Class: Device
The Device object represents an addressable computer system or host, which is
typically connected to a computer network and participates in the transmission
or processing of data within the computer network.
URI: ocsf:Device
classDiagram
class Device
click Device href "../Device/"
Endpoint <|-- Device
click Endpoint href "../Endpoint/"
Device : agent_list
Device --> "*" Agent : agent_list
click Agent href "../Agent/"
Device : autoscale_uid
Device : boot_time
Device : boot_uid
Device : container
Device --> "0..1 _recommended_" Container : container
click Container href "../Container/"
Device : created_time
Device : desc
Device : domain
Device : eid
Device : first_seen_time
Device : groups
Device --> "*" Group : groups
click Group href "../Group/"
Device : hostname
Device : hw_info
Device --> "0..1" DeviceHwInfo : hw_info
click DeviceHwInfo href "../DeviceHwInfo/"
Device : hypervisor
Device : iccid
Device : image
Device --> "0..1" Image : image
click Image href "../Image/"
Device : imei
Device : imei_list
Device : instance_uid
Device : interface_name
Device : interface_uid
Device : ip
Device : is_backed_up
Device : is_compliant
Device : is_managed
Device : is_mobile_account_active
Device : is_personal
Device : is_shared
Device : is_supervised
Device : is_trusted
Device : last_seen_time
Device : location
Device --> "0..1" Location : location
click Location href "../Location/"
Device : mac
Device : mac_vendor
Device : meid
Device : model
Device : modified_time
Device : name
Device : namespace_pid
Device : network_interfaces
Device --> "*" NetworkInterface : network_interfaces
click NetworkInterface href "../NetworkInterface/"
Device : org
Device --> "0..1" Organization : org
click Organization href "../Organization/"
Device : os
Device --> "0..1" Os : os
click Os href "../Os/"
Device : os_machine_uuid
Device : owner
Device --> "0..1 _recommended_" User : owner
click User href "../User/"
Device : pool
Device --> "0..1" Group : pool
click Group href "../Group/"
Device : region
Device : risk_level
Device : risk_level_id
Device --> "0..1" RiskLevelIdEnum : risk_level_id
click RiskLevelIdEnum href "../RiskLevelIdEnum/"
Device : risk_score
Device : subnet
Device : subnet_uid
Device : type
Device : type_id
Device --> "1 _recommended_" EndpointTypeIdEnum : type_id
click EndpointTypeIdEnum href "../EndpointTypeIdEnum/"
Device : udid
Device : uid
Device : uid_alt
Device : vendor_name
Device : vlan_uid
Device : vpc_uid
Device : zone
Inheritance
- OcsfObject
  - Object
    - Entity
      - Endpoint [ContainerProfile]
        - Device
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| autoscale_uid | 0..1 String | The unique identifier of the cloud autoscale configuration | direct |
| boot_time | 0..1 TimestampT | The time the system was booted | direct |
| boot_uid | 0..1 String | A unique identifier of the device that changes after every reboot | direct |
| created_time | 0..1 TimestampT | The time when the device was known to have been created | direct |
| desc | 0..1 String | The description of the device, ordinarily as reported by the operating system | direct |
| domain | 0..1 String | The network domain where the device resides | direct |
| eid | 0..1 String | An Embedded Identity Document, is a unique serial number that identifies an | direct |
| first_seen_time | 0..1 TimestampT | The initial discovery time of the device | direct |
| groups | * Group | The group names to which the device belongs | direct |
| hostname | 0..1 recommended HostnameT | The device hostname | direct |
| hypervisor | 0..1 String | The name of the hypervisor running on the device | direct |
| iccid | 0..1 String | The Integrated Circuit Card Identification of a mobile device | direct |
| image | 0..1 Image | The image used as a template to run the virtual machine | direct |
| imei | 0..1 String | The International Mobile Equipment Identity that is associated with the devic... | direct |
| imei_list | * String | The International Mobile Equipment Identity values that are associated with t... | direct |
| ip | 0..1 recommended IpT | The device IP address, in either IPv4 or IPv6 format | direct |
| is_backed_up | 0..1 Boolean | Indicates whether the device or resource has a backup enabled, such as an | direct |
| is_compliant | 0..1 Boolean | The event occurred on a compliant device | direct |
| is_managed | 0..1 Boolean | The event occurred on a managed device | direct |
| is_mobile_account_active | 0..1 Boolean | Indicates whether the device has an active mobile account | direct |
| is_personal | 0..1 Boolean | The event occurred on a personal device | direct |
| is_shared | 0..1 Boolean | The event occurred on a shared device | direct |
