Device [20] object extends endpoint
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.
Note: "(O)" after a caption (rendered as a superscript O in the original) indicates that the attribute is an observable.
References
Name | Caption | Requirement | Type | Description
---|---|---|---|---
agent_list | Agent List | Optional | Agent Array | A list of agent objects associated with a device, endpoint, or resource.
autoscale_uid | Autoscale UID | Optional | String | The unique identifier of the cloud autoscale configuration.
boot_time | Boot Time | Optional | Timestamp | The time the system was booted.
boot_time_dt | Boot Time | Optional | Datetime | The time the system was booted.
container | Container (O) | Recommended | Container | The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime such as containerd.
created_time | Created Time | Optional | Timestamp | The time when the device was known to have been created.
created_time_dt | Created Time | Optional | Datetime | The time when the device was known to have been created.
desc | Description | Optional | String | The description of the device, ordinarily as reported by the operating system.
domain | Domain | Optional | String | The network domain where the device resides. For example: work.example.com.
first_seen_time | First Seen | Optional | Timestamp | The initial discovery time of the device.
first_seen_time_dt | First Seen | Optional | Datetime | The initial discovery time of the device.
groups | Groups | Optional | Group Array | The group names to which the device belongs. For example: ["Windows Laptops", "Engineering"].
hostname | Hostname (O) | Recommended (†) | Hostname | The device hostname.
hw_info | Hardware Info | Optional | Device Hardware Info | The endpoint hardware information.
hypervisor | Hypervisor | Optional | String | The name of the hypervisor running on the device. For example: Xen, VMware, Hyper-V, VirtualBox.
image | Image | Optional | Image | The image used as a template to run the virtual machine.
imei | IMEI | Optional | String | The International Mobile Equipment Identity that is associated with the device. Deprecated since v1.4.0: use the imei_list attribute instead.
imei_list | IMEI List | Optional | String Array | The International Mobile Equipment Identity values that are associated with the device.
instance_uid | Instance ID | Recommended (†) | String | The unique identifier of a VM instance.
interface_name | Network Interface Name | Recommended (†) | String | The name of the network interface (e.g. eth2).
interface_uid | Network Interface ID | Recommended (†) | String | The unique identifier of the network interface.
ip | IP Address (O) | Optional (†) | IP Address | The device IP address, in either IPv4 or IPv6 format.
is_compliant | Compliant Device | Optional | Boolean | The event occurred on a compliant device.
is_managed | Managed Device | Optional | Boolean | The event occurred on a managed device.
is_personal | Personal Device | Optional | Boolean | The event occurred on a personal device.
is_trusted | Trusted Device | Optional | Boolean | The event occurred on a trusted device.
last_seen_time | Last Seen | Optional | Timestamp | The most recent discovery time of the device.
last_seen_time_dt | Last Seen | Optional | Datetime | The most recent discovery time of the device.
location | Geo Location (O) | Optional | Geo Location | The geographical location of the device.
mac | MAC Address (O) | Optional | MAC Address | The Media Access Control (MAC) address of the endpoint.
model | Model | Optional | String | The model of the device. For example: ThinkPad X1 Carbon.
modified_time | Modified Time | Optional | Timestamp | The time when the device was last known to have been modified.
modified_time_dt | Modified Time | Optional | Datetime | The time when the device was last known to have been modified.
name | Name | Optional (†) | String | The alternate device name, ordinarily as assigned by an administrator. Note: the name could be any other string that helps to identify the device, such as a phone number; for example
namespace_pid | Namespace PID | Recommended | Integer | If running under a process namespace (such as in a container), the process identifier within that process namespace.
network_interfaces | Network Interfaces | Optional | Network Interface Array | The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination. Note: the first element of the array is the network information that pertains to the event.
org | Organization | Optional | Organization | The organization and organizational unit related to the device.
os | OS | Optional | Operating System (OS) | The endpoint operating system.
os_machine_uuid | OS Machine UUID | Optional | UUID | The machine ID assigned by the operating system. On Windows, this is the value stored at the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid. On Linux, this is stored in the file /etc/machine-id.
owner | Owner (O) | Recommended | User | The identity of the service or user account that owns the endpoint or was last logged into it.
region | Region | Recommended | String | The region where the virtual machine is located. For example, an AWS Region.
risk_level | Risk Level | Optional | String | The risk level, normalized to the caption of the risk_level_id value. This is the string sibling of the enum attribute risk_level_id.
risk_level_id | Risk Level ID | Optional | Integer | The normalized risk level ID. This is an enum attribute; its string sibling is risk_level.
risk_score | Risk Score | Optional | Integer | The risk score as reported by the event source.
subnet | Subnet (O) | Optional | Subnet | The subnet mask.
subnet_uid | Subnet UID | Optional | String | The unique identifier of a virtual subnet.
type | Type | Recommended | String | The device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. This is the string sibling of the enum attribute type_id.
type_id | Type ID | Required | Integer | The device type ID. This is an enum attribute; its string sibling is type.
uid | Unique ID | Recommended (†) | String | The unique identifier of the device. For example, the Windows TargetSID or an AWS EC2 ARN.
uid_alt | Alternate ID | Optional | String | An alternate unique identifier of the device, if any. For example, the Active Directory DN.
vendor_name | Vendor Name | Recommended | String | The vendor of the device. For example: Dell or Lenovo.
vlan_uid | VLAN | Optional | String | The Virtual LAN identifier.
vpc_uid | VPC UID | Optional | String | The unique identifier of the Virtual Private Cloud (VPC).
zone | Network Zone | Optional | String | The network zone or LAN segment.
Referenced By
- Base Event Class (attribute: device)
- API Activity Class (attribute: device)
- Account Change Class (attribute: device)
- Admin Group Query Class (attribute: device)
- Airborne Broadcast Activity Class (attribute: device)
- Application Error Class (attribute: device)
- Application Lifecycle Class (attribute: device)
- Authentication Class (attribute: device)
- Authorize Session Class (attribute: device)
- Cloud Resources Inventory Info Class (attribute: device)
- Compliance Finding Class (attribute: device)
- DHCP Activity Class (attribute: device)
- DNS Activity Class (attribute: device)
- Data Security Finding Class (attribute: device)
- Datastore Activity Class (attribute: device)
- Detection Finding Class (attribute: device)
- Device Config State Class (attribute: device)
- Device Config State Change Class (attribute: device)
- Device Inventory Info Class (attribute: device)
- Drone Flights Activity Class (attribute: device)
- Email Activity Class (attribute: device)
- Email File Activity Class D (attribute: device)
- Email URL Activity Class D (attribute: device)
- Entity Management Class (attribute: device)
- Event Log Activity Class (attribute: device)
- FTP Activity Class (attribute: device)
- File Hosting Activity Class (attribute: device)
- File Query Class (attribute: device)
- File Remediation Activity Class (attribute: device)
- File System Activity Class (attribute: device)
- Folder Query Class (attribute: device)
- Group Management Class (attribute: device)
- HTTP Activity Class (attribute: device)
- Incident Finding Class (attribute: device)
- Job Query Class (attribute: device)
- Kernel Activity Class (attribute: device)
- Kernel Extension Activity Class (attribute: device)
- Kernel Object Query Class (attribute: device)
- Memory Activity Class (attribute: device)
- Module Activity Class (attribute: device)
- Module Query Class (attribute: device)
- NTP Activity Class (attribute: device)
- Network Activity Class (attribute: device)
- Network Connection Query Class (attribute: device)
- Network File Activity Class D (attribute: device)
- Network Remediation Activity Class (attribute: device)
- Networks Query Class (attribute: device)
- OSINT Inventory Info Class (attribute: device)
- Operating System Patch State Class (attribute: device)
- Peripheral Device Query Class (attribute: device)
- Prefetch Query Class (attribute: device)
- Process Activity Class (attribute: device)
- Process Query Class (attribute: device)
- Process Remediation Activity Class (attribute: device)
- RDP Activity Class (attribute: device)
- Registry Key Activity Class (attribute: device)
- Registry Key Query Class (attribute: device)
- Registry Value Activity Class (attribute: device)
- Registry Value Query Class (attribute: device)
- Remediation Activity Class (attribute: device)
- SMB Activity Class (attribute: device)
- SSH Activity Class (attribute: device)
- Scan Activity Class (attribute: device)
- Scheduled Job Activity Class (attribute: device)
- Script Activity Class (attribute: device)
- Security Finding Class D (attribute: device)
- Service Query Class (attribute: device)
- Software Inventory Info Class (attribute: device)
- Startup Item Query Class (attribute: device)
- Tunnel Activity Class (attribute: device)
- User Access Management Class (attribute: device)
- User Inventory Info Class (attribute: device)
- User Query Class (attribute: device)
- User Session Query Class (attribute: device)
- Vulnerability Finding Class (attribute: device)
- Web Resource Access Activity Class D (attribute: device)
- Web Resources Activity Class (attribute: device)
- Windows Resource Activity Class (attribute: device)
- Windows Service Activity Class (attribute: device)
- Authentication Factor Object (attribute: device)
- Evidence Artifacts Object (attribute: device)
- Logger Object (attribute: device)
- Managed Entity Object (attribute: device)
Constraints
† At least one of these attributes must be present: hostname, instance_uid, interface_name, interface_uid, ip, name, uid
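The requirement levels in the attribute table and the † constraint above are the checks an ingestion pipeline has to enforce before a Device object is trusted for correlation: a record with no identifying attribute cannot be joined to an asset inventory, and a type/type_id pair that disagree will mis-route it. The validator below is an added example, not code from the OCSF project. It takes the requirement levels, the † attribute list and the deprecation note directly from the table; the numeric type_id values (0 unknown, 1 server, 2 desktop, 3 laptop, 4 tablet, 5 mobile, 6 virtual, 7 browser, 99 other) are taken from the OCSF dictionary and are an assumption of this example, since the page lists only the captions. The sample records are constructed.

```python
"""Validate OCSF Device objects against the requirement levels and the
'at least one of' (†) constraint described in the attribute table.
Added example; not part of the OCSF project."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Requirement levels as listed in the table. Optional attributes need no rule.
REQUIRED = {"type_id"}
RECOMMENDED = {"container", "hostname", "instance_uid", "interface_name",
               "interface_uid", "namespace_pid", "owner", "region", "type",
               "uid", "vendor_name"}
# † constraint: at least one of these attributes must be present.
IDENTIFYING = ("hostname", "instance_uid", "interface_name", "interface_uid",
               "ip", "name", "uid")
# Deprecated attribute -> replacement, per the table (imei since v1.4.0).
DEPRECATED = {"imei": "imei_list"}
# type_id -> caption of its string sibling `type`. The captions are from the
# page; the numeric ids are an assumption taken from the OCSF dictionary.
TYPE_IDS = {0: "unknown", 1: "server", 2: "desktop", 3: "laptop", 4: "tablet",
            5: "mobile", 6: "virtual", 7: "browser", 99: "other"}
BOOLEANS = ("is_compliant", "is_managed", "is_personal", "is_trusted")
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


@dataclass
class Report:
    errors: list[str] = field(default_factory=list)    # schema violations
    warnings: list[str] = field(default_factory=list)  # accepted but degraded

    @property
    def ok(self) -> bool:
        return not self.errors


def validate_device(device: dict) -> Report:
    """Return a Report; `ok` is False only on hard schema violations."""
    r = Report()

    # Required: type_id must be an integer enum value (bool is an int in Python,
    # so it is excluded explicitly) and must agree with its string sibling.
    type_id = device.get("type_id")
    if not isinstance(type_id, int) or isinstance(type_id, bool):
        r.errors.append("type_id is required and must be an integer")
    elif type_id not in TYPE_IDS:
        r.errors.append(f"type_id {type_id} is not a known device type")
    elif "type" in device and device["type"] != TYPE_IDS[type_id]:
        r.errors.append(
            f"type {device['type']!r} does not match type_id {type_id}")

    # † constraint: the record must carry something that identifies the device.
    if not any(k in device for k in IDENTIFYING):
        r.errors.append(
            "at least one of " + ", ".join(IDENTIFYING) + " must be present")

    # Observables that feeds commonly get wrong: ip must be IPv4 or IPv6,
    # mac must look like a MAC address, the is_* flags must be booleans.
    if "ip" in device:
        try:
            ipaddress.ip_address(device["ip"])
        except ValueError:
            r.errors.append(f"ip {device['ip']!r} is not a valid IP address")
    if "mac" in device and not MAC_RE.match(str(device["mac"])):
        r.errors.append(f"mac {device['mac']!r} is not a valid MAC address")
    for attr in BOOLEANS:
        if attr in device and not isinstance(device[attr], bool):
            r.errors.append(f"{attr} must be a boolean")

    # Deprecated attributes are still accepted but flagged for migration.
    for old, new in DEPRECATED.items():
        if old in device:
            r.warnings.append(f"{old} is deprecated since v1.4.0; use {new}")
    # Recommended attributes are not errors, but their absence is worth noting.
    for attr in sorted(RECOMMENDED - set(device)):
        r.warnings.append(f"recommended attribute {attr} is missing")
    return r


if __name__ == "__main__":
    # Constructed sample records, not real telemetry.
    samples = [
        {"type_id": 3, "type": "laptop", "hostname": "lt-0042",
         "ip": "10.0.0.5", "mac": "00:11:22:33:44:55", "is_managed": True},
        {"type_id": 3, "region": "us-east-1"},        # violates †
        {"type_id": 1, "type": "laptop", "uid": "x"},  # type/type_id disagree
        {"type_id": 5, "name": "+15555550100", "imei": "000000000000000"},
    ]
    for s in samples:
        rep = validate_device(s)
        print("OK " if rep.ok else "BAD", s, rep.errors, rep.warnings)
```

Hard errors (`errors`) should cause the record to be rejected or quarantined, while `warnings` are better surfaced as data-quality metrics per source, since a feed that never sets the Recommended attributes is usable but will correlate poorly.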