Network Endpoint
The network endpoint object describes source or destination of a network connection.
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Agent List | agent_list |
Agent[] |
A list of agent objects associated with a device, endpoint, or resource.
|
| Autonomous System | autonomous_system |
Autonomous System[] | The Autonomous System details associated with an IP address. |
| Container | container |
Container[] | The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd. |
| Domain | domain |
String | The name of the domain. |
| Hostname | hostname |
Hostname | The fully qualified name of the endpoint. |
| Hardware Info | hw_info |
Device Hardware Info[] | The endpoint hardware information. |
| Instance ID | instance_uid |
String | The unique identifier of a VM instance. |
| Network Interface Name | interface_name |
String | The name of the network interface (e.g. eth2). |
| Network Interface ID | interface_uid |
String | The unique identifier of the network interface. |
| Intermediate IP Addresses | intermediate_ips |
IP Address[] | The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. |
| IP Address | ip |
IP Address | The IP address of the endpoint, in either IPv4 or IPv6 format. |
| IP Intelligence | ip_intelligence |
IP Threat Intelligence[] | Insights from threat intelligence platforms about IP Address |
| Geo Location | location |
Geo Location[] | The geographical location of the endpoint. |
| MAC Address | mac |
MAC Address | The Media Access Control (MAC) address of the endpoint. |
| Name | name |
String | The short name of the endpoint. |
| Namespace PID | namespace_pid |
Integer | If running under a process namespace (such as in a container), the process identifier within that process namespace. |
| OS | os |
Operating System (OS)[] | The endpoint operating system. |
| Owner | owner |
User[] | The identity of the service or user account that owns the endpoint or was last logged into it. |
| Port | port |
Port | The port used for communication within the network connection. |
| Proxy Endpoint | proxy_endpoint |
Network Proxy Endpoint[] | The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). |
| Raw Data | raw_data |
JSON | The event data as received from the event source. |
| Record ID | record_id |
String | Unique identifier for the object |
| Reputation Scores | reputation |
Reputation[] |
Contains the original and normalized reputation scores.
|
| Subnet UID | subnet_uid |
String | The unique identifier of a virtual subnet. |
| Service Name | svc_name |
String | The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. |
| Type | type |
String |
The network endpoint type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
|
| Type ID | type_id |
Integer |
The network endpoint type ID.
|
| Unique ID | uid |
String | The unique identifier of the endpoint. |
| Unmapped Data | unmapped |
Unmapped[] | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
| VLAN | vlan_uid |
String | The Virtual LAN identifier. |
| VPC UID | vpc_uid |
String | The unique identifier of the Virtual Private Cloud (VPC). |
| Network Zone | zone |
String | The network zone or LAN segment. |
Relationships
Inbound Relationships
These objects and events reference Network Endpoint in their attributes:
- Endpoint Connection
- API Activity
- Network Activity
- Network File Activity
- RDP Activity
- SMB Activity
- Web Resources Activity
- Entity Management
- Windows Evidence Artifacts
- Account Change
- Load Balancer
- HTTP Activity
- Authorize Session
- File Hosting Activity
- Group Management
- Web Resource Access Activity
- SSH Activity
- Event Log Activity
- Datastore Activity
- Email Activity
- Tunnel Activity
- Data Security Finding
- User Access Management
- FTP Activity
- NTP Activity
- Identity & Access Management
- DHCP Activity
- Authentication
- DNS Activity
- Network
Outbound Relationships
Network Endpoint references the following objects and events in its attributes:
- Unmapped
- Geo Location
- Network Proxy Endpoint
- Autonomous System
- Agent
- User
- Reputation
- Container
- Device Hardware Info
- Operating System (OS)
- IP Threat Intelligence
This page describes qdm-1.3.2+ocsf-1.3.0
Updated 5 months ago