| is_supervised | 0..1 Boolean | The event occurred on a supervised device | direct |
| is_trusted | 0..1 Boolean | The event occurred on a trusted device | direct |
| last_seen_time | 0..1 TimestampT | The most recent discovery time of the device | direct |
| location | 0..1 Location | The geographical location of the device | direct |
| meid | 0..1 String | The Mobile Equipment Identifier | direct |
| model | 0..1 String | The model of the device | direct |
| modified_time | 0..1 TimestampT | The time when the device was last known to have been modified | direct |
| name | 0..1 recommended String | The alternate device name, ordinarily as assigned by an administrator | direct |
| network_interfaces | * NetworkInterface | The physical or virtual network interfaces that are associated with the devic... | direct |
| org | 0..1 Organization | Organization and org unit related to the device | direct |
| os_machine_uuid | 0..1 UuidT | The operating system assigned Machine ID | direct |
| region | 0..1 recommended String | The region where the virtual machine is located | direct |
| risk_level | 0..1 String | The risk level, normalized to the caption of the risk_level_id value | direct |
| risk_level_id | 0..1 RiskLevelIdEnum | The normalized risk level id | direct |
| risk_score | 0..1 Integer | The risk score as reported by the event source | direct |
| subnet | 0..1 SubnetT | The subnet mask | direct |
| type | 0..1 recommended String | The device type | direct |
| type_id | 1 recommended EndpointTypeIdEnum | The device type ID | direct |
| udid | 0..1 String | The Apple assigned Unique Device Identifier (UDID) | direct |
| uid | 0..1 recommended String | The unique identifier of the device | direct |
| uid_alt | 0..1 String | An alternate unique identifier of the device if any | direct |
| vendor_name | 0..1 recommended String | The vendor for the device | direct |
| agent_list | * Agent | A list of agent objects associated with a device, endpoint, or | Endpoint |
| hw_info | 0..1 DeviceHwInfo | The endpoint hardware information | Endpoint |
| instance_uid | 0..1 recommended String | The unique identifier of a VM instance | Endpoint |
| interface_name | 0..1 recommended String | The name of the network interface (e | Endpoint |
| interface_uid | 0..1 recommended String | The unique identifier of the network interface | Endpoint |
| mac | 0..1 MacT | The Media Access Control (MAC) address of the endpoint | Endpoint |
| mac_vendor | 0..1 String | The vendor or manufacturer of the endpoint's network interface controller | Endpoint |
| os | 0..1 Os | The endpoint operating system | Endpoint |
| owner | 0..1 recommended User | The identity of the service or user account that owns the endpoint or was las... | Endpoint |
| pool | 0..1 Group | The pool of desktops or virtual machines to which the endpoint belongs | Endpoint |
| subnet_uid | 0..1 String | The unique identifier of a virtual subnet | Endpoint |
| vlan_uid | 0..1 String | The Virtual LAN identifier | Endpoint |
| vpc_uid | 0..1 String | The unique identifier of the Virtual Private Cloud (VPC) | Endpoint |
| zone | 0..1 String | The network zone or LAN segment | Endpoint |
| container | 0..1 recommended Container | The information describing an instance of a container | ContainerProfile |
| namespace_pid | 0..1 recommended Integer | If running under a process namespace (such as in a container), the process | ContainerProfile |
Usages
In Subsets
Aliases
- Device
See Also
Notes
- D3FEND™ Ontology d3f:Host. — https://d3fend.mitre.org/dao/artifact/d3f:Host/
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Device |
| native | ocsf:Device |
| exact | uco_master:Device |
LinkML Source
Direct
name: Device
description: 'The Device object represents an addressable computer system or host,
  which is
  typically connected to a computer network and participates in the transmission
  or processing of data within the computer network.'
notes:
- D3FEND™ Ontology d3f:Host. — https://d3fend.mitre.org/dao/artifact/d3f:Host/
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:Host/
aliases:
- Device
exact_mappings:
- uco_master:Device
is_a: Endpoint
slots:
- autoscale_uid
- boot_time
- boot_uid
- created_time
- desc
- domain
- eid
- first_seen_time
- groups
- hostname
- hypervisor
- iccid
- image
- imei
- imei_list
- ip
- is_backed_up
- is_compliant
- is_managed
- is_mobile_account_active
- is_personal
- is_shared
- is_supervised
- is_trusted
- last_seen_time
- location
- meid
- model
- modified_time
- name
- network_interfaces
- org
- os_machine_uuid
- region
- risk_level
- risk_level_id
- risk_score
- subnet
- type
- type_id
- udid
- uid
- uid_alt
- vendor_name
slot_usage:
  boot_time:
    name: boot_time
    description: The time the system was booted.
