Agent
Agent is a searchable entity at the top of Query's UI.
agent
An Agent (also known as a Sensor) is typically installed on an Operating System (OS) and serves as a specialized software component that can be designed to monitor, detect, collect, archive, or take action. These activities and possible actions are defined by the upstream system controlling the Agent and its intended purpose. For instance, an Agent can include Endpoint Detection & Response (EDR) agents, backup/disaster recovery sensors, Application Performance Monitoring or profiling sensors, and similar software.
Contents
Attributes
| Caption | Name | Type | Is Array | Default | Description |
|---|---|---|---|---|---|
| Agent Name | name | String |
The name of the agent or sensor. For example: AWS SSM Agent.
|
||
| Agent Policies | policies | Policy | Describes the various policies that may be applied or enforced by an agent or sensor. E.g., Conditional Access, prevention, auto-update, tamper protection, destination configuration, etc. | ||
| Raw Data | raw_data | JSON | The event data as received from the event source. | ||
| Record ID | record_id | String | Unique identifier for the object | ||
| Agent Type | type | String | The normalized caption of the type_id value for the agent or sensor. In the case of 'Other' or 'Unknown', it is defined by the event source. | ||
| Type ID | type_id | Integer |
The normalized representation of an agent or sensor. E.g., EDR, vulnerability management, APM, backup & recovery, etc.
|
||
| Agent ID | uid | String |
The UID of the agent or sensor, sometimes known as a Sensor ID or aid.
|
||
| Alternate Agent ID | uid_alt | String | An alternative or contextual identifier for the agent or sensor, such as a configuration, organization, or license UID. | ||
| Unmapped Data | unmapped | Unmapped | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. | ||
| Vendor Name | vendor_name | String |
The company or author who created the agent or sensor. For example: Crowdstrike.
|
||
| Agent Version | version | String |
The semantic version of the agent or sensor, e.g., 7.101.50.0.
|
Referenced By
Context
JSON
{
"caption": "Agent",
"description": "An Agent (also known as a Sensor) is typically installed on an Operating System (OS) and serves as a specialized software component that can be designed to monitor, detect, collect, archive, or take action. These activities and possible actions are defined by the upstream system controlling the Agent and its intended purpose. For instance, an Agent can include Endpoint Detection & Response (EDR) agents, backup/disaster recovery sensors, Application Performance Monitoring or profiling sensors, and similar software.",
"extends": "object",
"name": "agent",
"attributes": {
"type_id": {
"caption": "Type ID",
"description": "The normalized representation of an agent or sensor. E.g., EDR, vulnerability management, APM, backup & recovery, etc.",
"enum": {
"1": {
"caption": "Endpoint Detection and Response",
"description": "Any EDR sensor or agent. Or any tool that provides similar threat detection, anti-malware, anti-ransomware, or similar capabilities. E.g., Crowdstrike Falcon, Microsoft Defender for Endpoint, Wazuh."
},
"2": {
"caption": "Data Loss Prevention",
"description": "Any DLP sensor or agent. Or any tool that provides similar data classification, data loss detection, and/or data loss prevention capabilities. E.g., Forcepoint DLP, Microsoft Purview, Symantec DLP."
},
"3": {
"caption": "Backup & Recovery",
"description": "Any agent or sensor that provides backups, archival, or recovery capabilities. E.g., Azure Backup, AWS Backint Agent."
},
"4": {
"caption": "Performance Monitoring & Observability",
"description": "Any agent or sensor that provides Application Performance Monitoring (APM), active tracing, profiling, or other observability use cases and optionally forwards the logs. E.g., New Relic Agent, Datadog Agent, Azure Monitor Agent."
},
"5": {
"caption": "Vulnerability Management",
"description": "Any agent or sensor that provides vulnerability management or scanning capabilities. E.g., Qualys VMDR, Microsoft Defender for Endpoint, Crowdstrike Spotlight, Amazon Inspector Agent."
},
"6": {
"caption": "Log Forwarding",
"description": "Any agent or sensor that forwards logs to a 3rd party storage system such as a data lake or SIEM. E.g., Splunk Universal Forwarder, Tenzir, FluentBit, Amazon CloudWatch Agent, Amazon Kinesis Agent."
},
"7": {
"caption": "Mobile Device Management",
"description": "Any agent or sensor responsible for providing Mobile Device Management (MDM) or Mobile Enterprise Management (MEM) capabilities. E.g., JumpCloud Agent, Esper Agent, Jamf Pro binary."
},
"8": {
"caption": "Configuration Management",
"description": "Any agent or sensor that provides configuration management of a device, such as scanning for software, license management, or applying configurations. E.g., AWS Systems Manager Agent, Flexera, ServiceNow MID Server."
},
"9": {
"caption": "Remote Access",
"description": "Any agent or sensor that provides remote access capabilities to a device. E.g., BeyondTrust, Amazon Systems Manager Agent, Verkada Agent."
},
"0": {
"caption": "Unknown",
"description": "The type is unknown."
},
"99": {
"caption": "Other",
"description": "The type is not mapped. See the <code>type</code> attribute, which contains a data source specific value."
}
},
"requirement": "recommended",
"sibling": "type",
"type": "integer_t"
},
"type": {
"caption": "Agent Type",
"description": "The normalized caption of the type_id value for the agent or sensor. In the case of 'Other' or 'Unknown', it is defined by the event source.",
"requirement": "optional",
"type": "string_t"
},
"uid": {
"caption": "Agent ID",
"description": "The UID of the agent or sensor, sometimes known as a Sensor ID or <code>aid</code>.",
"requirement": "recommended",
"type": "string_t"
},
"uid_alt": {
"caption": "Alternate Agent ID",
"description": "An alternative or contextual identifier for the agent or sensor, such as a configuration, organization, or license UID.",
"requirement": "optional",
"type": "string_t"
},
"version": {
"caption": "Agent Version",
"description": "The semantic version of the agent or sensor, e.g., <code>7.101.50.0</code>.",
"requirement": "optional",
"type": "string_t"
},
"vendor_name": {
"description": "The company or author who created the agent or sensor. For example: <code>Crowdstrike</code>.",
"requirement": "optional",
"caption": "Vendor Name",
"type": "string_t"
},
"name": {
"caption": "Agent Name",
"description": "The name of the agent or sensor. For example: <code>AWS SSM Agent</code>.",
"requirement": "recommended",
"type": "string_t"
},
"policies": {
"caption": "Agent Policies",
"description": "Describes the various policies that may be applied or enforced by an agent or sensor. E.g., Conditional Access, prevention, auto-update, tamper protection, destination configuration, etc.",
"requirement": "optional",
"type": "policy",
"is_array": true
},
"raw_data": {
"group": "context",
"caption": "Raw Data",
"description": "The event data as received from the event source.",
"type": "json_t"
},
"record_id": {
"description": "Unique identifier for the object",
"group": "primary",
"requirement": "required",
"caption": "Record ID",
"type": "string_t"
},
"unmapped": {
"caption": "Unmapped Data",
"description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
"type": "unmapped",
"is_array": true
}
},
"constraints": {
"at_least_one": [
"uid",
"name"
]
}
}