Class: NetworkEndpoint

The Network Endpoint object describes characteristics of a network endpoint.

These can be a source or destination of a network connection.

URI: ocsf:NetworkEndpoint

classDiagram
    class NetworkEndpoint
    click NetworkEndpoint href "../NetworkEndpoint/"
      Endpoint <|-- NetworkEndpoint
        click Endpoint href "../Endpoint/"
      NetworkEndpoint <|-- NetworkProxy
        click NetworkProxy href "../NetworkProxy/"
      NetworkEndpoint : agent_list
        NetworkEndpoint --> "*" Agent : agent_list
        click Agent href "../Agent/"
      NetworkEndpoint : autonomous_system
        NetworkEndpoint --> "0..1" AutonomousSystem : autonomous_system
        click AutonomousSystem href "../AutonomousSystem/"
      NetworkEndpoint : container
        NetworkEndpoint --> "0..1 _recommended_" Container : container
        click Container href "../Container/"
      NetworkEndpoint : domain
      NetworkEndpoint : fingerprints
        NetworkEndpoint --> "*" Fingerprint : fingerprints
        click Fingerprint href "../Fingerprint/"
      NetworkEndpoint : hostname
      NetworkEndpoint : hw_info
        NetworkEndpoint --> "0..1" DeviceHwInfo : hw_info
        click DeviceHwInfo href "../DeviceHwInfo/"
      NetworkEndpoint : instance_uid
      NetworkEndpoint : interface_name
      NetworkEndpoint : interface_uid
      NetworkEndpoint : intermediate_ips
      NetworkEndpoint : ip
      NetworkEndpoint : isp
      NetworkEndpoint : isp_org
      NetworkEndpoint : location
        NetworkEndpoint --> "0..1" Location : location
        click Location href "../Location/"
      NetworkEndpoint : mac
      NetworkEndpoint : mac_vendor
      NetworkEndpoint : name
      NetworkEndpoint : namespace_pid
      NetworkEndpoint : network_scope
      NetworkEndpoint : network_scope_id
        NetworkEndpoint --> "0..1" NetworkScopeIdEnum : network_scope_id
        click NetworkScopeIdEnum href "../NetworkScopeIdEnum/"
      NetworkEndpoint : os
        NetworkEndpoint --> "0..1" Os : os
        click Os href "../Os/"
      NetworkEndpoint : owner
        NetworkEndpoint --> "0..1 _recommended_" User : owner
        click User href "../User/"
      NetworkEndpoint : pool
        NetworkEndpoint --> "0..1" Group : pool
        click Group href "../Group/"
      NetworkEndpoint : port
      NetworkEndpoint : proxy_endpoint
        NetworkEndpoint --> "0..1" NetworkProxy : proxy_endpoint
        click NetworkProxy href "../NetworkProxy/"
      NetworkEndpoint : subnet_uid
      NetworkEndpoint : svc_name
      NetworkEndpoint : type
      NetworkEndpoint : type_id
        NetworkEndpoint --> "0..1 _recommended_" EndpointTypeIdEnum : type_id
        click EndpointTypeIdEnum href "../EndpointTypeIdEnum/"
      NetworkEndpoint : uid
      NetworkEndpoint : vlan_uid
      NetworkEndpoint : vpc_uid
      NetworkEndpoint : zone

