Device

device

The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.

Attributes

Caption	Name	Type	Description
Agent List	`agent_list`	Agent[]	A list of `agent` objects associated with a device, endpoint, or resource.
Autoscale UID	`autoscale_uid`	String	The unique identifier of the cloud autoscale configuration.
Boot Time	`boot_time`	Timestamp	The time the system was booted.
Container	`container`	Container[]	Entity:`CONTAINER` Group:`context` The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.
Created Time	`created_time`	Timestamp	The time when the device was known to have been created.
Description	`desc`	String	The description of the device, ordinarily as reported by the operating system.
Domain	`domain`	String	The network domain where the device resides. For example: `work.example.com`.
EID	`eid`	String	An Embedded Identity Document, is a unique serial number that identifies an eSIM-enabled device.
First Seen	`first_seen_time`	Timestamp	The initial discovery time of the device.
Groups	`groups`	Group[]	The group names to which the device belongs. For example: `["Windows Laptops", "Engineering"]`.
Hostname	`hostname`	Hostname	Entity:`HOSTNAME` The device hostname.
Hardware Info	`hw_info`	Device Hardware Info[]	The endpoint hardware information.
Hypervisor	`hypervisor`	String	The name of the hypervisor running on the device. For example, `Xen`, `VMware`, `Hyper-V`, `VirtualBox`, etc.
ICCID	`iccid`	String	The Integrated Circuit Card Identification of a mobile device. Typically it is a unique 18 to 22 digit number that identifies a SIM card.
Image	`image`	Image[]	The image used as a template to run the virtual machine.
IMEI	`imei`	String	The International Mobile Equipment Identity that is associated with the device. 🚧 WARNING: DEPRECATED IMEI has been deprecated since 1.4.0. Use the `imei_list` attribute instead.
IMEI List	`imei_list`	String[]	The International Mobile Equipment Identity values that are associated with the device.
Instance ID	`instance_uid`	String	The unique identifier of a VM instance.
Network Interface Name	`interface_name`	String	The name of the network interface (e.g. eth2).
Network Interface ID	`interface_uid`	String	The unique identifier of the network interface.
IP Address	`ip`	IP Address	Entity:`IP_ADDRESS` The device IP address, in either IPv4 or IPv6 format.
Back Ups Configured	`is_backed_up`	Boolean	Indicates whether the device or resource has a backup enabled, such as an automated snapshot or a cloud backup. For example, this is indicated by the `cloudBackupEnabled` value within JAMF Pro mobile devices or the registration of an AWS ARN with the AWS Backup service.
Compliant Device	`is_compliant`	Boolean	The event occurred on a compliant device.
Managed Device	`is_managed`	Boolean	The event occurred on a managed device.
Mobile Account Active	`is_mobile_account_active`	Boolean	Indicates whether the device has an active mobile account. For example, this is indicated by the `itunesStoreAccountActive` value within JAMF Pro mobile devices.
Personal Device	`is_personal`	Boolean	The event occurred on a personal device.
Shared Device	`is_shared`	Boolean	The event occurred on a shared device.
Supervised Device	`is_supervised`	Boolean	The event occurred on a supervised device. Devices that are supervised are typically mobile devices managed by a Mobile Device Management solution and are restricted from specific behaviors such as Apple AirDrop.
Trusted Device	`is_trusted`	Boolean	The event occurred on a trusted device.
Last Seen	`last_seen_time`	Timestamp	The most recent discovery time of the device.
Geo Location	`location`	Geo Location[]	Entity:`GEO_LOCATION` The geographical location of the device.
MAC Address	`mac`	MAC Address	Entity:`MAC_ADDRESS` The Media Access Control (MAC) address of the endpoint.
MEID	`meid`	String	The Mobile Equipment Identifier. It's a unique number that identifies a Code Division Multiple Access (CDMA) mobile device.
Model	`model`	String	The model of the device. For example `ThinkPad X1 Carbon`.
Modified Time	`modified_time`	Timestamp	The time when the device was last known to have been modified.
Name	`name`	String	The alternate device name, ordinarily as assigned by an administrator. Note: The Name could be any other string that helps to identify the device, such as a phone number; for example `310-555-1234`.
Namespace PID	`namespace_pid`	Integer	Group:`context` If running under a process namespace (such as in a container), the process identifier within that process namespace.
Network Interfaces	`network_interfaces`	Network Interface[]	The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination. Note: The first element of the array is the network information that pertains to the event.
Organization	`org`	Organization[]	Organization and org unit related to the device.
OS	`os`	Operating System (OS)[]	The endpoint operating system.
OS Machine UUID	`os_machine_uuid`	UUID	The operating system assigned Machine ID. In Windows, this is the value stored at the registry path: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid`. In Linux, this is stored in the file: `/etc/machine-id`.
Owner	`owner`	User[]	Entity:`USER` The identity of the service or user account that owns the endpoint or was last logged into it.
Raw Data	`raw_data`	JSON	Group:`context` The event data as received from the event source.
Record ID	`record_id`	String	Group:`primary` Unique identifier for the object
Region	`region`	String	The region where the virtual machine is located. For example, an AWS Region.
Risk Level	`risk_level`	String	The risk level, normalized to the caption of the risk_level_id value.
Risk Level ID	`risk_level_id`	Integer	The normalized risk level id. `0`: Info (`INFO`) `1`: Low (`LOW`) `2`: Medium (`MEDIUM`) `3`: High (`HIGH`) `4`: Critical (`CRITICAL`) `99`: Other (`OTHER`)
Risk Score	`risk_score`	Integer	The risk score as reported by the event source.
Subnet	`subnet`	Subnet	Entity:`SUBNET` The subnet mask.
Subnet UID	`subnet_uid`	String	The unique identifier of a virtual subnet.
Type	`type`	String	The device type. For example: `unknown`, `server`, `desktop`, `laptop`, `tablet`, `mobile`, `virtual`, `browser`, or `other`.
Type ID	`type_id`	Integer	The device type ID. `0`: Unknown (`UNKNOWN`) `1`: Server (`SERVER`) `10`: Switch (`SWITCH`) `11`: Hub (`HUB`) `12`: Router (`ROUTER`) `13`: IDS (`IDS`) `14`: IPS (`IPS`) `15`: Load Balancer (`LOAD_BALANCER`) `2`: Desktop (`DESKTOP`) `3`: Laptop (`LAPTOP`) `4`: Tablet (`TABLET`) `5`: Mobile (`MOBILE`) `6`: Virtual (`VIRTUAL`) `7`: IOT (`IOT`) `8`: Browser (`BROWSER`) `9`: Firewall (`FIREWALL`) `99`: Other (`OTHER`)
Unique Device Identifier	`udid`	String	The Unique Device Identifier, used for iOS and macOS devices.
Unique ID	`uid`	String	The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
Alternate ID	`uid_alt`	String	An alternate unique identifier of the device if any. For example the ActiveDirectory DN.
Unmapped	`unmapped`	Unmapped[]	Data from the source that was not mapped into the schema.
Vendor Name	`vendor_name`	String	The vendor for the device. For example `Dell` or `Lenovo`.
VLAN	`vlan_uid`	String	The Virtual LAN identifier.
VPC UID	`vpc_uid`	String	The unique identifier of the Virtual Private Cloud (VPC).
Network Zone	`zone`	String	The network zone or LAN segment.

Relationships

Inbound Relationships

These objects and events reference Device in their attributes:

Outbound Relationships

Device references the following objects and events in its attributes:

This page describes ocsf-1.4.0