The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.

  • Extends: endpoint

type_id

The device type ID.

container

The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.

hostname

  • Type: hostname_t
  • Requirement: recommended

The device hostname.

instance_uid

  • Type: string_t
  • Requirement: recommended

The unique identifier of a VM instance.

interface_name

  • Type: string_t
  • Requirement: recommended

The name of the network interface (e.g. eth2).

interface_uid

  • Type: string_t
  • Requirement: recommended

The unique identifier of the network interface.

namespace_pid

  • Type: integer_t
  • Requirement: recommended

If running under a process namespace (such as in a container), the process identifier within that process namespace.

owner

  • Type: user
  • Requirement: recommended

The identity of the service or user account that owns the endpoint or was last logged into it.

region

  • Type: string_t
  • Requirement: recommended

The region where the virtual machine is located. For example, an AWS Region.

type

  • Type: string_t
  • Requirement: recommended

The device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.

uid

  • Type: string_t
  • Requirement: recommended

The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.

vendor_name

  • Type: string_t
  • Requirement: recommended

The vendor for the device. For example Dell or Lenovo.

agent_list

  • Type: agent
  • Requirement: optional

A list of agent objects associated with a device, endpoint, or resource.

autoscale_uid

  • Type: string_t
  • Requirement: optional

The unique identifier of the cloud autoscale configuration.

boot_time

  • Type: timestamp_t
  • Requirement: optional

The time the system was booted.

boot_time_dt

  • Type: datetime_t
  • Requirement: optional

The time the system was booted.

created_time

  • Type: timestamp_t
  • Requirement: optional

The time when the device was known to have been created.

created_time_dt

  • Type: datetime_t
  • Requirement: optional

The time when the device was known to have been created.

desc

  • Type: string_t
  • Requirement: optional

The description of the device, ordinarily as reported by the operating system.

domain

  • Type: string_t
  • Requirement: optional

The network domain where the device resides. For example: work.example.com.

first_seen_time

  • Type: timestamp_t
  • Requirement: optional

The initial discovery time of the device.

first_seen_time_dt

  • Type: datetime_t
  • Requirement: optional

The initial discovery time of the device.

groups

  • Type: group
  • Requirement: optional

The group names to which the device belongs. For example: ["Windows Laptops", "Engineering"].

hw_info

The endpoint hardware information.

hypervisor

  • Type: string_t
  • Requirement: optional

The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.

image

  • Type: image
  • Requirement: optional

The image used as a template to run the virtual machine.

imei

  • Type: string_t
  • Requirement: optional

The International Mobile Equipment Identity that is associated with the device.

imei_list

  • Type: string_t
  • Requirement: optional

The International Mobile Equipment Identity values that are associated with the device.

ip

  • Type: ip_t
  • Requirement: optional

The device IP address, in either IPv4 or IPv6 format.

is_compliant

  • Type: boolean_t
  • Requirement: optional

The event occurred on a compliant device.

is_managed

  • Type: boolean_t
  • Requirement: optional

The event occurred on a managed device.

is_personal

  • Type: boolean_t
  • Requirement: optional

The event occurred on a personal device.

is_trusted

  • Type: boolean_t
  • Requirement: optional

The event occurred on a trusted device.

last_seen_time

  • Type: timestamp_t
  • Requirement: optional

The most recent discovery time of the device.

last_seen_time_dt

  • Type: datetime_t
  • Requirement: optional

The most recent discovery time of the device.

location

The geographical location of the device.

mac

  • Type: mac_t
  • Requirement: optional

The Media Access Control (MAC) address of the endpoint.

model

  • Type: string_t
  • Requirement: optional

The model of the device. For example ThinkPad X1 Carbon.

modified_time

  • Type: timestamp_t
  • Requirement: optional

The time when the device was last known to have been modified.

modified_time_dt

  • Type: datetime_t
  • Requirement: optional

The time when the device was last known to have been modified.

name

  • Type: string_t
  • Requirement: optional

The alternate device name, ordinarily as assigned by an administrator.

Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.

network_interfaces

The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.

Note: The first element of the array is the network information that pertains to the event.

org

Organization and org unit related to the device.

os

  • Type: os
  • Requirement: optional

The endpoint operating system.

os_machine_uuid

  • Type: uuid_t
  • Requirement: optional

The operating system assigned Machine ID. In Windows, this is the value stored at the registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid. In Linux, this is stored in the file: /etc/machine-id.

risk_level

  • Type: string_t
  • Requirement: optional

The risk level, normalized to the caption of the risk_level_id value.

risk_level_id

  • Type: integer_t
  • Requirement: optional
  • Values:
    • 0 - Info
    • 1 - Low
    • 2 - Medium
    • 3 - High
    • 4 - Critical
    • 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.

The normalized risk level id.

risk_score

  • Type: integer_t
  • Requirement: optional

The risk score as reported by the event source.

subnet

  • Type: subnet_t
  • Requirement: optional

The subnet mask.

subnet_uid

  • Type: string_t
  • Requirement: optional

The unique identifier of a virtual subnet.

uid_alt

  • Type: string_t
  • Requirement: optional

An alternate unique identifier of the device, if any. For example the ActiveDirectory DN.

vlan_uid

  • Type: string_t
  • Requirement: optional

The Virtual LAN identifier.

vpc_uid

  • Type: string_t
  • Requirement: optional

The unique identifier of the Virtual Private Cloud (VPC).

zone

  • Type: string_t
  • Requirement: optional

The network zone or LAN segment.

At least one of: ip, uid, name, hostname, instance_uid, interface_uid, interface_name
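As an added example, not part of this schema page or the OCSF project's own code, the checker below enforces the "at least one of" constraint stated above, fills risk_level with the caption of risk_level_id (leaving 99/Other to carry the source-specific value), and sanity-checks the ip_t, mac_t and boolean_t attributes of a Device record. The MAC address pattern is an assumption about the shape of mac_t, and the three sample records are constructed for illustration.

```python
import ipaddress
import re

# Caption table for risk_level_id, copied from the Device object definition above.
RISK_LEVEL_CAPTIONS = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical", 99: "Other"}

# Constraint stated at the bottom of the page: at least one identifying attribute is required.
AT_LEAST_ONE_OF = ("ip", "uid", "name", "hostname", "instance_uid", "interface_uid", "interface_name")

BOOLEAN_FIELDS = ("is_compliant", "is_managed", "is_personal", "is_trusted")
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")  # assumed shape of mac_t


def normalize_risk_level(device: dict) -> dict:
    """Return a copy whose risk_level is the caption of risk_level_id (99 keeps the source value)."""
    out = dict(device)
    rid = out.get("risk_level_id")
    if rid in RISK_LEVEL_CAPTIONS and rid != 99:
        out["risk_level"] = RISK_LEVEL_CAPTIONS[rid]
    return out


def validate_device(device: dict) -> list:
    """Return the list of schema problems found; an empty list means the record passes."""
    problems = []
    if not any(device.get(k) for k in AT_LEAST_ONE_OF):
        problems.append("need at least one of: " + ", ".join(AT_LEAST_ONE_OF))
    if "ip" in device:
        try:
            ipaddress.ip_address(device["ip"])  # ip_t accepts IPv4 or IPv6 literals
        except ValueError:
            problems.append(f"ip is not IPv4/IPv6: {device['ip']!r}")
    if "mac" in device and not MAC_RE.match(str(device["mac"])):
        problems.append(f"mac is malformed: {device['mac']!r}")
    for field in BOOLEAN_FIELDS:
        if field in device and not isinstance(device[field], bool):
            problems.append(f"{field} must be boolean_t, got {type(device[field]).__name__}")
    rid = device.get("risk_level_id")
    if rid is not None and rid not in RISK_LEVEL_CAPTIONS:
        problems.append(f"risk_level_id {rid!r} is not a defined value")
    elif rid not in (None, 99) and device.get("risk_level", RISK_LEVEL_CAPTIONS[rid]) != RISK_LEVEL_CAPTIONS[rid]:
        problems.append(f"risk_level {device['risk_level']!r} does not match caption {RISK_LEVEL_CAPTIONS[rid]!r}")
    return problems


# Constructed sample records (not taken from the page).
GOOD_DEVICE = {"hostname": "ws-042", "ip": "10.0.0.42", "mac": "00:1A:2B:3C:4D:5E",
               "is_managed": True, "risk_level_id": 3}
BAD_DEVICE = {"ip": "10.0.0.999", "mac": "not-a-mac", "is_trusted": "yes", "risk_level_id": 7}
EMPTY_DEVICE = {"vendor_name": "Lenovo", "model": "ThinkPad X1 Carbon"}  # no identifier at all

if __name__ == "__main__":
    for record in (GOOD_DEVICE, BAD_DEVICE, EMPTY_DEVICE):
        print(validate_device(record))
```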