  created_time:
    name: created_time
    description: The time when the device was known to have been created.
  desc:
    name: desc
    description: The description of the device, ordinarily as reported by the operating
      system.
  domain:
    name: domain
    description: 'The network domain where the device resides. For example:
      <code>work.example.com</code>.'
  first_seen_time:
    name: first_seen_time
    description: The initial discovery time of the device.
  groups:
    name: groups
    description: 'The group names to which the device belongs. For example: <code>["Windows
      Laptops", "Engineering"]</code>.'
  hostname:
    name: hostname
    description: The device hostname.
    recommended: true
  image:
    name: image
    description: The image used as a template to run the virtual machine.
  ip:
    name: ip
    description: The device IP address, in either IPv4 or IPv6 format.
  last_seen_time:
    name: last_seen_time
    description: The most recent discovery time of the device.
  location:
    name: location
    description: The geographical location of the device.
  model:
    name: model
    description: The model of the device. For example <code>ThinkPad X1 Carbon</code>.
  modified_time:
    name: modified_time
    description: The time when the device was last known to have been modified.
  name:
    name: name
    description: 'The alternate device name, ordinarily as assigned by an administrator.
      <p><b>Note:</b> The <b>Name</b> could be any other string that helps to
      identify the device, such as a phone number; for example
      <code>310-555-1234</code>.</p>'
  org:
    name: org
    description: Organization and org unit related to the device.
  region:
    name: region
    description: The region where the virtual machine is located. For example, an
      AWS Region.
    recommended: true
  type:
    name: type
    description: 'The device type. For example: <code>unknown</code>, <code>server</code>,
      <code>desktop</code>, <code>laptop</code>, <code>tablet</code>,
      <code>mobile</code>, <code>virtual</code>, <code>browser</code>, or
      <code>other</code>.'
    recommended: true
  type_id:
    name: type_id
    description: The device type ID.
    required: true
  uid:
    name: uid
    description: 'The unique identifier of the device. For example the Windows TargetSID
      or AWS
      EC2 ARN.'
    recommended: true
  uid_alt:
    name: uid_alt
    description: 'An alternate unique identifier of the device if any. For example
      the
      ActiveDirectory DN.'
  vendor_name:
    name: vendor_name
    description: 'The vendor for the device. For example <code>Dell</code> or
      <code>Lenovo</code>.'
    recommended: true
Induced
name: Device
description: 'The Device object represents an addressable computer system or host,
which is
typically connected to a computer network and participates in the transmission
or processing of data within the computer network.'
notes:
- D3FEND™ Ontology d3f:Host. — https://d3fend.mitre.org/dao/artifact/d3f:Host/
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:Host/
aliases:
- Device
exact_mappings:
- uco_master:Device
is_a: Endpoint
slot_usage:
boot_time:
name: boot_time
description: The time the system was booted.
created_time:
name: created_time
description: The time when the device was known to have been created.
desc:
name: desc
description: The description of the device, ordinarily as reported by the operating
system.
domain:
name: domain
description: 'The network domain where the device resides. For example:
<code>work.example.com</code>.'
first_seen_time:
name: first_seen_time
description: The initial discovery time of the device.
groups:
name: groups
description: 'The group names to which the device belongs. For example: <code>["Windows
Laptops", "Engineering"]</code>.'
hostname:
name: hostname
description: The device hostname.
recommended: true
image:
name: image
description: The image used as a template to run the virtual machine.
ip:
name: ip
description: The device IP address, in either IPv4 or IPv6 format.
last_seen_time:
name: last_seen_time
description: The most recent discovery time of the device.
location:
name: location
description: The geographical location of the device.
model:
name: model
description: The model of the device. For example <code>ThinkPad X1 Carbon</code>.
modified_time:
name: modified_time
description: The time when the device was last known to have been modified.
name:
name: name
description: 'The alternate device name, ordinarily as assigned by an administrator.