Inheritance

Slots

| Name | Cardinality and Range | Description | Inheritance |
| --- | --- | --- | --- |
| autonomous_system | 0..1 AutonomousSystem | The Autonomous System details associated with an IP address | direct |
| fingerprints | * Fingerprint | Fingerprints that identify the specific application implementation on this | direct |
| intermediate_ips | * IpT | The intermediate IP Addresses | direct |
| isp | 0..1 String | The name of the Internet Service Provider (ISP) | direct |
| isp_org | 0..1 String | The organization name of the Internet Service Provider (ISP) | direct |
| network_scope | 0..1 String | Indicates whether the endpoint resides inside the customer’s network, outside | direct |
| network_scope_id | 0..1 NetworkScopeIdEnum | The normalized identifier of the endpoint’s network scope | direct |
| port | 0..1 recommended PortT | The port used for communication within the network connection | direct |
| proxy_endpoint | 0..1 NetworkProxy | The network proxy information pertaining to a specific endpoint | direct |
| svc_name | 0..1 recommended String | The service name in service-to-service connections | direct |
| type | 0..1 String | The network endpoint type | direct |
| type_id | 0..1 recommended EndpointTypeIdEnum | The network endpoint type ID | direct |
| uid | 0..1 recommended String | The unique identifier of the endpoint | direct |
| agent_list | * Agent | A list of agent objects associated with a device, endpoint, or | Endpoint |
| domain | 0..1 String | The name of the domain that the endpoint belongs to or that corresponds to th... | Endpoint |
| hostname | 0..1 recommended HostnameT | The fully qualified name of the endpoint | Endpoint |
| hw_info | 0..1 DeviceHwInfo | The endpoint hardware information | Endpoint |
| instance_uid | 0..1 recommended String | The unique identifier of a VM instance | Endpoint |
| interface_name | 0..1 recommended String | The name of the network interface (e | Endpoint |
| interface_uid | 0..1 recommended String | The unique identifier of the network interface | Endpoint |
| ip | 0..1 recommended IpT | The IP address of the endpoint, in either IPv4 or IPv6 format | Endpoint |
| location | 0..1 Location | The geographical location of the endpoint | Endpoint |
| mac | 0..1 MacT | The Media Access Control (MAC) address of the endpoint | Endpoint |
| mac_vendor | 0..1 String | The vendor or manufacturer of the endpoint's network interface controller | Endpoint |
| name | 0..1 recommended String | The short name of the endpoint | Endpoint, Entity |
| os | 0..1 Os | The endpoint operating system | Endpoint |
| owner | 0..1 recommended User | The identity of the service or user account that owns the endpoint or was las... | Endpoint |
| pool | 0..1 Group | The pool of desktops or virtual machines to which the endpoint belongs | Endpoint |
| subnet_uid | 0..1 String | The unique identifier of a virtual subnet | Endpoint |
| vlan_uid | 0..1 String | The Virtual LAN identifier | Endpoint |
| vpc_uid | 0..1 String | The unique identifier of the Virtual Private Cloud (VPC) | Endpoint |
| zone | 0..1 String | The network zone or LAN segment | Endpoint |
| container | 0..1 recommended Container | The information describing an instance of a container | ContainerProfile |
| namespace_pid | 0..1 recommended Integer | If running under a process namespace (such as in a container), the process | ContainerProfile |

