Device
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Agent List | agent_list | Agent[] | A list of agent objects associated with a device, endpoint, or resource. |
| Autoscale UID | autoscale_uid | String | The unique identifier of the cloud autoscale configuration. |
| Boot Time | boot_time | Timestamp | The time the system was booted. |
| Container | container | Container[] | The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd. |
| Created Time | created_time | Timestamp | The time when the device was known to have been created. |
| Description | desc | String | The description of the device, ordinarily as reported by the operating system. |
| Domain | domain | String | The network domain where the device resides. For example: `work.example.com`. |
| First Seen | first_seen_time | Timestamp | The initial discovery time of the device. |
| Groups | groups | Group[] | The group names to which the device belongs. For example: `["Windows Laptops", "Engineering"]`. |
| Hostname | hostname | Hostname | The device hostname. |
| Hardware Info | hw_info | Device Hardware Info[] | The endpoint hardware information. |
| Hypervisor | hypervisor | String | The name of the hypervisor running on the device. For example: Xen, VMware, Hyper-V, VirtualBox. |
| Image | image | Image[] | The image used as a template to run the virtual machine. |
| IMEI | imei | String | The International Mobile Equipment Identity (IMEI) associated with the device. |
| Instance ID | instance_uid | String | The unique identifier of a VM instance. |
| Network Interface Name | interface_name | String | The name of the network interface (e.g. eth2). |
| Network Interface ID | interface_uid | String | The unique identifier of the network interface. |
| IP Address | ip | IP Address | The device IP address, in either IPv4 or IPv6 format. |
| Compliant Device | is_compliant | Boolean | The event occurred on a compliant device. |
| Managed Device | is_managed | Boolean | The event occurred on a managed device. |
| Personal Device | is_personal | Boolean | The event occurred on a personal device. |
| Trusted Device | is_trusted | Boolean | The event occurred on a trusted device. |
| Last Seen | last_seen_time | Timestamp | The most recent discovery time of the device. |
| Geo Location | location | Geo Location[] | The geographical location of the device. |
| MAC Address | mac | MAC Address | The Media Access Control (MAC) address of the endpoint. |
| Modified Time | modified_time | Timestamp | The time when the device was last known to have been modified. |
| Name | name | String | The alternate device name, ordinarily as assigned by an administrator. Note: the Name can be any other string that helps to identify the device, such as a phone number. |
| Namespace PID | namespace_pid | Integer | If running under a process namespace (such as in a container), the process identifier within that process namespace. |
| Network Interfaces | network_interfaces | Network Interface[] | The network interfaces associated with the device, one for each unique MAC address/IP address/hostname/name combination. Note: the first element of the array is the network information that pertains to the event. |
| Organization | org | Organization[] | The organization and org unit related to the device. |
| Org Unit | org_unit | String | The name of the organizational unit to which the device belongs. |
| OS | os | Operating System (OS)[] | The endpoint operating system. |
| Owner | owner | User[] | The identity of the service or user account that owns the endpoint or was last logged into it. |
| Raw Data | raw_data | JSON | The event data as received from the event source. |
| Record ID | record_id | String | The unique identifier for the object. |
| Region | region | String | The region where the virtual machine is located. For example, an AWS Region. |
| Reputation Scores | reputation | Reputation[] | Contains the original and normalized reputation scores. |
| Risk Level | risk_level | String | The risk level, normalized to the caption of the risk_level_id value. |
| Risk Level ID | risk_level_id | Integer | The normalized risk level ID. |
| Risk Score | risk_score | Integer | The risk score as reported by the event source. |
| Subnet | subnet | Subnet | The subnet mask. |
| Subnet UID | subnet_uid | String | The unique identifier of a virtual subnet. |
| Type | type | String | The device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. |
| Type ID | type_id | Integer | The device type ID. |
| Unique ID | uid | String | The unique identifier of the device. For example, the Windows TargetSID or AWS EC2 ARN. |
| Alternate ID | uid_alt | String | An alternate unique identifier of the device, if any. For example, the Active Directory DN. |
| Unmapped Data | unmapped | Unmapped[] | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
| VLAN | vlan_uid | String | The Virtual LAN identifier. |
| VPC UID | vpc_uid | String | The unique identifier of the Virtual Private Cloud (VPC). |
| Network Zone | zone | String | The network zone or LAN segment. |
Relationships
Inbound Relationships
These objects and events reference Device in their attributes:
- Process Remediation Activity
- SMB Activity
- Security Finding
- Module Query
- Device Config State
- Networks Query
- Finding
- Account Change
- Admin Group Query
- Application Lifecycle
- Discovery Result
- File Query
- File Hosting Activity
- Scheduled Job Activity
- Folder Query
- Memory Activity
- Data Security Finding
- Email URL Activity
- Software Inventory Info
- User
- Network Remediation Activity
- API Activity
- Network File Activity
- RDP Activity
- Compliance Finding
- Entity Management
- Application Activity
- Job Query
- Email Delivery Activity
- Windows Evidence Artifacts
- File Remediation Activity
- Email File Activity
- Device Inventory Info
- HTTP Activity
- Datastore Activity
- User Session Query
- User Access Management
- User Query
- FTP Activity
- Operating System Patch State
- Peripheral Device Query
- Authentication
- Network
- Authentication Factor
- Process Query
- Windows Service Activity
- Network Connection Query
- Web Resources Activity
- File System Activity
- Registry Key Query
- Registry Key Activity
- Registry Value Activity
- Authorize Session
- Scan Activity
- Remediation Activity
- Group Management
- SSH Activity
- Service Query
- System Activity
- Event Log Activity
- Tunnel Activity
- DNS Activity
- Managed Entity
- Kernel Activity
- Network Activity
- Module Activity
- Registry Value Query
- Logger
- Web Resource Access Activity
- Kernel Object Query
- Process Activity
- Email Activity
- NTP Activity
- Identity & Access Management
- DHCP Activity
- Device Config State Change
- Detection Finding
- Windows Resource Activity
- Prefetch Query
- Kernel Extension Activity
- Vulnerability Finding
Outbound Relationships
Device references the following objects and events in its attributes:
- Unmapped
- Geo Location
- Agent
- User
- Reputation
- Group
- Network Interface
- Container
- Device Hardware Info
- Organization
- Operating System (OS)
- Image
This page describes qdm-1.3.2+ocsf-1.3.0