<p><b>Note:</b> The <b>Name</b> could be any other string that helps to
identify the device, such as a phone number; for example
<code>310-555-1234</code>.</p>'
org:
name: org
description: Organization and org unit related to the device.
region:
name: region
description: The region where the virtual machine is located. For example, an
AWS Region.
recommended: true
type:
name: type
description: 'The device type. For example: <code>unknown</code>, <code>server</code>,
<code>desktop</code>, <code>laptop</code>, <code>tablet</code>,
<code>mobile</code>, <code>virtual</code>, <code>browser</code>, or
<code>other</code>.'
recommended: true
type_id:
name: type_id
description: The device type ID.
required: true
uid:
name: uid
description: 'The unique identifier of the device. For example the Windows TargetSID
or AWS
EC2 ARN.'
recommended: true
uid_alt:
name: uid_alt
description: 'An alternate unique identifier of the device if any. For example
the
ActiveDirectory DN.'
vendor_name:
name: vendor_name
description: 'The vendor for the device. For example <code>Dell</code> or
<code>Lenovo</code>.'
recommended: true
attributes:
autoscale_uid:
name: autoscale_uid
description: The unique identifier of the cloud autoscale configuration.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Autoscale UID
rank: 1000
alias: autoscale_uid
owner: Device
domain_of:
- Device
range: string
boot_time:
name: boot_time
description: The time the system was booted.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Boot Time
rank: 1000
alias: boot_time
owner: Device
domain_of:
- Device
range: TimestampT
boot_uid:
name: boot_uid
description: 'A unique identifier of the device that changes after every reboot.
For example,
the value of <code>/proc/sys/kernel/random/boot_id</code> from Linux''s procfs.'
notes:
- 'Linux kernel''s documentation —
https://docs.kernel.org/admin-guide/sysctl/kernel.html#random'
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://docs.kernel.org/admin-guide/sysctl/kernel.html#random
aliases:
- Boot UID
rank: 1000
alias: boot_uid
owner: Device
domain_of:
- Device
range: string
created_time:
name: created_time
description: The time when the device was known to have been created.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Created Time
rank: 1000
alias: created_time
owner: Device
domain_of:
- Osint
- RelatedEvent
- Sbom
- Scim
- Session
- Sso
- Token
- Whois
- Resource
- Advisory
- AuthenticationToken
- Certificate
- Cve
- Database
- Databucket
- DigitalSignature
- Enrichment
- Epss
- File
- FindingObject
- FindingInfo
- Job
- KbArticle
- LdapPerson
- ProcessEntity
- Table
- Device
range: TimestampT
desc:
name: desc
description: The description of the device, ordinarily as reported by the operating
system.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Description
rank: 1000
alias: desc
owner: Device
domain_of:
- Osint
- RelatedEvent
- Remediation
- Vulnerability
- Advisory
- Analytic
- ApplicationObject
- Assessment
- Check
- CisBenchmark
- CisBenchmarkResult
- CisControl
- Compliance
- Cve
- Database
- Databucket
- Enrichment
- File
- FindingObject
- FindingInfo
- Graph
- Group
- Job
- Location
- Node
- Policy
- Rule
- Table
- WebResource
- Device
- IncidentFinding
range: string
domain:
name: domain
description: 'The network domain where the device resides. For example:
<code>work.example.com</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Domain
rank: 1000
alias: domain
owner: Device
domain_of:
- Url
- Whois
- Endpoint
- Group
- HttpCookie
- Idp
- User
- Device
range: string
eid:
name: eid
description: 'An Embedded Identity Document, is a unique serial number that identifies
an
eSIM-enabled device.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- EID
rank: 1000
alias: eid
owner: Device
domain_of:
- Device
range: string
first_seen_time:
name: first_seen_time
description: The initial discovery time of the device.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- First Seen
rank: 1000
alias: first_seen_time
owner: Device
domain_of:
- RelatedEvent
- Vulnerability
- FindingObject
- FindingInfo
- IdentityActivityMetrics
- Device
range: TimestampT
groups:
name: groups
description: 'The group names to which the device belongs. For example: <code>["Windows
Laptops", "Engineering"]</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Groups
rank: 1000
alias: groups
owner: Device
domain_of:
- Database
- Databucket
- Table
- User
- Device
range: Group
multivalued: true
hostname:
name: hostname
description: The device hostname.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Hostname
rank: 1000
alias: hostname
owner: Device
domain_of:
- Url
- ApplicationObject
- Databucket
- DnsQuery
- Endpoint
- NetworkInterface
- Reporter
- ResourceDetails
- Device
range: HostnameT
recommended: true
hypervisor:
name: hypervisor
description: 'The name of the hypervisor running on the device. For example,
<code>Xen</code>, <code>VMware</code>, <code>Hyper-V</code>,
<code>VirtualBox</code>, etc.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Hypervisor
rank: 1000
alias: hypervisor
owner: Device
domain_of:
- Device
range: string
iccid:
name: iccid
description: 'The Integrated Circuit Card Identification of a mobile device. Typically
it is
a unique 18 to 22 digit number that identifies a SIM card.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- ICCID
rank: 1000
alias: iccid
owner: Device
domain_of:
- Device
range: string
image:
name: image
description: The image used as a template to run the virtual machine.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Image
rank: 1000
alias: image
owner: Device
domain_of:
- Container
- Device
range: Image
imei:
name: imei
description: The International Mobile Equipment Identity that is associated with
the device.