Usages

used by used in type used
EndpointConnection network_endpoint range NetworkEndpoint
Evidences dst_endpoint range NetworkEndpoint
Evidences src_endpoint range NetworkEndpoint
LoadBalancer dst_endpoint range NetworkEndpoint
ApiActivity dst_endpoint range NetworkEndpoint
ApiActivity src_endpoint range NetworkEndpoint
DatastoreActivity dst_endpoint range NetworkEndpoint
DatastoreActivity src_endpoint range NetworkEndpoint
FileHosting dst_endpoint range NetworkEndpoint
FileHosting src_endpoint range NetworkEndpoint
WebResourceAccessActivity src_endpoint range NetworkEndpoint
WebResourcesActivity dst_endpoint range NetworkEndpoint
WebResourcesActivity src_endpoint range NetworkEndpoint
DataSecurityFinding dst_endpoint range NetworkEndpoint
DataSecurityFinding src_endpoint range NetworkEndpoint
IamEvent src_endpoint range NetworkEndpoint
AccountChange src_endpoint range NetworkEndpoint
Authentication dst_endpoint range NetworkEndpoint
Authentication src_endpoint range NetworkEndpoint
AuthorizeSession dst_endpoint range NetworkEndpoint
AuthorizeSession src_endpoint range NetworkEndpoint
EntityManagement src_endpoint range NetworkEndpoint
GroupManagement src_endpoint range NetworkEndpoint
UserAccess src_endpoint range NetworkEndpoint
NetworkEvent dst_endpoint range NetworkEndpoint
NetworkEvent network_observation_point range NetworkEndpoint
NetworkEvent src_endpoint range NetworkEndpoint
DhcpActivity dst_endpoint range NetworkEndpoint
DhcpActivity src_endpoint range NetworkEndpoint
DhcpActivity network_observation_point range NetworkEndpoint
DnsActivity dst_endpoint range NetworkEndpoint
DnsActivity network_observation_point range NetworkEndpoint
DnsActivity src_endpoint range NetworkEndpoint
EmailActivity dst_endpoint range NetworkEndpoint
EmailActivity src_endpoint range NetworkEndpoint
FtpActivity dst_endpoint range NetworkEndpoint
FtpActivity network_observation_point range NetworkEndpoint
FtpActivity src_endpoint range NetworkEndpoint
HttpActivity dst_endpoint range NetworkEndpoint
HttpActivity network_observation_point range NetworkEndpoint
HttpActivity src_endpoint range NetworkEndpoint
NetworkActivity dst_endpoint range NetworkEndpoint
NetworkActivity src_endpoint range NetworkEndpoint
NetworkActivity network_observation_point range NetworkEndpoint
NetworkFileActivity dst_endpoint range NetworkEndpoint
NetworkFileActivity src_endpoint range NetworkEndpoint
NetworkFileActivity network_observation_point range NetworkEndpoint
NtpActivity dst_endpoint range NetworkEndpoint
NtpActivity network_observation_point range NetworkEndpoint
NtpActivity src_endpoint range NetworkEndpoint
RdpActivity dst_endpoint range NetworkEndpoint
RdpActivity network_observation_point range NetworkEndpoint
RdpActivity src_endpoint range NetworkEndpoint
SmbActivity dst_endpoint range NetworkEndpoint
SmbActivity network_observation_point range NetworkEndpoint
SmbActivity src_endpoint range NetworkEndpoint
SshActivity dst_endpoint range NetworkEndpoint
SshActivity network_observation_point range NetworkEndpoint
SshActivity src_endpoint range NetworkEndpoint
TunnelActivity dst_endpoint range NetworkEndpoint
TunnelActivity src_endpoint range NetworkEndpoint
TunnelActivity network_observation_point range NetworkEndpoint
EventLogActvity dst_endpoint range NetworkEndpoint
EventLogActvity src_endpoint range NetworkEndpoint
UnmannedSystemsEvent dst_endpoint range NetworkEndpoint
UnmannedSystemsEvent src_endpoint range NetworkEndpoint
AirborneBroadcastActivity dst_endpoint range NetworkEndpoint
AirborneBroadcastActivity src_endpoint range NetworkEndpoint
DroneFlightsActivity src_endpoint range NetworkEndpoint
DroneFlightsActivity dst_endpoint range NetworkEndpoint
WindowsEvidences dst_endpoint range NetworkEndpoint
WindowsEvidences src_endpoint range NetworkEndpoint

Rules

Rule Applied Preconditions Postconditions Elseconditions
any_of [{'slot_conditions': {'ip': {'required': True}}}, {'slot_conditions': {'uid': {'required': True}}}, {'slot_conditions': {'name': {'required': True}}}, {'slot_conditions': {'hostname': {'required': True}}}, {'slot_conditions': {'svc_name': {'required': True}}}, {'slot_conditions': {'instance_uid': {'required': True}}}, {'slot_conditions': {'interface_uid': {'required': True}}}, {'slot_conditions': {'interface_name': {'required': True}}}, {'slot_conditions': {'domain': {'required': True}}}]

In Subsets

Aliases

  • Network Endpoint

See Also

Notes

Identifier and Mapping Information

Annotations

property value
ocsf_constraints {"at_least_one": ["ip", "uid", "name", "hostname", "svc_name", "instance_uid", "interface_uid", "interface_name", "domain"]}

Schema Source

Mappings

Mapping Type Mapped Value
self ocsf:NetworkEndpoint
native ocsf:NetworkEndpoint

LinkML Source

Direct

name: NetworkEndpoint
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["ip", "uid", "name", "hostname", "svc_name", "instance_uid",

      "interface_uid", "interface_name", "domain"]}'
description: 'The Network Endpoint object describes characteristics of a network endpoint.

