe event occurred on a supervised device. Devices that are supervised are typically mobile devices managed by a Mobile Device Management solution and are restricted from specific behaviors such as Apple AirDrop.
Trusted Deviceis_trustedBooleanThe event occurred on a trusted device.
Last Seenlast_seen_timeTimestampThe most recent discovery time of the device.
Geo LocationlocationGeo Location[]Entity:GEO_LOCATION

The geographical location of the device.
MAC AddressmacMAC AddressEntity:MAC_ADDRESS

The Media Access Control (MAC) address of the endpoint.
MEIDmeidStringThe Mobile Equipment Identifier. It's a unique number that identifies a Code Division Multiple Access (CDMA) mobile device.
ModelmodelStringThe model of the device. For example ThinkPad X1 Carbon.
Modified Timemodified_timeTimestampThe time when the device was last known to have been modified.
NamenameStringThe alternate device name, ordinarily as assigned by an administrator. Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
Namespace PIDnamespace_pidIntegerGroup:context

If running under a process namespace (such as in a container), the process identifier within that process namespace.
Network Interfacesnetwork_interfacesNetwork Interface[]The physical or virtual network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.Note: The first element of the array is the network information that pertains to the event.
OrganizationorgOrganization[]Organization and org unit related to the device.
OSosOperating System (OS)[]The endpoint operating system.
OS Machine UUIDos_machine_uuidUUIDThe operating system assigned Machine ID. In Windows, this is the value stored at the registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid. In Linux, this is stored in the file: /etc/machine-id.
OwnerownerUser[]Entity:USER

The identity of the service or user account that owns the endpoint or was last logged into it.
Raw Dataraw_dataJSONGroup:context

The event data as received from the event source.
Record IDrecord_idStringGroup:primary

Unique identifier for the object
RegionregionStringThe region where the virtual machine is located. For example, an AWS Region.
Risk Levelrisk_levelStringThe risk level, normalized to the caption of the risk_level_id value.
Risk Level IDrisk_level_idIntegerThe normalized risk level id.
  • 0: Info (INFO)
  • 1: Low (LOW)
  • 2: Medium (MEDIUM)
  • 3: High (HIGH)
  • 4: Critical (CRITICAL)
  • 99: Other (OTHER)
Risk Scorerisk_scoreIntegerThe risk score as reported by the event source.
SubnetsubnetSubnetEntity:SUBNET

The subnet mask.
Subnet UIDsubnet_uidStringThe unique identifier of a virtual subnet.
TypetypeStringThe device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
Type IDtype_idIntegerThe device type ID.
  • 1: Server (SERVER)
  • 2: Desktop (DESKTOP)
  • 3: Laptop (LAPTOP)
  • 4: Tablet (TABLET)
  • 5: Mobile (MOBILE)
  • 6: Virtual (VIRTUAL)
  • 7: IOT (IOT)
  • 8: Browser (BROWSER)
  • 9: Firewall (FIREWALL)
  • 10: Switch (SWITCH)
  • 11: Hub (HUB)
  • 12: Router (ROUTER)
  • 13: IDS (IDS)
  • 14: IPS (IPS)
  • 15: Load Balancer (LOAD_BALANCER)
  • 0: Unknown (UNKNOWN)
  • 99: Other (OTHER)
Unique Device IdentifierudidStringThe Apple assigned Unique Device Identifier (UDID). For iOS, iPadOS, tvOS, watchOS and visionOS devices, this is the UDID. For macOS devices, it is the Provisioning UDID. For example: 00008020-008D4548007B4F26
Unique IDuidStringEntity:DEVICE_OBJECT_UID

The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
Alternate IDuid_altStringAn alternate unique identifier of the device if any. For example the ActiveDirectory DN.
UnmappedunmappedUnmapped[]Data from the source that was not mapped into the schema.
Vendor Namevendor_nameStringThe vendor for the device. For example Dell or Lenovo.
VLANvlan_uidStringThe Virtual LAN identifier.
VPC UIDvpc_uidStringThe unique identifier of the Virtual Private Cloud (VPC).
Network ZonezoneStringThe network zone or LAN segment.

Relationships

Device shown in context

Inbound Relationships

These objects and events reference Device in their attributes:

Outbound Relationships

Device references the following objects and events in its attributes:

This page describes qdm-1.5.1+ocsf-1.6.0