deprecated: Use the <code>imei_list</code> attribute instead. (since 1.4.0)
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- IMEI
rank: 1000
alias: imei
owner: Device
domain_of:
- Device
range: string
imei_list:
name: imei_list
description: 'The International Mobile Equipment Identity values that are associated
with the
device.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- IMEI List
rank: 1000
alias: imei_list
owner: Device
domain_of:
- Device
range: string
multivalued: true
ip:
name: ip
description: The device IP address, in either IPv4 or IPv6 format.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- IP Address
rank: 1000
alias: ip
owner: Device
domain_of:
- Databucket
- Endpoint
- LoadBalancer
- NetworkInterface
- Reporter
- ResourceDetails
- Device
range: IpT
recommended: true
is_backed_up:
name: is_backed_up
description: 'Indicates whether the device or resource has a backup enabled, such
as an
automated snapshot or a cloud backup. For example, this is indicated by the
<code>cloudBackupEnabled</code> value within JAMF Pro mobile devices or the
registration of an AWS ARN with the AWS Backup service.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Back Ups Configured
rank: 1000
alias: is_backed_up
owner: Device
domain_of:
- Databucket
- ResourceDetails
- Device
range: boolean
is_compliant:
name: is_compliant
description: The event occurred on a compliant device.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Compliant Device
rank: 1000
alias: is_compliant
owner: Device
domain_of:
- Device
range: boolean
is_managed:
name: is_managed
description: The event occurred on a managed device.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Managed Device
rank: 1000
alias: is_managed
owner: Device
domain_of:
- Device
range: boolean
is_mobile_account_active:
name: is_mobile_account_active
description: 'Indicates whether the device has an active mobile account. For example,
this is
indicated by the <code>itunesStoreAccountActive</code> value within JAMF Pro
mobile devices.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Mobile Account Active
rank: 1000
alias: is_mobile_account_active
owner: Device
domain_of:
- Device
range: boolean
is_personal:
name: is_personal
description: The event occurred on a personal device.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Personal Device
rank: 1000
alias: is_personal
owner: Device
domain_of:
- Device
range: boolean
is_shared:
name: is_shared
description: The event occurred on a shared device.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Shared Device
rank: 1000
alias: is_shared
owner: Device
domain_of:
- Device
range: boolean
is_supervised:
name: is_supervised
description: 'The event occurred on a supervised device. Devices that are supervised
are
typically mobile devices managed by a Mobile Device Management solution and
are
restricted from specific behaviors such as Apple AirDrop.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Supervised Device
rank: 1000
alias: is_supervised
owner: Device
domain_of:
- Device
range: boolean
is_trusted:
name: is_trusted
description: The event occurred on a trusted device.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Trusted Device
rank: 1000
alias: is_trusted
owner: Device
domain_of:
- Device
range: boolean
last_seen_time:
name: last_seen_time
description: The most recent discovery time of the device.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Last Seen
rank: 1000
alias: last_seen_time
owner: Device
domain_of:
- RelatedEvent
- Vulnerability
- Whois
- FindingObject
- FindingInfo
- IdentityActivityMetrics
- Device
range: TimestampT
location:
name: location
description: The geographical location of the device.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Geo Location
rank: 1000
alias: location
owner: Device
domain_of:
- Osint
- Aircraft
- DomainContact
- Endpoint
- LdapPerson
- ManagedEntity
- UnmannedAerialSystem
- Device
range: Location
meid:
name: meid
description: 'The Mobile Equipment Identifier. It''s a unique number that identifies
a Code
Division Multiple Access (CDMA) mobile device.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- MEID
rank: 1000
alias: meid
owner: Device
domain_of:
- Device
range: string
model:
name: model
description: The model of the device. For example <code>ThinkPad X1 Carbon</code>.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Model
rank: 1000
alias: model
owner: Device
domain_of:
- Aircraft
- GpuInfo
- PeripheralDevice
- Device
range: string
modified_time:
name: modified_time
description: The time when the device was last known to have been modified.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Modified Time
rank: 1000
alias: modified_time
owner: Device
domain_of:
- Osint
- RelatedEvent
- Scim
- Sso
- Token
- Resource
- Advisory
- Cve
- Database
- Databucket
- File
- FindingObject
- FindingInfo
- LdapPerson
- Metadata
- Table
- Device
- RegKey
- RegValue
range: TimestampT
name:
name: name
description: 'The alternate device name, ordinarily as assigned by an administrator.