  These can be a source or destination of a network connection.'
notes:
- 'D3FEND™ Ontology d3f:ComputerNetworkNode. 

  https://d3fend.mitre.org/dao/artifact/d3f:ComputerNetworkNode/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:ComputerNetworkNode/
aliases:
- Network Endpoint
is_a: Endpoint
slots:
- autonomous_system
- fingerprints
- intermediate_ips
- isp
- isp_org
- network_scope
- network_scope_id
- port
- proxy_endpoint
- svc_name
- type
- type_id
- uid
slot_usage:
  fingerprints:
    name: fingerprints
    description: 'Fingerprints that identify the specific application implementation
      on this

      endpoint, such as Cisco NPF or HASSH.'
  port:
    name: port
    description: The port used for communication within the network connection.
    recommended: true
  proxy_endpoint:
    name: proxy_endpoint
    description: 'The network proxy information pertaining to a specific endpoint.
      This can be

      used to describe information pertaining to network address translation (NAT).'
  svc_name:
    name: svc_name
    recommended: true
  type:
    name: type
    description: 'The network endpoint type. For example: <code>unknown</code>,

      <code>server</code>, <code>desktop</code>, <code>laptop</code>,

      <code>tablet</code>, <code>mobile</code>, <code>virtual</code>,

      <code>browser</code>, or <code>other</code>.'
  type_id:
    name: type_id
    description: The network endpoint type ID.
rules:
- postconditions:
    any_of:
    - slot_conditions:
        ip:
          name: ip
          required: true
    - slot_conditions:
        uid:
          name: uid
          required: true
    - slot_conditions:
        name:
          name: name
          required: true
    - slot_conditions:
        hostname:
          name: hostname
          required: true
    - slot_conditions:
        svc_name:
          name: svc_name
          required: true
    - slot_conditions:
        instance_uid:
          name: instance_uid
          required: true
    - slot_conditions:
        interface_uid:
          name: interface_uid
          required: true
    - slot_conditions:
        interface_name:
          name: interface_name
          required: true
    - slot_conditions:
        domain:
          name: domain
          required: true
  description: 'OCSF at_least_one: at least one of [''ip'', ''uid'', ''name'', ''hostname'',

    ''svc_name'', ''instance_uid'', ''interface_uid'', ''interface_name'', ''domain'']
    must

    be set.'

Induced

name: NetworkEndpoint
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["ip", "uid", "name", "hostname", "svc_name", "instance_uid",

      "interface_uid", "interface_name", "domain"]}'
description: 'The Network Endpoint object describes characteristics of a network endpoint.

  These can be a source or destination of a network connection.'
notes:
- 'D3FEND™ Ontology d3f:ComputerNetworkNode. 

  https://d3fend.mitre.org/dao/artifact/d3f:ComputerNetworkNode/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:ComputerNetworkNode/
aliases:
- Network Endpoint
is_a: Endpoint
slot_usage:
  fingerprints:
    name: fingerprints
    description: 'Fingerprints that identify the specific application implementation
      on this

      endpoint, such as Cisco NPF or HASSH.'
  port:
    name: port
    description: The port used for communication within the network connection.
    recommended: true
  proxy_endpoint:
    name: proxy_endpoint
    description: 'The network proxy information pertaining to a specific endpoint.
      This can be

      used to describe information pertaining to network address translation (NAT).'
  svc_name:
    name: svc_name
    recommended: true
  type:
    name: type
    description: 'The network endpoint type. For example: <code>unknown</code>,

      <code>server</code>, <code>desktop</code>, <code>laptop</code>,

      <code>tablet</code>, <code>mobile</code>, <code>virtual</code>,

      <code>browser</code>, or <code>other</code>.'
  type_id:
    name: type_id
    description: The network endpoint type ID.
attributes:
  autonomous_system:
    name: autonomous_system
    description: The Autonomous System details associated with an IP address.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Autonomous System
    rank: 1000
    alias: autonomous_system
    owner: NetworkEndpoint
    domain_of:
    - Osint
    - Whois
    - NetworkEndpoint
    range: AutonomousSystem
  fingerprints:
    name: fingerprints
    description: 'Fingerprints that identify the specific application implementation
      on this

      endpoint, such as Cisco NPF or HASSH.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Fingerprints
    rank: 1000
    alias: fingerprints
    owner: NetworkEndpoint
    domain_of:
    - Certificate
    - NetworkEndpoint
    range: Fingerprint
    multivalued: true
  intermediate_ips:
    name: intermediate_ips
    description: 'The intermediate IP Addresses. For example, the IP addresses in
      the HTTP

