Device

Device is a searchable entity at the top of Query's UI.

device

The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.

Attributes

Caption | Name | Type | Is Array | Default | Description
--- | --- | --- | --- | --- | ---
Agent List | agent_list | Agent | true | | A list of agent objects associated with a device, endpoint, or resource.
Autoscale UID | autoscale_uid | String | | | The unique identifier of the cloud autoscale configuration.
Container | container | Container | | | The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.
Created Time | created_time | Timestamp | | | The time when the device was known to have been created.
Description | desc | String | | | The description of the device, ordinarily as reported by the operating system.
Domain | domain | String | | | The network domain where the device resides. For example: work.example.com.
First Seen | first_seen_time | Timestamp | | | The initial discovery time of the device.
Groups | groups | Group | true | | The group names to which the device belongs. For example: ["Windows Laptops", "Engineering"].
Hostname | hostname | Hostname | | | The device hostname.
Hardware Info | hw_info | Device Hardware Info | | | The endpoint hardware information.
Hypervisor | hypervisor | String | | | The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
Image | image | Image | | | The image used as a template to run the virtual machine.
IMEI | imei | String | | | The International Mobile Station Equipment Identifier that is associated with the device.
Instance ID | instance_uid | String | | | The unique identifier of a VM instance.
Network Interface Name | interface_name | String | | | The name of the network interface (e.g. eth2).
Network Interface ID | interface_uid | String | | | The unique identifier of the network interface.
IP Address | ip | IP Address | | | The device IP address, in either IPv4 or IPv6 format.
Compliant Device | is_compliant | Boolean | | | The event occurred on a compliant device.
Managed Device | is_managed | Boolean | | | The event occurred on a managed device.
Personal Device | is_personal | Boolean | | | The event occurred on a personal device.
Trusted Device | is_trusted | Boolean | | | The event occurred on a trusted device.
Last Seen | last_seen_time | Timestamp | | | The most recent discovery time of the device.
Geo Location | location | Geo Location | | | The geographical location of the device.
MAC Address | mac | MAC Address | | | The Media Access Control (MAC) address of the endpoint.
Modified Time | modified_time | Timestamp | | | The time when the device was last known to have been modified.
Name | name | String | | | The alternate device name, ordinarily as assigned by an administrator. Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
Namespace PID | namespace_pid | Integer | | | If running under a process namespace (such as in a container), the process identifier within that process namespace.
Network Interfaces | network_interfaces | Network Interface | true | | The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination. Note: The first element of the array is the network information that pertains to the event.
Organization | org | Organization | | | Organization and org unit related to the device.
Org Unit | org_unit | String | | | The name of the organization to which the user belongs. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0.
OS | os | Operating System (OS) | | | The endpoint operating system.
Owner | owner | User | | | The identity of the service or user account that owns the endpoint or was last logged into it.
Raw Data | raw_data | JSON | | | The event data as received from the event source.
Record ID | record_id | String | | | Unique identifier for the object.
Region | region | String | | | The region where the virtual machine is located. For example, an AWS Region.
Reputation Scores | reputation | Reputation | | | Contains the original and normalized reputation scores. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0.
Risk Level | risk_level | String | | | The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.
Risk Level ID | risk_level_id | Integer | | | The normalized risk level id: 0 Info, 1 Low, 2 Medium, 3 High, 4 Critical.
Risk Score | risk_score | Integer | | | The risk score as reported by the event source.
Subnet | subnet | Subnet | | | The subnet mask.
Subnet UID | subnet_uid | String | | | The unique identifier of a virtual subnet.
Type | type | String | | | The device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
Type ID | type_id | Integer | | 0 | The device type ID: 0 Unknown, 1 Server, 2 Desktop, 3 Laptop, 4 Tablet, 5 Mobile, 6 Virtual, 7 IOT, 8 Browser, 9 Firewall, 10 Switch, 11 Hub, 99 Other.
Unique ID | uid | String | | | The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
Alternate ID | uid_alt | String | | | An alternate unique identifier of the device if any. For example the ActiveDirectory DN.
Unmapped Data | unmapped | Unmapped | true | | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
VLAN | vlan_uid | String | | | The Virtual LAN identifier.
VPC UID | vpc_uid | String | | | The unique identifier of the Virtual Private Cloud (VPC).
Network Zone | zone | String | | | The network zone or LAN segment.

Context

Device

JSON

{
  "caption": "Device",
  "description": "The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Host/'>d3f:Host</a>.",
  "extends": "endpoint",
  "name": "device",
  "attributes": {
    "autoscale_uid": {
      "requirement": "optional",
      "caption": "Autoscale UID",
      "description": "The unique identifier of the cloud autoscale configuration.",
      "type": "string_t"
    },
    "created_time": {
      "description": "The time when the device was known to have been created.",
      "requirement": "optional",
      "caption": "Created Time",
      "type": "timestamp_t"
    },
    "desc": {
      "caption": "Description",
      "description": "The description of the device, ordinarily as reported by the operating system.",
      "requirement": "optional",
      "type": "string_t"
    },
    "domain": {
      "description": "The network domain where the device resides. For example: <code>work.example.com</code>.",
      "requirement": "optional",
      "caption": "Domain",
      "type": "string_t"
    },
    "first_seen_time": {
      "description": "The initial discovery time of the device.",
      "requirement": "optional",
      "caption": "First Seen",
      "type": "timestamp_t"
    },
    "groups": {
      "description": "The group names to which the device belongs. For example: <code>[\"Windows Laptops\", \"Engineering\"]</code>.",
      "requirement": "optional",
      "caption": "Groups",
      "is_array": true,
      "type": "group"
    },
    "hostname": {
      "description": "The device hostname.",
      "requirement": "recommended",
      "caption": "Hostname",
      "type": "hostname_t"
    },
    "hypervisor": {
      "requirement": "optional",
      "caption": "Hypervisor",
      "description": "The name of the hypervisor running on the device. For example, <code>Xen</code>, <code>VMware</code>, <code>Hyper-V</code>, <code>VirtualBox</code>, etc.",
      "type": "string_t"
    },
    "image": {
      "description": "The image used as a template to run the virtual machine.",
      "requirement": "optional",
      "caption": "Image",
      "type": "image"
    },
    "imei": {
      "requirement": "optional",
      "caption": "IMEI",
      "description": "The International Mobile Station Equipment Identifier that is associated with the device.",
      "type": "string_t"
    },
    "ip": {
      "description": "The device IP address, in either IPv4 or IPv6 format.",
      "requirement": "recommended",
      "caption": "IP Address",
      "type": "ip_t"
    },
    "is_compliant": {
      "requirement": "optional",
      "caption": "Compliant Device",
      "description": "The event occurred on a compliant device.",
      "type": "boolean_t"
    },
    "is_managed": {
      "requirement": "optional",
      "caption": "Managed Device",
      "description": "The event occurred on a managed device.",
      "type": "boolean_t"
    },
    "is_personal": {
      "requirement": "optional",
      "caption": "Personal Device",
      "description": "The event occurred on a personal device.",
      "type": "boolean_t"
    },
    "is_trusted": {
      "requirement": "optional",
      "caption": "Trusted Device",
      "description": "The event occurred on a trusted device.",
      "type": "boolean_t"
    },
    "last_seen_time": {
      "description": "The most recent discovery time of the device.",
      "requirement": "optional",
      "caption": "Last Seen",
      "type": "timestamp_t"
    },
    "location": {
      "description": "The geographical location of the device.",
      "requirement": "optional",
      "caption": "Geo Location",
      "type": "location"
    },
    "modified_time": {
      "description": "The time when the device was last known to have been modified.",
      "requirement": "optional",
      "caption": "Modified Time",
      "type": "timestamp_t"
    },
    "name": {
      "description": "The alternate device name, ordinarily as assigned by an administrator. <p><b>Note:</b> The <b>Name</b> could be any other string that helps to identify the device, such as a phone number; for example <code>310-555-1234</code>.</p>",
      "requirement": "recommended",
      "caption": "Name",
      "type": "string_t"
    },
    "network_interfaces": {
      "requirement": "optional",
      "caption": "Network Interfaces",
      "description": "The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.<p><b>Note:</b> The first element of the array is the network information that pertains to the event.</p>",
      "is_array": true,
      "type": "network_interface"
    },
    "org": {
      "description": "Organization and org unit related to the device.",
      "requirement": "optional",
      "caption": "Organization",
      "type": "organization"
    },
    "region": {
      "description": "The region where the virtual machine is located. For example, an AWS Region.",
      "requirement": "recommended",
      "caption": "Region",
      "type": "string_t"
    },
    "risk_level": {
      "requirement": "optional",
      "caption": "Risk Level",
      "description": "The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "risk_level_id": {
      "requirement": "optional",
      "caption": "Risk Level ID",
      "description": "The normalized risk level id.",
      "enum": {
        "0": {
          "caption": "Info"
        },
        "1": {
          "caption": "Low"
        },
        "2": {
          "caption": "Medium"
        },
        "3": {
          "caption": "High"
        },
        "4": {
          "caption": "Critical"
        }
      },
      "sibling": "risk_level",
      "type": "integer_t"
    },
    "risk_score": {
      "requirement": "optional",
      "caption": "Risk Score",
      "description": "The risk score as reported by the event source.",
      "type": "integer_t"
    },
    "subnet": {
      "requirement": "optional",
      "caption": "Subnet",
      "description": "The subnet mask.",
      "type": "subnet_t"
    },
    "type": {
      "description": "The device type. For example: <code>unknown</code>, <code>server</code>, <code>desktop</code>, <code>laptop</code>, <code>tablet</code>, <code>mobile</code>, <code>virtual</code>, <code>browser</code>, or <code>other</code>.",
      "caption": "Type",
      "requirement": "optional",
      "type": "string_t"
    },
    "type_id": {
      "description": "The device type ID.",
      "requirement": "required",
      "caption": "Type ID",
      "enum": {
        "1": {
          "caption": "Server",
          "description": "A <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Server/'>server</a>."
        },
        "2": {
          "caption": "Desktop",
          "description": "A <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:DesktopComputer/'>desktop computer</a>."
        },
        "3": {
          "caption": "Laptop",
          "description": "A <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:LaptopComputer/'>laptop computer</a>."
        },
        "4": {
          "caption": "Tablet",
          "description": "A <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:TabletComputer/'>tablet computer</a>."
        },
        "5": {
          "caption": "Mobile",
          "description": "A <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:MobilePhone/'>mobile phone</a>."
        },
        "6": {
          "caption": "Virtual",
          "description": "A <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:VirtualizationSoftware/'>virtual machine</a>."
        },
        "7": {
          "caption": "IOT",
          "description": "A <a target='_blank' href='https://www.techtarget.com/iotagenda/definition/IoT-device'>IOT (Internet of Things) device</a>."
        },
        "8": {
          "caption": "Browser",
          "description": "A <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Browser/'>web browser</a>."
        },
        "9": {
          "caption": "Firewall",
          "description": "A <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Firewall/'>networking firewall</a>."
        },
        "10": {
          "caption": "Switch",
          "description": "A <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Switch/'>networking switch</a>."
        },
        "11": {
          "caption": "Hub",
          "description": "A <a target='_blank' href='https://en.wikipedia.org/wiki/Ethernet_hub'>networking hub</a>."
        },
        "99": {
          "caption": "Other",
          "description": "The type is not mapped. See the <code>type</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The type is unknown."
        }
      },
      "sibling": "type",
      "type": "integer_t",
      "default": 0
    },
    "uid": {
      "description": "The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.",
      "requirement": "recommended",
      "caption": "Unique ID",
      "type": "string_t"
    },
    "uid_alt": {
      "description": "An alternate unique identifier of the device if any. For example the ActiveDirectory DN.",
      "caption": "Alternate ID",
      "type": "string_t"
    },
    "$include": [
      "profiles/container.json"
    ],
    "agent_list": {
      "requirement": "optional",
      "caption": "Agent List",
      "description": "A list of <code>agent</code> objects associated with a device, endpoint, or resource.",
      "is_array": true,
      "type": "agent"
    },
    "hw_info": {
      "requirement": "optional",
      "caption": "Hardware Info",
      "description": "The endpoint hardware information.",
      "type": "device_hw_info"
    },
    "instance_uid": {
      "requirement": "recommended",
      "caption": "Instance ID",
      "description": "The unique identifier of a VM instance.",
      "type": "string_t"
    },
    "interface_name": {
      "requirement": "recommended",
      "caption": "Network Interface Name",
      "description": "The name of the network interface (e.g. eth2).",
      "type": "string_t"
    },
    "interface_uid": {
      "requirement": "recommended",
      "caption": "Network Interface ID",
      "description": "The unique identifier of the network interface.",
      "type": "string_t"
    },
    "mac": {
      "description": "The Media Access Control (MAC) address of the endpoint.",
      "requirement": "optional",
      "caption": "MAC Address",
      "type": "mac_t"
    },
    "os": {
      "description": "The endpoint operating system.",
      "requirement": "optional",
      "caption": "OS",
      "type": "os"
    },
    "owner": {
      "description": "The identity of the service or user account that owns the endpoint or was last logged into it.",
      "requirement": "recommended",
      "caption": "Owner",
      "type": "user"
    },
    "subnet_uid": {
      "requirement": "optional",
      "caption": "Subnet UID",
      "description": "The unique identifier of a virtual subnet.",
      "type": "string_t"
    },
    "vlan_uid": {
      "requirement": "optional",
      "caption": "VLAN",
      "description": "The Virtual LAN identifier.",
      "type": "string_t"
    },
    "vpc_uid": {
      "requirement": "optional",
      "caption": "VPC UID",
      "description": "The unique identifier of the Virtual Private Cloud (VPC).",
      "type": "string_t"
    },
    "zone": {
      "requirement": "optional",
      "caption": "Network Zone",
      "description": "The network zone or LAN segment.",
      "type": "string_t"
    },
    "container": {
      "group": "context",
      "requirement": "recommended",
      "caption": "Container",
      "description": "The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.",
      "type": "container"
    },
    "namespace_pid": {
      "group": "context",
      "requirement": "recommended",
      "caption": "Namespace PID",
      "description": "If running under a process namespace (such as in a container), the process identifier within that process namespace.",
      "type": "integer_t"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    },
    "reputation": {
      "requirement": "optional",
      "caption": "Reputation Scores",
      "description": "Contains the original and normalized reputation scores.",
      "type": "reputation",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "org_unit": {
      "requirement": "optional",
      "caption": "Org Unit",
      "description": "The name of the organization to which the user belongs.",
      "type": "string_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    }
  },
  "observable": 20,
  "profiles": [
    "container"
  ],
  "constraints": {
    "at_least_one": [
      "ip",
      "uid",
      "name",
      "hostname",
      "instance_uid",
      "interface_uid",
      "interface_name"
    ]
  }
}
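The schema above states several rules that a consumer of device records has to apply itself: record_id is required, type_id is required with a default of 0, the string siblings type and risk_level are normalized to the caption of their _id value (except for type_id 99, where type carries the source-specific value), four attributes are arrays, the at_least_one constraint demands at least one addressable identifier, and reputation and org_unit are deprecated. The following checker is an added example written for this page; it is not code from the Query Data Model or OCSF projects. The enum values, attribute names and constraint come from the schema above; the sample records are constructed.

```python
"""Check a Query Data Model 'device' record against the rules this page states.

Added example; not code from the QDM or OCSF projects. Enums, sibling pairs,
the type_id default, the is_array attributes, the at_least_one constraint and
the deprecated attributes are copied from the schema above.
"""
from __future__ import annotations

TYPE_ID = {0: "Unknown", 1: "Server", 2: "Desktop", 3: "Laptop", 4: "Tablet",
           5: "Mobile", 6: "Virtual", 7: "IOT", 8: "Browser", 9: "Firewall",
           10: "Switch", 11: "Hub", 99: "Other"}
RISK_LEVEL_ID = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
# constraints.at_least_one: a device must carry at least one addressable identifier.
AT_LEAST_ONE = ("ip", "uid", "name", "hostname", "instance_uid",
                "interface_uid", "interface_name")
ARRAY_ATTRS = ("agent_list", "groups", "network_interfaces", "unmapped")
DEPRECATED = ("reputation", "org_unit")  # @deprecated since 1.1.0


def check_device(record: dict) -> dict:
    """Return {"record": normalized copy, "errors": [...], "warnings": [...]}.

    An empty errors list means the record satisfies the rules encoded here.
    Normalization fills only what the schema lets us derive: the type_id
    default and the sibling captions for type and risk_level.
    """
    out = dict(record)
    errors: list[str] = []
    warnings: list[str] = []

    # record_id is the one attribute marked "required" without a default.
    if not isinstance(out.get("record_id"), str) or not out["record_id"]:
        errors.append("record_id is required and must be a non-empty string")

    # at_least_one constraint.
    if not any(out.get(k) not in (None, "") for k in AT_LEAST_ONE):
        errors.append("at_least_one violated: need one of " + ", ".join(AT_LEAST_ONE))

    # type_id is required with default 0; its sibling 'type' is the caption.
    type_id = out.setdefault("type_id", 0)
    if type_id not in TYPE_ID:
        errors.append(f"type_id {type_id!r} is not in the enum")
    elif type_id == 99:
        # Other: 'type' carries the source-specific value and is not compared.
        if not out.get("type"):
            errors.append("type_id 99 (Other) requires a source-specific 'type'")
    elif "type" not in out:
        out["type"] = TYPE_ID[type_id]
    elif str(out["type"]).lower() != TYPE_ID[type_id].lower():
        # The page lists type examples in lower case, so compare case-insensitively.
        errors.append(f"type {out['type']!r} disagrees with type_id {type_id}")

    # risk_level_id is optional; when present, risk_level is its caption.
    if "risk_level_id" in out:
        rl = out["risk_level_id"]
        if rl not in RISK_LEVEL_ID:
            errors.append(f"risk_level_id {rl!r} is not in the enum")
        elif "risk_level" not in out:
            out["risk_level"] = RISK_LEVEL_ID[rl]
        elif out["risk_level"] != RISK_LEVEL_ID[rl]:
            errors.append(f"risk_level {out['risk_level']!r} disagrees with risk_level_id {rl}")

    # is_array attributes must be lists (network_interfaces[0] pertains to the event).
    for attr in ARRAY_ATTRS:
        if attr in out and not isinstance(out[attr], list):
            errors.append(f"{attr} must be an array")

    for attr in DEPRECATED:
        if attr in out:
            warnings.append(f"{attr} is deprecated since 1.1.0")

    return {"record": out, "errors": errors, "warnings": warnings}


# Constructed sample records (not taken from the page).
SAMPLES = {
    "laptop": {"record_id": "rec-0001", "hostname": "ws-042.work.example.com",
               "type_id": 3, "risk_level_id": 2, "groups": ["Engineering"]},
    "unaddressable": {"record_id": "rec-0002", "os": {"name": "Linux"}},
    "other_without_type": {"record_id": "rec-0003", "uid": "i-0abc", "type_id": 99},
    "deprecated_field": {"record_id": "rec-0004", "ip": "10.0.0.5", "type_id": 1,
                         "type": "server", "org_unit": "Finance"},
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        result = check_device(rec)
        print(label, "->", result["errors"] or "ok", result["warnings"])
```

The deprecated attributes are reported as warnings rather than errors because the schema still carries them; a pipeline that wants to fail on them can promote the warning list. The checker does not validate nested objects (os, owner, container, network_interfaces elements), which have their own schema pages.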