<p><b>Note:</b> The <b>Name</b> could be any other string that helps to
identify the device, such as a phone number; for example
<code>310-555-1234</code>.</p>'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Name
rank: 1000
alias: name
owner: Device
domain_of:
- AnalysisTarget
- Observable
- Os
- Osint
- Package
- Parameter
- PrivilegeInfo
- San
- Scim
- Script
- ServicePrivilegeAnalysis
- SoftwareComponent
- Sso
- StartupItem
- ThreatActor
- Token
- Entity
- Resource
- Account
- Agent
- AiModel
- Aircraft
- Analytic
- ApplicationObject
- Assessment
- AutonomousSystem
- Campaign
- Check
- CisBenchmark
- CisBenchmarkResult
- CisControl
- ClassifierDetails
- Container
- D3fTactic
- D3fTechnique
- Database
- Databucket
- DomainContact
- Edge
- Endpoint
- Enrichment
- EnvironmentVariable
- Evidences
- Extension
- Feature
- File
- Graph
- Group
- HttpCookie
- HttpHeader
- Idp
- Image
- Job
- Kernel
- KeyValueObject
- LoadBalancer
- Logger
- Malware
- ManagedEntity
- MessageContext
- Metric
- Mitigation
- NetworkInterface
- Node
- Organization
- PeripheralDevice
- Policy
- ProcessEntity
- Product
- QueryInfo
- Reporter
- ResourceDetails
- Rule
- Scan
- Service
- SubTechnique
- Table
- Tactic
- Technique
- Trait
- TransformationInfo
- UnmannedAerialSystem
- User
- WebResource
- Device
- FtpActivity
- RegValue
- WinResource
- WinService
- PrefetchQuery
range: string
recommended: true
network_interfaces:
name: network_interfaces
description: 'The physical or virtual network interfaces that are associated with
the device,
one for each unique MAC address/IP address/hostname/name
combination.<p><b>Note:</b> The first element of the array is the network
information that pertains to the event.</p>'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Network Interfaces
rank: 1000
alias: network_interfaces
owner: Device
domain_of:
- QueryEvidence
- Device
- NetworksQuery
range: NetworkInterface
multivalued: true
org:
name: org
description: Organization and org unit related to the device.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Organization
rank: 1000
alias: org
owner: Device
domain_of:
- Cloud
- ManagedEntity
- Reporter
- User
- Device
range: Organization
os_machine_uuid:
name: os_machine_uuid
description: 'The operating system assigned Machine ID. In Windows, this is the
value stored
at the registry path:
<code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid</code>.
In
Linux, this is stored in the file: <code>/etc/machine-id</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- OS Machine UUID
rank: 1000
alias: os_machine_uuid
owner: Device
domain_of:
- Device
range: UuidT
region:
name: region
description: The region where the virtual machine is located. For example, an
AWS Region.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Region
rank: 1000
alias: region
owner: Device
domain_of:
- ApplicationObject
- Cloud
- Databucket
- Location
- ResourceDetails
- Device
- CloudResourcesInventoryInfo
range: string
recommended: true
risk_level:
name: risk_level
description: The risk level, normalized to the caption of the risk_level_id value.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Risk Level
rank: 1000
alias: risk_level
owner: Device
domain_of:
- ApplicationObject
- User
- Device
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- SecurityFinding
range: string
risk_level_id:
name: risk_level_id
annotations:
sibling:
tag: sibling
value: risk_level
suppress_checks:
tag: suppress_checks
value: enum_convention
description: The normalized risk level id.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Risk Level ID
rank: 1000
alias: risk_level_id
owner: Device
domain_of:
- ApplicationObject
- User
- Device
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- SecurityFinding
range: RiskLevelIdEnum
risk_score:
name: risk_score
description: The risk score as reported by the event source.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Risk Score
rank: 1000
alias: risk_score
owner: Device
domain_of:
- Osint
- ApplicationObject
- User
- Device
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- SecurityFinding
range: integer
subnet:
name: subnet
description: The subnet mask.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Subnet
rank: 1000
alias: subnet
owner: Device
domain_of:
- Osint
- Whois
- Device
range: SubnetT
type:
name: type
description: 'The device type. For example: <code>unknown</code>, <code>server</code>,