      X-Forwarded-For header.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Intermediate IP Addresses
    rank: 1000
    alias: intermediate_ips
    owner: NetworkEndpoint
    domain_of:
    - NetworkEndpoint
    range: IpT
    multivalued: true
  isp:
    name: isp
    description: The name of the Internet Service Provider (ISP).
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - ISP Name
    rank: 1000
    alias: isp
    owner: NetworkEndpoint
    domain_of:
    - Whois
    - Location
    - NetworkEndpoint
    range: string
  isp_org:
    name: isp_org
    description: 'The organization name of the Internet Service Provider (ISP). This
      represents

      the parent organization or company that owns/operates the ISP. For example,

      Comcast Corporation would be the ISP org for Xfinity internet service. This

      attribute helps identify the ultimate provider when ISPs operate under

      different brand names.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - ISP Org
    rank: 1000
    alias: isp_org
    owner: NetworkEndpoint
    domain_of:
    - Whois
    - NetworkEndpoint
    range: string
  network_scope:
    name: network_scope
    description: 'Indicates whether the endpoint resides inside the customer’s network,
      outside

      on the Internet, or if its location relative to the customer’s network cannot

      be determined. The value is normalized to the caption of the

      <code>network_scope_id</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Network Scope
    rank: 1000
    alias: network_scope
    owner: NetworkEndpoint
    domain_of:
    - NetworkEndpoint
    range: string
  network_scope_id:
    name: network_scope_id
    annotations:
      sibling:
        tag: sibling
        value: network_scope
    description: 'The normalized identifier of the endpoint’s network scope. The normalized

      network scope identifier indicates whether the endpoint resides inside the

      customer’s network, outside on the Internet, or if its location relative to
      the

      customer’s network cannot be determined.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Network Scope ID
    rank: 1000
    alias: network_scope_id
    owner: NetworkEndpoint
    domain_of:
    - NetworkEndpoint
    range: NetworkScopeIdEnum
  port:
    name: port
    description: The port used for communication within the network connection.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Port
    rank: 1000
    alias: port
    owner: NetworkEndpoint
    domain_of:
    - PortInfo
    - Url
    - NetworkEndpoint
    - FtpActivity
    range: PortT
    recommended: true
  proxy_endpoint:
    name: proxy_endpoint
    description: 'The network proxy information pertaining to a specific endpoint.
      This can be

      used to describe information pertaining to network address translation (NAT).'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Proxy Endpoint
    rank: 1000
    alias: proxy_endpoint
    owner: NetworkEndpoint
    domain_of:
    - NetworkEndpoint
    - NetworkProxyProfile
    - UnmannedSystemsEvent
    range: NetworkProxy
  svc_name:
    name: svc_name
    description: 'The service name in service-to-service connections. For example,
      AWS VPC logs

      the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection

      is coming from or going to an AWS service.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Service Name
    rank: 1000
    alias: svc_name
    owner: NetworkEndpoint
    domain_of:
    - NetworkEndpoint
    - WinResource
    range: string
    recommended: true
  type:
    name: type
    description: 'The network endpoint type. For example: <code>unknown</code>,

