Class: Endpoint
The Endpoint object describes a physical or virtual device that connects to and
exchanges information with a computer network. Some examples of endpoints are
mobile devices, desktop computers, virtual machines, embedded devices, and
servers. Internet-of-Things devices—like cameras, lighting, refrigerators,
security systems, smart speakers, and thermostats—are also endpoints.
URI: ocsf:Endpoint
classDiagram
class Endpoint
click Endpoint href "../Endpoint/"
ContainerProfile <|-- Endpoint
click ContainerProfile href "../ContainerProfile/"
Entity <|-- Endpoint
click Entity href "../Entity/"
Endpoint <|-- NetworkEndpoint
click NetworkEndpoint href "../NetworkEndpoint/"
Endpoint <|-- Device
click Device href "../Device/"
Endpoint : agent_list
Endpoint --> "*" Agent : agent_list
click Agent href "../Agent/"
Endpoint : container
Endpoint --> "0..1 _recommended_" Container : container
click Container href "../Container/"
Endpoint : domain
Endpoint : hostname
Endpoint : hw_info
Endpoint --> "0..1" DeviceHwInfo : hw_info
click DeviceHwInfo href "../DeviceHwInfo/"
Endpoint : instance_uid
Endpoint : interface_name
Endpoint : interface_uid
Endpoint : ip
Endpoint : location
Endpoint --> "0..1" Location : location
click Location href "../Location/"
Endpoint : mac
Endpoint : mac_vendor
Endpoint : name
Endpoint : namespace_pid
Endpoint : os
Endpoint --> "0..1" Os : os
click Os href "../Os/"
Endpoint : owner
Endpoint --> "0..1 _recommended_" User : owner
click User href "../User/"
Endpoint : pool
Endpoint --> "0..1" Group : pool
click Group href "../Group/"
Endpoint : subnet_uid
Endpoint : type
Endpoint : type_id
Endpoint --> "0..1 _recommended_" EndpointTypeIdEnum : type_id
click EndpointTypeIdEnum href "../EndpointTypeIdEnum/"
Endpoint : uid
Endpoint : vlan_uid
Endpoint : vpc_uid
Endpoint : zone
Inheritance
- OcsfObject
- Object
- Entity
- Endpoint [ ContainerProfile]
- Entity
- Object
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| agent_list | * Agent | A list of agent objects associated with a device, endpoint, or | direct |
| domain | 0..1 String | The name of the domain that the endpoint belongs to or that corresponds to th... | direct |
| hostname | 0..1 recommended HostnameT | The fully qualified name of the endpoint | direct |
| hw_info | 0..1 DeviceHwInfo | The endpoint hardware information | direct |
| instance_uid | 0..1 recommended String | The unique identifier of a VM instance | direct |
| interface_name | 0..1 recommended String | The name of the network interface (e | direct |
| interface_uid | 0..1 recommended String | The unique identifier of the network interface | direct |
| ip | 0..1 recommended IpT | The IP address of the endpoint, in either IPv4 or IPv6 format | direct |
| location | 0..1 Location | The geographical location of the endpoint | direct |
| mac | 0..1 MacT | The Media Access Control (MAC) address of the endpoint | direct |
| mac_vendor | 0..1 String | The vendor or manufacturer of the endpoint's network interface controller | direct |
| name | 0..1 recommended String | The short name of the endpoint | direct |
| os | 0..1 Os | The endpoint operating system | direct |
| owner | 0..1 recommended User | The identity of the service or user account that owns the endpoint or was las... | direct |
| pool | 0..1 Group | The pool of desktops or virtual machines to which the endpoint belongs | direct |
| subnet_uid | 0..1 String | The unique identifier of a virtual subnet | direct |
| type | 0..1 String | The endpoint type | direct |
| type_id | 0..1 recommended EndpointTypeIdEnum | The endpoint type ID | direct |
| uid | 0..1 recommended String | The unique identifier of the endpoint | direct |
| vlan_uid | 0..1 String | The Virtual LAN identifier | direct |
| vpc_uid | 0..1 String | The unique identifier of the Virtual Private Cloud (VPC) | direct |
| zone | 0..1 String | The network zone or LAN segment | direct |
| container | 0..1 recommended Container | The information describing an instance of a container | ContainerProfile |
| namespace_pid | 0..1 recommended Integer | If running under a process namespace (such as in a container), the process | ContainerProfile |
Rules
| Rule Applied | Preconditions | Postconditions | Elseconditions |
|---|---|---|---|
| any_of | [{'slot_conditions': {'ip': {'required': True}}}, {'slot_conditions': {'uid': {'required': True}}}, {'slot_conditions': {}}, {'slot_conditions': {'hostname': {'required': True}}}, {'slot_conditions': {'instance_uid': {'required': True}}}, {'slot_conditions': {'interface_uid': {'required': True}}}, {'slot_conditions': {'interface_name': {'required': True}}}] |
In Subsets
Aliases
- Endpoint
See Also
Notes
- D3FEND™ Ontology d3f:Host. — https://d3fend.mitre.org/dao/artifact/d3f:ComputerNetworkNode/
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_constraints | {"at_least_one": ["ip", "uid", "name", "hostname", "instance_uid", "interface_uid", "interface_name"]} |
| observable_id | 20 |
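
The `at_least_one` constraint above is the rule that lets an event be tied back to an asset, so it is worth enforcing at ingest. The following is an added example, not code from the OCSF or LinkML projects: a checker for Endpoint objects held as Python dicts, using the slot names from this page. Treating blank strings and empty containers as unset is an assumption of the example, and the sample objects are constructed.

```python
import ipaddress

# Taken from this page: the ocsf_constraints annotation and the Slots table.
AT_LEAST_ONE = ("ip", "uid", "name", "hostname", "instance_uid",
                "interface_uid", "interface_name")
RECOMMENDED = ("hostname", "instance_uid", "interface_name", "interface_uid",
               "ip", "name", "owner", "type_id", "uid", "container",
               "namespace_pid")
KNOWN_SLOTS = frozenset(AT_LEAST_ONE + RECOMMENDED + (
    "agent_list", "domain", "hw_info", "location", "mac", "mac_vendor", "os",
    "pool", "subnet_uid", "type", "vlan_uid", "vpc_uid", "zone"))


def _is_set(value):
    """Assumption of this example: None, blank strings, empty containers are unset."""
    if isinstance(value, str):
        return bool(value.strip())
    if isinstance(value, (list, dict)):
        return bool(value)
    return value is not None


def check_endpoint(obj):
    """Return {'errors': [...], 'warnings': [...]} for one Endpoint object (a dict)."""
    if not isinstance(obj, dict):
        return {"errors": ["endpoint is not an object"], "warnings": []}
    errors, warnings = [], []

    # The rule on the page: at least one identifying slot must be set.
    if not any(_is_set(obj.get(slot)) for slot in AT_LEAST_ONE):
        errors.append("at_least_one violated: set one of " + ", ".join(AT_LEAST_ONE))

    # ip has range IpT, described as IPv4 or IPv6 format, so it must parse as one.
    ip = obj.get("ip")
    if _is_set(ip):
        try:
            if not isinstance(ip, str):
                raise ValueError("ip must be a string")
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append("ip is not a valid IPv4 or IPv6 address")

    # A misspelled key (host_name for hostname) silently leaves the real slot unset.
    unknown = sorted(set(obj) - KNOWN_SLOTS)
    if unknown:
        warnings.append("unknown slots: " + ", ".join(unknown))
    missing = [slot for slot in RECOMMENDED if not _is_set(obj.get(slot))]
    if missing:
        warnings.append("recommended slots not set: " + ", ".join(missing))
    return {"errors": errors, "warnings": warnings}


# Constructed sample objects, not taken from any real telemetry.
SAMPLES = {
    "identified": {"hostname": "web01.example.internal", "ip": "192.0.2.10",
                   "type": "server"},
    "mac_only": {"mac": "00:00:5E:00:53:01", "zone": "dmz"},  # mac is not in the list
    "blank_ids": {"name": "   ", "uid": ""},
    "bad_ip": {"interface_name": "eth2", "ip": "192.0.2.300"},
    "typo_key": {"host_name": "web01.example.internal"},
}


def rejected(samples):
    """Names of the samples that an ingest pipeline should refuse."""
    return sorted(n for n, obj in samples.items() if check_endpoint(obj)["errors"])


if __name__ == "__main__":
    for name, obj in SAMPLES.items():
        print(name, check_endpoint(obj))
```

Note that an object carrying only `mac` fails the rule: `mac` is a slot of Endpoint but is not one of the seven identifiers the constraint accepts.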
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Endpoint |
| native | ocsf:Endpoint |
| broad | stix:Host, uco_master:Device |
LinkML Source
Direct
```yaml
name: Endpoint
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["ip", "uid", "name", "hostname", "instance_uid",
      "interface_uid", "interface_name"]}'
  observable_id:
    tag: observable_id
    value: 20
description: 'The Endpoint object describes a physical or virtual device that connects
  to and
  exchanges information with a computer network. Some examples of endpoints are
  mobile devices, desktop computers, virtual machines, embedded devices, and
  servers. Internet-of-Things devices—like cameras, lighting, refrigerators,
  security systems, smart speakers, and thermostats—are also endpoints.'
notes:
- 'D3FEND™ Ontology d3f:Host. —
  https://d3fend.mitre.org/dao/artifact/d3f:ComputerNetworkNode/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:ComputerNetworkNode/
aliases:
- Endpoint
broad_mappings:
- stix:Host
- uco_master:Device
is_a: Entity
mixins:
- ContainerProfile
slots:
- agent_list
- domain
- hostname
- hw_info
- instance_uid
- interface_name
- interface_uid
- ip
- location
- mac
- mac_vendor
- name
- os
- owner
- pool
- subnet_uid
- type
- type_id
- uid
- vlan_uid
- vpc_uid
- zone
slot_usage:
  domain:
    name: domain
    description: 'The name of the domain that the endpoint belongs to or that corresponds
      to the
      endpoint.'
  hostname:
    name: hostname
    description: The fully qualified name of the endpoint.
    recommended: true
  instance_uid:
    name: instance_uid
    recommended: true
  interface_name:
    name: interface_name
    recommended: true
  interface_uid:
    name: interface_uid
    recommended: true
  ip:
    name: ip
    description: The IP address of the endpoint, in either IPv4 or IPv6 format.
    recommended: true
  location:
    name: location
    description: The geographical location of the endpoint.
  mac:
    name: mac
    description: The Media Access Control (MAC) address of the endpoint.
  mac_vendor:
    name: mac_vendor
    description: 'The vendor or manufacturer of the endpoint''s network interface
      controller
      (NIC), as identified from the MAC address.'
  name:
    name: name
    description: The short name of the endpoint.
  os:
    name: os
    description: The endpoint operating system.
  owner:
    name: owner
    description: 'The identity of the service or user account that owns the endpoint
      or was last
      logged into it.'
    recommended: true
  pool:
    name: pool
    description: The pool of desktops or virtual machines to which the endpoint belongs.
  type:
    name: type
    description: 'The endpoint type. For example: <code>unknown</code>, <code>server</code>,
      <code>desktop</code>, <code>laptop</code>, <code>tablet</code>,
      <code>mobile</code>, <code>virtual</code>, <code>browser</code>, or
      <code>other</code>.'
  type_id:
    name: type_id
    description: The endpoint type ID.
    range: EndpointTypeIdEnum
    recommended: true
  uid:
    name: uid
    description: The unique identifier of the endpoint.
  zone:
    name: zone
    description: The network zone or LAN segment.
rules:
- postconditions:
    any_of:
    - slot_conditions:
        ip:
          name: ip
          required: true
    - slot_conditions:
        uid:
          name: uid
          required: true
    - slot_conditions:
        name:
          name: name
          required: true
    - slot_conditions:
        hostname:
          name: hostname
          required: true
    - slot_conditions:
        instance_uid:
          name: instance_uid
          required: true
    - slot_conditions:
        interface_uid:
          name: interface_uid
          required: true
    - slot_conditions:
        interface_name:
          name: interface_name
          required: true
  description: 'OCSF at_least_one: at least one of [''ip'', ''uid'', ''name'', ''hostname'',
    ''instance_uid'', ''interface_uid'', ''interface_name''] must be set.'
```
Induced
```yaml
name: Endpoint
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["ip", "uid", "name", "hostname", "instance_uid",
      "interface_uid", "interface_name"]}'
  observable_id:
    tag: observable_id
    value: 20
description: 'The Endpoint object describes a physical or virtual device that connects
  to and
  exchanges information with a computer network. Some examples of endpoints are
  mobile devices, desktop computers, virtual machines, embedded devices, and
  servers. Internet-of-Things devices—like cameras, lighting, refrigerators,
  security systems, smart speakers, and thermostats—are also endpoints.'
notes:
- 'D3FEND™ Ontology d3f:Host. —
  https://d3fend.mitre.org/dao/artifact/d3f:ComputerNetworkNode/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:ComputerNetworkNode/
aliases:
- Endpoint
broad_mappings:
- stix:Host
- uco_master:Device
is_a: Entity
mixins:
- ContainerProfile
slot_usage:
  domain:
    name: domain
    description: 'The name of the domain that the endpoint belongs to or that corresponds
      to the
      endpoint.'
  hostname:
    name: hostname
    description: The fully qualified name of the endpoint.
    recommended: true
  instance_uid:
    name: instance_uid
    recommended: true
  interface_name:
    name: interface_name
    recommended: true
  interface_uid:
    name: interface_uid
    recommended: true
  ip:
    name: ip
    description: The IP address of the endpoint, in either IPv4 or IPv6 format.
    recommended: true
  location:
    name: location
    description: The geographical location of the endpoint.
  mac:
    name: mac
    description: The Media Access Control (MAC) address of the endpoint.
  mac_vendor:
    name: mac_vendor
    description: 'The vendor or manufacturer of the endpoint''s network interface
      controller
      (NIC), as identified from the MAC address.'
  name:
    name: name
    description: The short name of the endpoint.
  os:
    name: os
    description: The endpoint operating system.
  owner:
    name: owner
    description: 'The identity of the service or user account that owns the endpoint
      or was last
      logged into it.'
    recommended: true
  pool:
    name: pool
    description: The pool of desktops or virtual machines to which the endpoint belongs.
  type:
    name: type
    description: 'The endpoint type. For example: <code>unknown</code>, <code>server</code>,
      <code>desktop</code>, <code>laptop</code>, <code>tablet</code>,
      <code>mobile</code>, <code>virtual</code>, <code>browser</code>, or
      <code>other</code>.'
  type_id:
    name: type_id
    description: The endpoint type ID.
    range: EndpointTypeIdEnum
    recommended: true
  uid:
    name: uid
    description: The unique identifier of the endpoint.
  zone:
    name: zone
    description: The network zone or LAN segment.
attributes:
  agent_list:
    name: agent_list
    description: 'A list of <code>agent</code> objects associated with a device, endpoint,
      or
      resource.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Agent List
    rank: 1000
    alias: agent_list
    owner: Endpoint
    domain_of:
    - Databucket
    - Endpoint
    - ResourceDetails
    range: Agent
    multivalued: true
  domain:
    name: domain
    description: 'The name of the domain that the endpoint belongs to or that corresponds
      to the
      endpoint.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Domain
    rank: 1000
    alias: domain
    owner: Endpoint
    domain_of:
    - Url
    - Whois
    - Endpoint
    - Group
    - HttpCookie
    - Idp
    - User
    - Device
    range: string
  hostname:
    name: hostname
    description: The fully qualified name of the endpoint.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Hostname
    rank: 1000
    alias: hostname
    owner: Endpoint
    domain_of:
    - Url
    - ApplicationObject
    - Databucket
    - DnsQuery
    - Endpoint
    - NetworkInterface
    - Reporter
    - ResourceDetails
    - Device
    range: HostnameT
    recommended: true
  hw_info:
    name: hw_info
    description: The endpoint hardware information.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Hardware Info
    rank: 1000
    alias: hw_info
    owner: Endpoint
    domain_of:
    - Endpoint
    - UnmannedAerialSystem
    range: DeviceHwInfo
  instance_uid:
    name: instance_uid
    description: The unique identifier of a VM instance.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Instance ID
    rank: 1000
    alias: instance_uid
    owner: Endpoint
    domain_of:
    - Endpoint
    range: string
    recommended: true
  interface_name:
    name: interface_name
    description: The name of the network interface (e.g. eth2).
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Network Interface Name
    rank: 1000
    alias: interface_name
    owner: Endpoint
    domain_of:
    - Endpoint
    range: string
    recommended: true
  interface_uid:
    name: interface_uid
    description: The unique identifier of the network interface.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Network Interface ID
    rank: 1000
    alias: interface_uid
    owner: Endpoint
    domain_of:
    - Endpoint
    range: string
    recommended: true
  ip:
    name: ip
    description: The IP address of the endpoint, in either IPv4 or IPv6 format.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - IP Address
    rank: 1000
    alias: ip
    owner: Endpoint
    domain_of:
    - Databucket
    - Endpoint
    - LoadBalancer
    - NetworkInterface
    - Reporter
    - ResourceDetails
    - Device
    range: IpT
    recommended: true
  location:
    name: location
    description: The geographical location of the endpoint.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Geo Location
    rank: 1000
    alias: location
    owner: Endpoint
    domain_of:
    - Osint
    - Aircraft
    - DomainContact
    - Endpoint
    - LdapPerson
    - ManagedEntity
    - UnmannedAerialSystem
    - Device
    range: Location
  mac:
    name: mac
    description: The Media Access Control (MAC) address of the endpoint.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - MAC Address
    rank: 1000
    alias: mac
    owner: Endpoint
    domain_of:
    - Endpoint
    - NetworkInterface
    range: MacT
  mac_vendor:
    name: mac_vendor
    description: 'The vendor or manufacturer of the endpoint''s network interface
      controller
      (NIC), as identified from the MAC address.'
    notes:
    - 'IEEE Registration Authority —
      https://standards.ieee.org/products-programs/regauth/'
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://standards.ieee.org/products-programs/regauth/
    aliases:
    - MAC Vendor
    rank: 1000
    alias: mac_vendor
    owner: Endpoint
    domain_of:
    - Endpoint
    range: string
  name:
    name: name
    description: The short name of the endpoint.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: Endpoint
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    recommended: true
  os:
    name: os
    description: The endpoint operating system.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - OS
    rank: 1000
    alias: os
    owner: Endpoint
    domain_of:
    - Advisory
    - Endpoint
    - KbArticle
    range: Os
  owner:
    name: owner
    description: 'The identity of the service or user account that owns the endpoint
      or was last
      logged into it.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Owner
    rank: 1000
    alias: owner
    owner: Endpoint
    domain_of:
    - AffectedCode
    - ApplicationObject
    - Databucket
    - Endpoint
    - File
    - ResourceDetails
    range: User
    recommended: true
  pool:
    name: pool
    description: The pool of desktops or virtual machines to which the endpoint belongs.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Pool
    rank: 1000
    alias: pool
    owner: Endpoint
    domain_of:
    - Endpoint
    range: Group
  subnet_uid:
    name: subnet_uid
    description: The unique identifier of a virtual subnet.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Subnet UID
    rank: 1000
    alias: subnet_uid
    owner: Endpoint
    domain_of:
    - Endpoint
    range: string
  type:
    name: type
    description: 'The endpoint type. For example: <code>unknown</code>, <code>server</code>,
      <code>desktop</code>, <code>laptop</code>, <code>tablet</code>,
      <code>mobile</code>, <code>virtual</code>, <code>browser</code>, or
      <code>other</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type
    rank: 1000
    alias: type
    owner: Endpoint
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - ProgrammaticCredential
    - RelatedEvent
    - San
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Dns
    - Resource
    - Account
    - Agent
    - Analytic
    - ApplicationObject
    - AuthenticationToken
    - ClassifierDetails
    - Cve
    - Database
    - Databucket
    - DiscoveryDetails
    - DnsAnswer
    - DomainContact
    - EncryptionDetails
    - Endpoint
    - Enrichment
    - File
    - Graph
    - Group
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - Metadata
    - Module
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - PeripheralDevice
    - Policy
    - Rule
    - Scan
    - Trait
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - WebResource
    - Device
    - DatastoreActivity
    - FtpActivity
    - RegValue
    - WinResource
    range: string
  type_id:
    name: type_id
    annotations:
      sibling:
        tag: sibling
        value: type
    description: The endpoint type ID.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type ID
    rank: 1000
    alias: type_id
    owner: Endpoint
    domain_of:
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Account
    - Agent
    - Analytic
    - AuthenticationToken
    - Database
    - Databucket
    - DomainContact
    - Endpoint
    - File
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - NetworkEndpoint
    - NetworkInterface
    - PeripheralDevice
    - Scan
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - Device
    - DatastoreActivity
    - RegValue
    - WinResource
    range: EndpointTypeIdEnum
    recommended: true
  uid:
    name: uid
    description: The unique identifier of the endpoint.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: Endpoint
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    recommended: true
  vlan_uid:
    name: vlan_uid
    description: The Virtual LAN identifier.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - VLAN
    rank: 1000
    alias: vlan_uid
    owner: Endpoint
    domain_of:
    - Endpoint
    range: string
  vpc_uid:
    name: vpc_uid
    description: The unique identifier of the Virtual Private Cloud (VPC).
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - VPC UID
    rank: 1000
    alias: vpc_uid
    owner: Endpoint
    domain_of:
    - Endpoint
    range: string
  zone:
    name: zone
    description: The network zone or LAN segment.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Network Zone
    rank: 1000
    alias: zone
    owner: Endpoint
    domain_of:
    - Token
    - Cloud
    - Databucket
    - Endpoint
    - ResourceDetails
    range: string
  container:
    name: container
    annotations:
      group:
        tag: group
        value: context
    description: 'The information describing an instance of a container. A container
      is a
      prepackaged, portable system image that runs isolated on an existing system
      using a container runtime like containerd.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Container
    rank: 1000
    alias: container
    owner: Endpoint
    domain_of:
    - Evidences
    - ContainerProfile
    - CloudResourcesInventoryInfo
    range: Container
    recommended: true
  namespace_pid:
    name: namespace_pid
    annotations:
      group:
        tag: group
        value: context
    description: 'If running under a process namespace (such as in a container), the
      process
      identifier within that process namespace.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Namespace PID
    rank: 1000
    alias: namespace_pid
    owner: Endpoint
    domain_of:
    - ContainerProfile
    range: integer
    recommended: true
rules:
- postconditions:
    any_of:
    - slot_conditions:
        ip:
          name: ip
          required: true
    - slot_conditions:
        uid:
          name: uid
          required: true
    - slot_conditions:
        name:
          name: name
          required: true
    - slot_conditions:
        hostname:
          name: hostname
          required: true
    - slot_conditions:
        instance_uid:
          name: instance_uid
          required: true
    - slot_conditions:
        interface_uid:
          name: interface_uid
          required: true
    - slot_conditions:
        interface_name:
          name: interface_name
          required: true
  description: 'OCSF at_least_one: at least one of [''ip'', ''uid'', ''name'', ''hostname'',
    ''instance_uid'', ''interface_uid'', ''interface_name''] must be set.'
```