Network Endpoint

network_endpoint

The network endpoint object describes source or destination of a network connection.

Attributes

Caption	Name	Type	Description
Agent List	`agent_list`	Agent[]	A list of agent objects associated with a device, endpoint, or resource.
Autonomous System	`autonomous_system`	Autonomous System[]	The Autonomous System details associated with an IP address.
Container	`container`	Container[]	Entity:`CONTAINER` Group:`context` The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.
Domain	`domain`	String	The name of the domain that the endpoint belongs to or that corresponds to the endpoint.
Hostname	`hostname`	Hostname	Entity:`HOSTNAME` The fully qualified name of the endpoint.
Hardware Info	`hw_info`	Device Hardware Info[]	The endpoint hardware information.
Instance ID	`instance_uid`	String	The unique identifier of a VM instance.
Network Interface Name	`interface_name`	String	The name of the network interface (e.g. eth2).
Network Interface ID	`interface_uid`	String	The unique identifier of the network interface.
Intermediate IP Addresses	`intermediate_ips`	IP Address[]	Entity:`IP_ADDRESS` The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.
IP Address	`ip`	IP Address	Entity:`IP_ADDRESS` The IP address of the endpoint, in either IPv4 or IPv6 format.
IP Intelligence	`ip_intelligence`	IP Threat Intelligence[]	Insights from threat intelligence platforms about IP Address
ISP Name	`isp`	String	The name of the Internet Service Provider (ISP).
ISP Org	`isp_org`	String	The organization name of the Internet Service Provider (ISP). This represents the parent organization or company that owns/operates the ISP. For example, Comcast Corporation would be the ISP org for Xfinity internet service. This attribute helps identify the ultimate provider when ISPs operate under different brand names.
Geo Location	`location`	Geo Location[]	Entity:`GEO_LOCATION` The geographical location of the endpoint.
MAC Address	`mac`	MAC Address	Entity:`MAC_ADDRESS` The Media Access Control (MAC) address of the endpoint.
Name	`name`	String	The short name of the endpoint.
Namespace PID	`namespace_pid`	Integer	Group:`context` If running under a process namespace (such as in a container), the process identifier within that process namespace.
OS	`os`	Operating System (OS)[]	The endpoint operating system.
Owner	`owner`	User[]	Entity:`USER` The identity of the service or user account that owns the endpoint or was last logged into it.
Port	`port`	Port	Entity:`PORT` The port used for communication within the network connection.
Proxy Endpoint	`proxy_endpoint`	Network Proxy Endpoint[]	Entity:`ENDPOINT` The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).
Raw Data	`raw_data`	JSON	Group:`context` The event data as received from the event source.
Record ID	`record_id`	String	Group:`primary` Unique identifier for the object
Subnet UID	`subnet_uid`	String	The unique identifier of a virtual subnet.
Service Name	`svc_name`	String	The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.
Type	`type`	String	The network endpoint type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
Type ID	`type_id`	Integer	The network endpoint type ID. `1`: Server (`SERVER`) `2`: Desktop (`DESKTOP`) `3`: Laptop (`LAPTOP`) `4`: Tablet (`TABLET`) `5`: Mobile (`MOBILE`) `6`: Virtual (`VIRTUAL`) `7`: IOT (`IOT`) `8`: Browser (`BROWSER`) `9`: Firewall (`FIREWALL`) `10`: Switch (`SWITCH`) `11`: Hub (`HUB`) `12`: Router (`ROUTER`) `13`: IDS (`IDS`) `14`: IPS (`IPS`) `15`: Load Balancer (`LOAD_BALANCER`) `0`: Unknown (`UNKNOWN`) `99`: Other (`OTHER`)
Unique ID	`uid`	String	The unique identifier of the endpoint.
Unmapped	`unmapped`	Unmapped[]	Data from the source that was not mapped into the schema.
VLAN	`vlan_uid`	String	The Virtual LAN identifier.
VPC UID	`vpc_uid`	String	The unique identifier of the Virtual Private Cloud (VPC).
Network Zone	`zone`	String	The network zone or LAN segment.

Relationships

Inbound Relationships

These objects and events reference Network Endpoint in their attributes:

Outbound Relationships

Network Endpoint references the following objects and events in its attributes:

This page describes qdm-1.5.1+ocsf-1.6.0