      <code>server</code>, <code>desktop</code>, <code>laptop</code>,

      <code>tablet</code>, <code>mobile</code>, <code>virtual</code>,

      <code>browser</code>, or <code>other</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type
    rank: 1000
    alias: type
    owner: NetworkEndpoint
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - ProgrammaticCredential
    - RelatedEvent
    - San
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Dns
    - Resource
    - Account
    - Agent
    - Analytic
    - ApplicationObject
    - AuthenticationToken
    - ClassifierDetails
    - Cve
    - Database
    - Databucket
    - DiscoveryDetails
    - DnsAnswer
    - DomainContact
    - EncryptionDetails
    - Endpoint
    - Enrichment
    - File
    - Graph
    - Group
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - Metadata
    - Module
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - PeripheralDevice
    - Policy
    - Rule
    - Scan
    - Trait
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - WebResource
    - Device
    - DatastoreActivity
    - FtpActivity
    - RegValue
    - WinResource
    range: string
  type_id:
    name: type_id
    annotations:
      sibling:
        tag: sibling
        value: type
    description: The network endpoint type ID.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type ID
    rank: 1000
    alias: type_id
    owner: NetworkEndpoint
    domain_of:
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Account
    - Agent
    - Analytic
    - AuthenticationToken
    - Database
    - Databucket
    - DomainContact
    - Endpoint
    - File
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - NetworkEndpoint
    - NetworkInterface
    - PeripheralDevice
    - Scan
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - Device
    - DatastoreActivity
    - RegValue
    - WinResource
    range: EndpointTypeIdEnum
    recommended: true
  uid:
    name: uid
    description: The unique identifier of the endpoint.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: NetworkEndpoint
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    recommended: true
  agent_list:
    name: agent_list
    description: 'A list of <code>agent</code> objects associated with a device, endpoint,
      or

      resource.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Agent List
    rank: 1000
    alias: agent_list
    owner: NetworkEndpoint
    domain_of:
    - Databucket
    - Endpoint
    - ResourceDetails
    range: Agent
    multivalued: true
  domain:
    name: domain
    description: 'The name of the domain that the endpoint belongs to or that corresponds
      to the

      endpoint.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Domain
    rank: 1000
    alias: domain
    owner: NetworkEndpoint
    domain_of:
    - Url
    - Whois
    - Endpoint
    - Group
    - HttpCookie
    - Idp
    - User
    - Device
    range: string
  hostname:
    name: hostname
    description: The fully qualified name of the endpoint.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Hostname
    rank: 1000
    alias: hostname
    owner: NetworkEndpoint
    domain_of:
    - Url
    - ApplicationObject
    - Databucket
    - DnsQuery
    - Endpoint
    - NetworkInterface
    - Reporter
    - ResourceDetails
    - Device
    range: HostnameT
    recommended: true
  hw_info:
    name: hw_info
    description: The endpoint hardware information.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Hardware Info
    rank: 1000
    alias: hw_info
    owner: NetworkEndpoint
    domain_of:
    - Endpoint
    - UnmannedAerialSystem
    range: DeviceHwInfo
  instance_uid:
    name: instance_uid
    description: The unique identifier of a VM instance.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Instance ID
    rank: 1000
    alias: instance_uid
    owner: NetworkEndpoint
    domain_of:
    - Endpoint
    range: string
    recommended: true
  interface_name:
    name: interface_name
    description: The name of the network interface (e.g. eth2).
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Network Interface Name
    rank: 1000
    alias: interface_name
    owner: NetworkEndpoint
    domain_of:
    - Endpoint
    range: string
    recommended: true
  interface_uid:
    name: interface_uid
    description: The unique identifier of the network interface.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Network Interface ID
    rank: 1000
    alias: interface_uid
    owner: NetworkEndpoint
    domain_of:
    - Endpoint
    range: string
    recommended: true
  ip:
    name: ip
    description: The IP address of the endpoint, in either IPv4 or IPv6 format.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - IP Address
    rank: 1000
    alias: ip
    owner: NetworkEndpoint
    domain_of:
    - Databucket
    - Endpoint
    - LoadBalancer
    - NetworkInterface
    - Reporter
    - ResourceDetails
    - Device
    range: IpT
    recommended: true
  location:
    name: location
    description: The geographical location of the endpoint.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Geo Location
    rank: 1000
    alias: location
    owner: NetworkEndpoint
    domain_of:
    - Osint
    - Aircraft
    - DomainContact
    - Endpoint
    - LdapPerson
    - ManagedEntity
    - UnmannedAerialSystem
    - Device
    range: Location
  mac:
    name: mac
    description: The Media Access Control (MAC) address of the endpoint.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - MAC Address
    rank: 1000
    alias: mac
    owner: NetworkEndpoint
    domain_of:
    - Endpoint
    - NetworkInterface
    range: MacT
  mac_vendor:
    name: mac_vendor
    description: 'The vendor or manufacturer of the endpoint''s network interface
      controller

