Network Endpoint
network_endpoint
The network endpoint object describes source or destination of a network connection.
Attributes
Caption | Name | Type | Description |
---|---|---|---|
Agent List | agent_list |
Agent[] |
A list of agent objects associated with a device, endpoint, or resource.
|
Autonomous System | autonomous_system |
Autonomous System[] | The Autonomous System details associated with an IP address. |
Container | container |
Container[] |
Entity:CONTAINER Group: context The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd. |
Domain | domain |
String | The name of the domain that the endpoint belongs to or that corresponds to the endpoint. |
Hostname | hostname |
Hostname |
Entity:HOSTNAME The fully qualified name of the endpoint. |
Hardware Info | hw_info |
Device Hardware Info[] | The endpoint hardware information. |
Instance ID | instance_uid |
String | The unique identifier of a VM instance. |
Network Interface Name | interface_name |
String | The name of the network interface (e.g. eth2). |
Network Interface ID | interface_uid |
String | The unique identifier of the network interface. |
Intermediate IP Addresses | intermediate_ips |
IP Address[] |
Entity:IP_ADDRESS The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. |
IP Address | ip |
IP Address |
Entity:IP_ADDRESS The IP address of the endpoint, in either IPv4 or IPv6 format. |
IP Intelligence | ip_intelligence |
IP Threat Intelligence[] | Insights from threat intelligence platforms about IP Address |
Geo Location | location |
Geo Location[] |
Entity:GEO_LOCATION The geographical location of the endpoint. |
MAC Address | mac |
MAC Address |
Entity:MAC_ADDRESS The Media Access Control (MAC) address of the endpoint. |
Name | name |
String | The short name of the endpoint. |
Namespace PID | namespace_pid |
Integer |
Group:context If running under a process namespace (such as in a container), the process identifier within that process namespace. |
OS | os |
Operating System (OS)[] | The endpoint operating system. |
Owner | owner |
User[] |
Entity:USER The identity of the service or user account that owns the endpoint or was last logged into it. |
Port | port |
Port |
Entity:PORT The port used for communication within the network connection. |
Proxy Endpoint | proxy_endpoint |
Network Proxy Endpoint[] | The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). |
Raw Data | raw_data |
JSON |
Group:context The event data as received from the event source. |
Record ID | record_id |
String |
Group:primary Unique identifier for the object |
Subnet UID | subnet_uid |
String | The unique identifier of a virtual subnet. |
Service Name | svc_name |
String | The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. |
Type | type |
String |
The network endpoint type. For example: unknown , server , desktop , laptop , tablet , mobile , virtual , browser , or other .
|
Type ID | type_id |
Integer |
The network endpoint type ID.
|
Unique ID | uid |
String | The unique identifier of the endpoint. |
Unmapped | unmapped |
Unmapped[] | Data from the source that was not mapped into the schema. |
VLAN | vlan_uid |
String | The Virtual LAN identifier. |
VPC UID | vpc_uid |
String | The unique identifier of the Virtual Private Cloud (VPC). |
Network Zone | zone |
String | The network zone or LAN segment. |
Relationships
Inbound Relationships
These objects and events reference Network Endpoint in their attributes:
- RDP Activity
- Load Balancer
- Authorize Session
- Web Resource Access Activity
- Evidence Artifacts
- HTTP Activity
- Entity Management
- Datastore Activity
- DNS Activity
- FTP Activity
- Web Resources Activity
- Data Security Finding
- File Hosting Activity
- Tunnel Activity
- Authentication
- User Access Management
- SMB Activity
- API Activity
- Network
- DHCP Activity
- Drone Flights Activity
- Group Management
- Airborne Broadcast Activity
- SSH Activity
- Unmanned Systems
- NTP Activity
- Network Activity
- Network File Activity
- Endpoint Connection
- Account Change
- Email Activity
- Identity & Access Management
- Event Log Activity
Outbound Relationships
Network Endpoint references the following objects and events in its attributes:
- IP Threat Intelligence
- Agent
- Device Hardware Info
- Container
- Network Proxy Endpoint
- Autonomous System
- Unmapped
- Geo Location
- Operating System (OS)
- User
This page describes ocsf-1.4.0
Updated 3 days ago