<code>desktop</code>, <code>laptop</code>, <code>tablet</code>,
<code>mobile</code>, <code>virtual</code>, <code>browser</code>, or
<code>other</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Type
rank: 1000
alias: type
owner: Device
domain_of:
- AnalysisTarget
- Observable
- Os
- Osint
- Package
- PrivilegeInfo
- ProgrammaticCredential
- RelatedEvent
- San
- Sbom
- Script
- SoftwareComponent
- StartupItem
- ThreatActor
- Ticket
- Timespan
- TlsExtension
- Token
- Dns
- Resource
- Account
- Agent
- Analytic
- ApplicationObject
- AuthenticationToken
- ClassifierDetails
- Cve
- Database
- Databucket
- DiscoveryDetails
- DnsAnswer
- DomainContact
- EncryptionDetails
- Endpoint
- Enrichment
- File
- Graph
- Group
- Ja4Fingerprint
- Kernel
- ManagedEntity
- Metadata
- Module
- NetworkEndpoint
- NetworkInterface
- Node
- PeripheralDevice
- Policy
- Rule
- Scan
- Trait
- UnmannedAerialSystem
- UnmannedSystemOperatingArea
- User
- WebResource
- Device
- DatastoreActivity
- FtpActivity
- RegValue
- WinResource
range: string
recommended: true
type_id:
name: type_id
annotations:
sibling:
tag: sibling
value: type
description: The device type ID.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Type ID
rank: 1000
alias: type_id
owner: Device
domain_of:
- Observable
- Os
- Osint
- Package
- PrivilegeInfo
- Sbom
- Script
- SoftwareComponent
- StartupItem
- ThreatActor
- Ticket
- Timespan
- TlsExtension
- Token
- Account
- Agent
- Analytic
- AuthenticationToken
- Database
- Databucket
- DomainContact
- Endpoint
- File
- Ja4Fingerprint
- Kernel
- ManagedEntity
- NetworkEndpoint
- NetworkInterface
- PeripheralDevice
- Scan
- UnmannedAerialSystem
- UnmannedSystemOperatingArea
- User
- Device
- DatastoreActivity
- RegValue
- WinResource
range: EndpointTypeIdEnum
required: true
recommended: true
udid:
name: udid
description: 'The Apple assigned Unique Device Identifier (UDID). For iOS, iPadOS,
tvOS,
watchOS and visionOS devices, this is the UDID. For macOS devices, it is the
Provisioning UDID. For example: <code>00008020-008D4548007B4F26</code>'
notes:
- Apple Wiki — https://theapplewiki.com/wiki/UDID
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://theapplewiki.com/wiki/UDID
aliases:
- Unique Device Identifier
rank: 1000
alias: udid
owner: Device
domain_of:
- Device
range: string
uid:
name: uid
description: 'The unique identifier of the device. For example the Windows TargetSID
or AWS
EC2 ARN.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Unique ID
rank: 1000
alias: uid
owner: Device
domain_of:
- Osint
- Package
- ProgrammaticCredential
- RelatedEvent
- Request
- Sbom
- Scim
- Script
- Session
- Span
- Sso
- Ticket
- Token
- Trace
- Entity
- Resource
- Account
- Advisory
- Agent
- AiModel
- Aircraft
- Analytic
- ApplicationObject
- Assessment
- Certificate
- Check
- ClassifierDetails
- Container
- Cve
- Cwe
- D3fTactic
- D3fTechnique
- DataClassification
- Database
- Databucket
- DomainContact
- Edge
- Email
- Endpoint
- Evidences
- Extension
- Feature
- File
- FindingObject
- FindingInfo
- Graph
- Group
- HttpRequest
- Idp
- Image
- KbArticle
- LoadBalancer
- Logger
- Malware
- ManagedEntity
- MessageContext
- Metadata
- Mitigation
- NetworkConnectionInfo
- NetworkEndpoint
- NetworkInterface
- Node
- Organization
- PeripheralDevice
- Policy
- ProcessEntity
- Product
- QueryInfo
- Reporter
- Rule
- Scan
- Service
- SubTechnique
- Table
- Tactic
- Technique
- Trait
- TransformationInfo
- UnmannedAerialSystem
- User
- WebResource
- Device
- WinResource
range: string
recommended: true
uid_alt:
name: uid_alt
description: 'An alternate unique identifier of the device if any. For example the ActiveDirectory DN.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Alternate ID
rank: 1000
alias: uid_alt
owner: Device
domain_of:
- Scim
- Session
- Resource
- Agent
- Aircraft
- ApplicationObject
- FindingInfo
- Group
- UnmannedAerialSystem
- User
- Device
range: string
vendor_name:
name: vendor_name
description: 'The vendor for the device. For example <code>Dell</code> or <code>Lenovo</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Vendor Name
rank: 1000
alias: vendor_name
owner: Device
domain_of:
- Osint
- Package
- Scim
- Sso
- Vulnerability
- Agent
- Cvss
- DeviceHwInfo
- GpuInfo
- PeripheralDevice
- Product
- Device
range: string
recommended: true
agent_list:
name: agent_list