      (NIC), as identified from the MAC address.'
    notes:
    - 'IEEE Registration Authority 

      https://standards.ieee.org/products-programs/regauth/'
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://standards.ieee.org/products-programs/regauth/
    aliases:
    - MAC Vendor
    rank: 1000
    alias: mac_vendor
    owner: NetworkEndpoint
    domain_of:
    - Endpoint
    range: string
  name:
    name: name
    description: The short name of the endpoint.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: NetworkEndpoint
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    recommended: true
  os:
    name: os
    description: The endpoint operating system.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - OS
    rank: 1000
    alias: os
    owner: NetworkEndpoint
    domain_of:
    - Advisory
    - Endpoint
    - KbArticle
    range: Os
  owner:
    name: owner
    description: 'The identity of the service or user account that owns the endpoint
      or was last

      logged into it.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Owner
    rank: 1000
    alias: owner
    owner: NetworkEndpoint
    domain_of:
    - AffectedCode
    - ApplicationObject
    - Databucket
    - Endpoint
    - File
    - ResourceDetails
    range: User
    recommended: true
  pool:
    name: pool
    description: The pool of desktops or virtual machines to which the endpoint belongs.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Pool
    rank: 1000
    alias: pool
    owner: NetworkEndpoint
    domain_of:
    - Endpoint
    range: Group
  subnet_uid:
    name: subnet_uid
    description: The unique identifier of a virtual subnet.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Subnet UID
    rank: 1000
    alias: subnet_uid
    owner: NetworkEndpoint
    domain_of:
    - Endpoint
    range: string
  vlan_uid:
    name: vlan_uid
    description: The Virtual LAN identifier.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - VLAN
    rank: 1000
    alias: vlan_uid
    owner: NetworkEndpoint
    domain_of:
    - Endpoint
    range: string
  vpc_uid:
    name: vpc_uid
    description: The unique identifier of the Virtual Private Cloud (VPC).
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - VPC UID
    rank: 1000
    alias: vpc_uid
    owner: NetworkEndpoint
    domain_of:
    - Endpoint
    range: string
  zone:
    name: zone
    description: The network zone or LAN segment.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Network Zone
    rank: 1000
    alias: zone
    owner: NetworkEndpoint
    domain_of:
    - Token
    - Cloud
    - Databucket
    - Endpoint
    - ResourceDetails
    range: string
  container:
    name: container
    annotations:
      group:
        tag: group
        value: context
    description: 'The information describing an instance of a container. A container
      is a

      prepackaged, portable system image that runs isolated on an existing system

      using a container runtime like containerd.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Container
    rank: 1000
    alias: container
    owner: NetworkEndpoint
    domain_of:
    - Evidences
    - ContainerProfile
    - CloudResourcesInventoryInfo
    range: Container
    recommended: true
  namespace_pid:
    name: namespace_pid
    annotations:
      group:
        tag: group
        value: context
    description: 'If running under a process namespace (such as in a container), the
      process

      identifier within that process namespace.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Namespace PID
    rank: 1000
    alias: namespace_pid
    owner: NetworkEndpoint
    domain_of:
    - ContainerProfile
    range: integer
    recommended: true
rules:
- postconditions:
    any_of:
    - slot_conditions:
        ip:
          name: ip
          required: true
    - slot_conditions:
        uid:
          name: uid
          required: true
    - slot_conditions:
        name:
          name: name
          required: true
    - slot_conditions:
        hostname:
          name: hostname
          required: true
    - slot_conditions:
        svc_name:
          name: svc_name
          required: true
    - slot_conditions:
        instance_uid:
          name: instance_uid
          required: true
    - slot_conditions:
        interface_uid:
          name: interface_uid
          required: true
    - slot_conditions:
        interface_name:
          name: interface_name
          required: true
    - slot_conditions:
        domain:
          name: domain
          required: true
  description: 'OCSF at_least_one: at least one of [''ip'', ''uid'', ''name'', ''hostname'',

    ''svc_name'', ''instance_uid'', ''interface_uid'', ''interface_name'', ''domain'']
    must

    be set.'