Class: Agent
An Agent (also known as a Sensor) is typically installed on an Operating System
(OS) and serves as a specialized software component that can be designed to
monitor, detect, collect, archive, or take action. These activities and
possible actions are defined by the upstream system controlling the Agent and
its intended purpose. For instance, an Agent can include Endpoint Detection &
Response (EDR) agents, backup/disaster recovery sensors, Application
Performance Monitoring or profiling sensors, and similar software.
URI: ocsf:Agent
```mermaid
classDiagram
    class Agent
    click Agent href "../Agent/"
    Object <|-- Agent
    click Object href "../Object/"
    Agent : name
    Agent : policies
    Agent --> "*" Policy : policies
    click Policy href "../Policy/"
    Agent : type
    Agent : type_id
    Agent --> "0..1 _recommended_" AgentTypeIdEnum : type_id
    click AgentTypeIdEnum href "../AgentTypeIdEnum/"
    Agent : uid
    Agent : uid_alt
    Agent : vendor_name
    Agent : version
```
Inheritance
- OcsfObject
- Object
- Agent
- Object
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| name | 0..1 recommended String | The name of the agent or sensor | direct |
| policies | * Policy | Describes the various policies that may be applied or enforced by an agent or sensor | direct |
| type | 0..1 String | The normalized caption of the type_id value for the agent or sensor | direct |
| type_id | 0..1 recommended AgentTypeIdEnum | The normalized representation of an agent or sensor | direct |
| uid | 0..1 recommended String | The UID of the agent or sensor, sometimes known as a Sensor ID or `aid` | direct |
| uid_alt | 0..1 String | An alternative or contextual identifier for the agent or sensor, such as a configuration, organization, or license UID | direct |
| vendor_name | 0..1 String | The company or author who created the agent or sensor | direct |
| version | 0..1 String | The semantic version of the agent or sensor, e.g., `7.101.50.0` | direct |
Usages
| used by | used in | type | used |
|---|---|---|---|
| Databucket | agent_list | range | Agent |
| Endpoint | agent_list | range | Agent |
| NetworkEndpoint | agent_list | range | Agent |
| NetworkProxy | agent_list | range | Agent |
| ResourceDetails | agent_list | range | Agent |
| Device | agent_list | range | Agent |
Rules
| Rule Applied | Preconditions | Postconditions | Elseconditions |
|---|---|---|---|
| any_of | | [{'slot_conditions': {'uid': {'required': True}}}, {'slot_conditions': {'name': {'required': True}}}] | |
In Subsets
Aliases
- Agent
See Also
Notes
- D3FEND™ Ontology d3f:Sensor. — https://d3fend.mitre.org/dao/artifact/d3f:Sensor/
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_constraints | {"at_least_one": ["uid", "name"]} |
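A validator for the constraint above, as an added example (not part of the OCSF schema or its tooling): it checks an Agent object, given as a Python dict, against the slot list, the `at_least_one` rule, and the recommended slots documented on this page. Treating unknown slots as errors and blank strings as unset are assumptions of this sketch; the sample values are constructed.

```python
# Added example: validates one OCSF Agent object against this page's definition.
STRING_SLOTS = ("name", "type", "uid", "uid_alt", "vendor_name", "version")
ALL_SLOTS = set(STRING_SLOTS) | {"policies", "type_id"}
RECOMMENDED = ("name", "type_id", "uid")      # slots marked "recommended"
AT_LEAST_ONE = ("uid", "name")                # from the ocsf_constraints annotation


def validate_agent(agent):
    """Return (errors, warnings) for one Agent object."""
    errors, warnings = [], []
    if not isinstance(agent, dict):
        return ["agent must be an object"], warnings

    # Assumption: strict mode, slots not listed for Agent are rejected.
    for key in sorted(set(agent) - ALL_SLOTS):
        errors.append(f"unknown slot: {key}")

    for slot in STRING_SLOTS:
        if slot in agent and not isinstance(agent[slot], str):
            errors.append(f"{slot} must be a string")

    # policies is multivalued (cardinality *): a list of Policy objects.
    policies = agent.get("policies", [])
    if not isinstance(policies, list) or not all(isinstance(p, dict) for p in policies):
        errors.append("policies must be a list of Policy objects")

    # at_least_one: uid or name must be set. Assumption: a blank string cannot
    # identify an agent during triage, so it counts as unset.
    if not any(isinstance(agent.get(s), str) and agent[s].strip() for s in AT_LEAST_ONE):
        errors.append("at least one of uid, name must be set")

    for slot in RECOMMENDED:
        if slot not in agent:
            warnings.append(f"recommended slot missing: {slot}")
    # type is the caption sibling of type_id, so it should not appear alone.
    if "type" in agent and "type_id" not in agent:
        warnings.append("type set without its sibling type_id")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample objects, not taken from real telemetry.
    samples = [
        {"uid": "constructed-uid-0001", "name": "AWS SSM Agent", "type_id": 1},
        {"vendor_name": "Crowdstrike", "version": "7.101.50.0"},
    ]
    for sample in samples:
        print(sample, validate_agent(sample))
```

Running it at ingestion lets a pipeline reject agent entries that cannot be attributed to any sensor while only warning on missing recommended slots.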
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Agent |
| native | ocsf:Agent |
LinkML Source
Direct
```yaml
name: Agent
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["uid", "name"]}'
description: 'An Agent (also known as a Sensor) is typically installed on an Operating
  System
  (OS) and serves as a specialized software component that can be designed to
  monitor, detect, collect, archive, or take action. These activities and
  possible actions are defined by the upstream system controlling the Agent and
  its intended purpose. For instance, an Agent can include Endpoint Detection &
  Response (EDR) agents, backup/disaster recovery sensors, Application
  Performance Monitoring or profiling sensors, and similar software.'
notes:
- 'D3FEND™ Ontology d3f:Sensor. —
  https://d3fend.mitre.org/dao/artifact/d3f:Sensor/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:Sensor/
aliases:
- Agent
is_a: Object
slots:
- name
- policies
- type
- type_id
- uid
- uid_alt
- vendor_name
- version
slot_usage:
  name:
    name: name
    description: 'The name of the agent or sensor. For example: <code>AWS SSM Agent</code>.'
    recommended: true
  policies:
    name: policies
    description: 'Describes the various policies that may be applied or enforced by
      an agent or
      sensor. E.g., Conditional Access, prevention, auto-update, tamper protection,
      destination configuration, etc.'
  type:
    name: type
    description: 'The normalized caption of the type_id value for the agent or sensor.
      In the
      case of ''Other'' or ''Unknown'', it is defined by the event source.'
  type_id:
    name: type_id
    description: 'The normalized representation of an agent or sensor. E.g., EDR,
      vulnerability
      management, APM, backup & recovery, etc.'
    range: AgentTypeIdEnum
    recommended: true
  uid:
    name: uid
    description: 'The UID of the agent or sensor, sometimes known as a Sensor ID or
      <code>aid</code>.'
    recommended: true
  uid_alt:
    name: uid_alt
    description: 'An alternative or contextual identifier for the agent or sensor,
      such as a
      configuration, organization, or license UID.'
  vendor_name:
    name: vendor_name
    description: 'The company or author who created the agent or sensor. For example:
      <code>Crowdstrike</code>.'
  version:
    name: version
    description: The semantic version of the agent or sensor, e.g., <code>7.101.50.0</code>.
rules:
- postconditions:
    any_of:
    - slot_conditions:
        uid:
          name: uid
          required: true
    - slot_conditions:
        name:
          name: name
          required: true
  description: 'OCSF at_least_one: at least one of [''uid'', ''name''] must be set.'
```
Induced
```yaml
name: Agent
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["uid", "name"]}'
description: 'An Agent (also known as a Sensor) is typically installed on an Operating
  System
  (OS) and serves as a specialized software component that can be designed to
  monitor, detect, collect, archive, or take action. These activities and
  possible actions are defined by the upstream system controlling the Agent and
  its intended purpose. For instance, an Agent can include Endpoint Detection &
  Response (EDR) agents, backup/disaster recovery sensors, Application
  Performance Monitoring or profiling sensors, and similar software.'
notes:
- 'D3FEND™ Ontology d3f:Sensor. —
  https://d3fend.mitre.org/dao/artifact/d3f:Sensor/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:Sensor/
aliases:
- Agent
is_a: Object
slot_usage:
  name:
    name: name
    description: 'The name of the agent or sensor. For example: <code>AWS SSM Agent</code>.'
    recommended: true
  policies:
    name: policies
    description: 'Describes the various policies that may be applied or enforced by
      an agent or
      sensor. E.g., Conditional Access, prevention, auto-update, tamper protection,
      destination configuration, etc.'
  type:
    name: type
    description: 'The normalized caption of the type_id value for the agent or sensor.
      In the
      case of ''Other'' or ''Unknown'', it is defined by the event source.'
  type_id:
    name: type_id
    description: 'The normalized representation of an agent or sensor. E.g., EDR,
      vulnerability
      management, APM, backup & recovery, etc.'
    range: AgentTypeIdEnum
    recommended: true
  uid:
    name: uid
    description: 'The UID of the agent or sensor, sometimes known as a Sensor ID or
      <code>aid</code>.'
    recommended: true
  uid_alt:
    name: uid_alt
    description: 'An alternative or contextual identifier for the agent or sensor,
      such as a
      configuration, organization, or license UID.'
  vendor_name:
    name: vendor_name
    description: 'The company or author who created the agent or sensor. For example:
      <code>Crowdstrike</code>.'
  version:
    name: version
    description: The semantic version of the agent or sensor, e.g., <code>7.101.50.0</code>.
attributes:
  name:
    name: name
    description: 'The name of the agent or sensor. For example: <code>AWS SSM Agent</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: Agent
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    recommended: true
  policies:
    name: policies
    description: 'Describes the various policies that may be applied or enforced by
      an agent or
      sensor. E.g., Conditional Access, prevention, auto-update, tamper protection,
      destination configuration, etc.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Policies
    rank: 1000
    alias: policies
    owner: Agent
    domain_of:
    - Agent
    - AccountChange
    range: Policy
    multivalued: true
  type:
    name: type
    description: 'The normalized caption of the type_id value for the agent or sensor.
      In the
      case of ''Other'' or ''Unknown'', it is defined by the event source.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type
    rank: 1000
    alias: type
    owner: Agent
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - ProgrammaticCredential
    - RelatedEvent
    - San
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Dns
    - Resource
    - Account
    - Agent
    - Analytic
    - ApplicationObject
    - AuthenticationToken
    - ClassifierDetails
    - Cve
    - Database
    - Databucket
    - DiscoveryDetails
    - DnsAnswer
    - DomainContact
    - EncryptionDetails
    - Endpoint
    - Enrichment
    - File
    - Graph
    - Group
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - Metadata
    - Module
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - PeripheralDevice
    - Policy
    - Rule
    - Scan
    - Trait
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - WebResource
    - Device
    - DatastoreActivity
    - FtpActivity
    - RegValue
    - WinResource
    range: string
  type_id:
    name: type_id
    annotations:
      sibling:
        tag: sibling
        value: type
    description: 'The normalized representation of an agent or sensor. E.g., EDR,
      vulnerability
      management, APM, backup & recovery, etc.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type ID
    rank: 1000
    alias: type_id
    owner: Agent
    domain_of:
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Account
    - Agent
    - Analytic
    - AuthenticationToken
    - Database
    - Databucket
    - DomainContact
    - Endpoint
    - File
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - NetworkEndpoint
    - NetworkInterface
    - PeripheralDevice
    - Scan
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - Device
    - DatastoreActivity
    - RegValue
    - WinResource
    range: AgentTypeIdEnum
    recommended: true
  uid:
    name: uid
    description: 'The UID of the agent or sensor, sometimes known as a Sensor ID or
      <code>aid</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: Agent
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    recommended: true
  uid_alt:
    name: uid_alt
    description: 'An alternative or contextual identifier for the agent or sensor,
      such as a
      configuration, organization, or license UID.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Alternate ID
    rank: 1000
    alias: uid_alt
    owner: Agent
    domain_of:
    - Scim
    - Session
    - Resource
    - Agent
    - Aircraft
    - ApplicationObject
    - FindingInfo
    - Group
    - UnmannedAerialSystem
    - User
    - Device
    range: string
  vendor_name:
    name: vendor_name
    description: 'The company or author who created the agent or sensor. For example:
      <code>Crowdstrike</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Vendor Name
    rank: 1000
    alias: vendor_name
    owner: Agent
    domain_of:
    - Osint
    - Package
    - Scim
    - Sso
    - Vulnerability
    - Agent
    - Cvss
    - DeviceHwInfo
    - GpuInfo
    - PeripheralDevice
    - Product
    - Device
    range: string
  version:
    name: version
    description: The semantic version of the agent or sensor, e.g., <code>7.101.50.0</code>.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Version
    rank: 1000
    alias: version
    owner: Agent
    domain_of:
    - Os
    - Package
    - RpcInterface
    - Sbom
    - Scim
    - SoftwareComponent
    - Tls
    - Agent
    - AiModel
    - Analytic
    - Api
    - ApplicationObject
    - Attack
    - Certificate
    - Check
    - CisControl
    - CisCsc
    - Cvss
    - D3fend
    - Databucket
    - Epss
    - Extension
    - Feature
    - File
    - HttpRequest
    - Logger
    - ManagedEntity
    - Metadata
    - Policy
    - Product
    - ResourceDetails
    - Rule
    - Service
    - NtpActivity
    range: string
rules:
- postconditions:
    any_of:
    - slot_conditions:
        uid:
          name: uid
          required: true
    - slot_conditions:
        name:
          name: name
          required: true
  description: 'OCSF at_least_one: at least one of [''uid'', ''name''] must be set.'
```