Network Endpoint

The network endpoint object describes the source or destination of a network connection.

Attributes

| Caption | Name | Type | Description |
|---|---|---|---|
| Agent List | agent_list | Agent[] | A list of agent objects associated with a device, endpoint, or resource. |
| Autonomous System | autonomous_system | Autonomous System[] | The Autonomous System details associated with an IP address. |
| Container | container | Container[] | The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd. |
| Domain | domain | String | The name of the domain. |
| Hostname | hostname | Hostname | The fully qualified name of the endpoint. |
| Hardware Info | hw_info | Device Hardware Info[] | The endpoint hardware information. |
| Instance ID | instance_uid | String | The unique identifier of a VM instance. |
| Network Interface Name | interface_name | String | The name of the network interface (e.g. eth2). |
| Network Interface ID | interface_uid | String | The unique identifier of the network interface. |
| Intermediate IP Addresses | intermediate_ips | IP Address[] | The intermediate IP addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. |
| IP Address | ip | IP Address | The IP address of the endpoint, in either IPv4 or IPv6 format. |
| IP Intelligence | ip_intelligence | IP Threat Intelligence[] | Insights from threat intelligence platforms about the IP address. |
| Geo Location | location | Geo Location[] | The geographical location of the endpoint. |
| MAC Address | mac | MAC Address | The Media Access Control (MAC) address of the endpoint. |
| Name | name | String | The short name of the endpoint. |
| Namespace PID | namespace_pid | Integer | If running under a process namespace (such as in a container), the process identifier within that process namespace. |
| OS | os | Operating System (OS)[] | The endpoint operating system. |
| Owner | owner | User[] | The identity of the service or user account that owns the endpoint or was last logged into it. |
| Port | port | Port | The port used for communication within the network connection. |
| Proxy Endpoint | proxy_endpoint | Network Proxy Endpoint[] | The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). |
| Raw Data | raw_data | JSON | The event data as received from the event source. |
| Record ID | record_id | String | Unique identifier for the object. |
| Reputation Scores | reputation | Reputation[] | Contains the original and normalized reputation scores. 🚧 WARNING: DEPRECATED. Reputation Scores has been deprecated since 1.1.0 (deprecated in the upgrade from ocsf-0.31.1 to qdm-1.1.0). |
| Subnet UID | subnet_uid | String | The unique identifier of a virtual subnet. |
| Service Name | svc_name | String | The service name in service-to-service connections. For example, in AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify whether the connection is coming from or going to an AWS service. |
| Type | type | String | The network endpoint type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. |
| Type ID | type_id | Integer | The network endpoint type ID. Values: 0: Unknown (UNKNOWN); 1: Server (SERVER); 2: Desktop (DESKTOP); 3: Laptop (LAPTOP); 4: Tablet (TABLET); 5: Mobile (MOBILE); 6: Virtual (VIRTUAL); 7: IOT (IOT); 8: Browser (BROWSER); 9: Firewall (FIREWALL); 10: Switch (SWITCH); 11: Hub (HUB); 12: Router (ROUTER); 13: IDS (IDS); 14: IPS (IPS); 15: Load Balancer (LOAD_BALANCER); 99: Other (OTHER). |
| Unique ID | uid | String | The unique identifier of the endpoint. |
| Unmapped Data | unmapped | Unmapped[] | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
| VLAN | vlan_uid | String | The Virtual LAN identifier. |
| VPC UID | vpc_uid | String | The unique identifier of the Virtual Private Cloud (VPC). |
| Network Zone | zone | String | The network zone or LAN segment. |
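As an added example (not code from the QDM/OCSF documentation), the following Python builds a Network Endpoint object from raw event fields: it validates `ip` and `port`, derives `type` from `type_id` using the value list above, and fills `intermediate_ips` from an X-Forwarded-For header while dropping entries that are not valid IP addresses. The lowercase `type` strings and the helper names `build_endpoint` and `parse_forwarded_for` are assumptions made for this example.

```python
import ipaddress
import json

# type_id -> type, from the Type ID value list on this page.
# Lowercase captions are an assumption, following the examples in the "type" row.
ENDPOINT_TYPE_BY_ID = {
    0: "unknown", 1: "server", 2: "desktop", 3: "laptop", 4: "tablet",
    5: "mobile", 6: "virtual", 7: "iot", 8: "browser", 9: "firewall",
    10: "switch", 11: "hub", 12: "router", 13: "ids", 14: "ips",
    15: "load balancer", 99: "other",
}


def parse_forwarded_for(header):
    """Split an X-Forwarded-For header into a list of normalized IP strings.

    The header is supplied by the client side of the connection, so every
    entry is validated with ipaddress and non-IP tokens are discarded rather
    than copied into intermediate_ips.
    """
    ips = []
    for part in header.split(","):
        try:
            ips.append(str(ipaddress.ip_address(part.strip())))
        except ValueError:
            continue  # e.g. "unknown" or an empty segment
    return ips


def build_endpoint(ip, port, type_id, hostname=None, forwarded_for=None):
    """Return a Network Endpoint dict; raise ValueError on malformed input."""
    addr = ipaddress.ip_address(ip)          # ValueError unless IPv4/IPv6
    port = int(port)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if type_id not in ENDPOINT_TYPE_BY_ID:
        raise ValueError(f"unknown type_id: {type_id}")
    endpoint = {"ip": str(addr), "port": port, "type_id": type_id,
                "type": ENDPOINT_TYPE_BY_ID[type_id]}
    if hostname:
        endpoint["hostname"] = hostname
    if forwarded_for:
        endpoint["intermediate_ips"] = parse_forwarded_for(forwarded_for)
    return endpoint


if __name__ == "__main__":
    # Constructed sample values (documentation ranges), not real hosts.
    print(json.dumps(build_endpoint("203.0.113.7", 443, 1, "web1.example.test",
                                    "198.51.100.9, unknown, 10.0.0.5"), indent=2))
```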

Relationships

Network Endpoint shown in context

Inbound Relationships

These objects and events reference Network Endpoint in their attributes:

Outbound Relationships

Network Endpoint references the following objects and events in its attributes:

This page describes qdm-1.3.2+ocsf-1.3.0