description: 'A list of <code>agent</code> objects associated with a device, endpoint, or resource.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Agent List
rank: 1000
alias: agent_list
owner: Device
domain_of:
- Databucket
- Endpoint
- ResourceDetails
range: Agent
multivalued: true
hw_info:
name: hw_info
description: The endpoint hardware information.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Hardware Info
rank: 1000
alias: hw_info
owner: Device
domain_of:
- Endpoint
- UnmannedAerialSystem
range: DeviceHwInfo
instance_uid:
name: instance_uid
description: The unique identifier of a VM instance.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Instance ID
rank: 1000
alias: instance_uid
owner: Device
domain_of:
- Endpoint
range: string
recommended: true
interface_name:
name: interface_name
description: The name of the network interface (e.g. eth2).
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Network Interface Name
rank: 1000
alias: interface_name
owner: Device
domain_of:
- Endpoint
range: string
recommended: true
interface_uid:
name: interface_uid
description: The unique identifier of the network interface.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Network Interface ID
rank: 1000
alias: interface_uid
owner: Device
domain_of:
- Endpoint
range: string
recommended: true
mac:
name: mac
description: The Media Access Control (MAC) address of the endpoint.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- MAC Address
rank: 1000
alias: mac
owner: Device
domain_of:
- Endpoint
- NetworkInterface
range: MacT
mac_vendor:
name: mac_vendor
description: 'The vendor or manufacturer of the endpoint''s network interface controller (NIC), as identified from the MAC address.'
notes:
- 'IEEE Registration Authority — https://standards.ieee.org/products-programs/regauth/'
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://standards.ieee.org/products-programs/regauth/
aliases:
- MAC Vendor
rank: 1000
alias: mac_vendor
owner: Device
domain_of:
- Endpoint
range: string
os:
name: os
description: The endpoint operating system.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- OS
rank: 1000
alias: os
owner: Device
domain_of:
- Advisory
- Endpoint
- KbArticle
range: Os
owner:
name: owner
description: 'The identity of the service or user account that owns the endpoint or was last logged into it.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Owner
rank: 1000
alias: owner
owner: Device
domain_of:
- AffectedCode
- ApplicationObject
- Databucket
- Endpoint
- File
- ResourceDetails
range: User
recommended: true
pool:
name: pool
description: The pool of desktops or virtual machines to which the endpoint belongs.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Pool
rank: 1000
alias: pool
owner: Device
domain_of:
- Endpoint
range: Group
subnet_uid:
name: subnet_uid
description: The unique identifier of a virtual subnet.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Subnet UID
rank: 1000
alias: subnet_uid
owner: Device
domain_of:
- Endpoint
range: string
vlan_uid:
name: vlan_uid
description: The Virtual LAN identifier.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- VLAN
rank: 1000
alias: vlan_uid
owner: Device
domain_of:
- Endpoint
range: string
vpc_uid:
name: vpc_uid
description: The unique identifier of the Virtual Private Cloud (VPC).
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- VPC UID
rank: 1000
alias: vpc_uid
owner: Device
domain_of:
- Endpoint
range: string
zone:
name: zone
description: The network zone or LAN segment.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Network Zone
rank: 1000
alias: zone
owner: Device
domain_of:
- Token
- Cloud
- Databucket
- Endpoint
- ResourceDetails
range: string
container:
name: container
annotations:
group:
tag: group
value: context
description: 'The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Container
rank: 1000
alias: container
owner: Device
domain_of:
- Evidences
- ContainerProfile
- CloudResourcesInventoryInfo
range: Container
recommended: true
namespace_pid:
name: namespace_pid
annotations:
group:
tag: group
value: context
description: 'If running under a process namespace (such as in a container), the process identifier within that process namespace.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Namespace PID
rank: 1000
alias: namespace_pid
owner: Device
domain_of:
- ContainerProfile
range: integer
recommended: true