Network Endpoint
network_endpoint
The network endpoint object describes the source or destination of a network connection.
Attributes
Caption | Name | Type | Is Array | Default | Description |
---|---|---|---|---|---|
Agent List | agent_list | Agent | true | | A list of agent objects associated with a device, endpoint, or resource. |
Autonomous System | autonomous_system | Autonomous System | | | The Autonomous System details associated with an IP address. |
Container | container | Container | | | The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd. |
Domain | domain | String | | | The name of the domain. |
Hostname | hostname | Hostname | | | The fully qualified name of the endpoint. |
Hardware Info | hw_info | Device Hardware Info | | | The endpoint hardware information. |
Instance ID | instance_uid | String | | | The unique identifier of a VM instance. |
Network Interface Name | interface_name | String | | | The name of the network interface (e.g. eth2). |
Network Interface ID | interface_uid | String | | | The unique identifier of the network interface. |
Intermediate IP Addresses | intermediate_ips | IP Address | true | | The intermediate IP addresses, for example the IP addresses in the HTTP X-Forwarded-For header. |
IP Address | ip | IP Address | | | The IP address of the endpoint, in either IPv4 or IPv6 format. |
IP Intelligence | ip_intelligence | IP Threat Intelligence | | | Insights from threat intelligence platforms about the IP address. |
Geo Location | location | Geo Location | | | The geographical location of the endpoint. |
MAC Address | mac | MAC Address | | | The Media Access Control (MAC) address of the endpoint. |
Name | name | String | | | The short name of the endpoint. |
Namespace PID | namespace_pid | Integer | | | If running under a process namespace (such as in a container), the process identifier within that process namespace. |
OS | os | Operating System (OS) | | | The endpoint operating system. |
Owner | owner | User | | | The identity of the service or user account that owns the endpoint or was last logged into it. |
Port | port | Port | | | The port used for communication within the network connection. |
Proxy Endpoint | proxy_endpoint | Network Proxy Endpoint | | | The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). |
Raw Data | raw_data | JSON | | | The event data as received from the event source. |
Record ID | record_id | String | | | Unique identifier for the object. |
Reputation Scores | reputation | Reputation | | | Contains the original and normalized reputation scores. Deprecated since 1.1.0: deprecated in the upgrade from ocsf-0.31.1 to qdm-1.1.0. |
Subnet UID | subnet_uid | String | | | The unique identifier of a virtual subnet. |
Service Name | svc_name | String | | | The service name in service-to-service connections. For example, in AWS VPC flow logs the pkt-src-aws-service and pkt-dst-aws-service fields identify whether the connection is coming from or going to an AWS service. |
Type | type | String | | | The network endpoint type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. |
Type ID | type_id | Integer | | | The network endpoint type ID: 0 Unknown, 1 Server, 2 Desktop, 3 Laptop, 4 Tablet, 5 Mobile, 6 Virtual, 7 IOT, 8 Browser, 9 Firewall, 10 Switch, 11 Hub, 12 Router, 13 IDS, 14 IPS, 15 Load Balancer, 99 Other (see the enum in the JSON below). |
Unique ID | uid | String | | | The unique identifier of the endpoint. |
Unmapped Data | unmapped | Unmapped | true | | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
VLAN | vlan_uid | String | | | The Virtual LAN identifier. |
VPC UID | vpc_uid | String | | | The unique identifier of the Virtual Private Cloud (VPC). |
Network Zone | zone | String | | | The network zone or LAN segment. |
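The `ip`, `intermediate_ips` and `proxy_endpoint` attributes above leave one decision to the producer: when a request arrives through proxies, which address in the X-Forwarded-For chain is the client's `ip`, and which hops are merely recorded. That decision is a trust boundary, because the header is client-supplied text and any hop to the left of your own proxies may be forged. The following Python is an added example, not code from the schema project, showing one way to build the object. It assumes that the reverse proxies you operate live in 203.0.113.0/24 (an RFC 5737 documentation range), uses a constructed request, and assumes that the Network Proxy Endpoint object (not reproduced on this page) carries an `ip` attribute.

```python
"""Added example: derive a network_endpoint from a proxied HTTP request.

Not code from the schema project.  Addresses and the request below are
constructed for illustration.
"""
import ipaddress

# Assumption: these are the reverse proxies we operate.  Anything they
# append to X-Forwarded-For is trustworthy; anything left of it is not.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed request: the client forged "10.0.0.1" into the header, our
# proxy appended the real peer 198.51.100.7, and the web server's TCP peer
# is the proxy itself.
SAMPLE_REQUEST = {
    "remote_addr": "203.0.113.10",
    "headers": {"X-Forwarded-For": "10.0.0.1, 198.51.100.7"},
}


def parse_xff(value):
    """Split an X-Forwarded-For header into validated IP strings.

    Malformed hops are dropped rather than copied into the event: the
    header is attacker-controlled and may contain arbitrary text.
    """
    hops = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        try:
            hops.append(str(ipaddress.ip_address(raw)))
        except ValueError:
            continue  # not an IPv4/IPv6 literal, ignore it
    return hops


def is_trusted_proxy(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_endpoint(request):
    """Build a network_endpoint dict describing the originating client.

    The hop chain is the X-Forwarded-For list followed by the TCP peer.
    Walking it from the right, the first address that is not one of our
    proxies is the nearest hop we can attribute to the client.  Hops
    further left were asserted by an untrusted party; they are kept in
    intermediate_ips for investigation but never used as the client ip.
    """
    hops = parse_xff(request["headers"].get("X-Forwarded-For", ""))
    peer = request["remote_addr"]
    chain = hops + [peer]
    client_ip = chain[0]  # only reached if every hop is one of ours
    for hop in reversed(chain):
        if not is_trusted_proxy(hop):
            client_ip = hop
            break
    endpoint = {"ip": client_ip}
    if hops:
        endpoint["intermediate_ips"] = hops
    if client_ip != peer:
        # client_ip != peer only happens when the peer was a trusted proxy.
        # Assumption: the network_proxy object has an `ip` attribute.
        endpoint["proxy_endpoint"] = {"ip": peer}
    return endpoint


if __name__ == "__main__":
    print(client_endpoint(SAMPLE_REQUEST))
```

When the TCP peer is not one of your proxies (a client connecting directly while still sending a forged header), the walk stops at the peer immediately, so the forged hop lands in `intermediate_ips` and never becomes `ip`.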
References
Referenced By
- Data Security Finding
- Entity Management
- Authentication
- Authorize Session
- User Access Management
- Account Change
- Identity & Access Management
- Group Management
- Event Log Activity
- Web Resources Activity
- Web Resource Access Activity
- API Activity
- Datastore Activity
- File Hosting Activity
- Network File Activity
- Tunnel Activity
- RDP Activity
- HTTP Activity
- Network Activity
- DHCP Activity
- FTP Activity
- SSH Activity
- SMB Activity
- DNS Activity
- Email Activity
- NTP Activity
- Network
- Windows Evidence Artifacts
- Load Balancer
- Endpoint Connection
Context
JSON
{
"caption": "Network Endpoint",
"description": "The network endpoint object describes the source or destination of a network connection.",
"extends": [
null,
"network_endpoint"
],
"name": "network_endpoint",
"attributes": {
"autonomous_system": {
"requirement": "optional",
"caption": "Autonomous System",
"description": "The Autonomous System details associated with an IP address.",
"type": "autonomous_system"
},
"intermediate_ips": {
"requirement": "optional",
"caption": "Intermediate IP Addresses",
"description": "The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.",
"type": "ip_t",
"is_array": true
},
"proxy_endpoint": {
"description": "The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).",
"requirement": "optional",
"caption": "Proxy Endpoint",
"type": "network_proxy"
},
"port": {
"description": "The port used for communication within the network connection.",
"requirement": "recommended",
"caption": "Port",
"type": "port_t"
},
"svc_name": {
"requirement": "recommended",
"caption": "Service Name",
"description": "The service name in service-to-service connections. For example, in AWS VPC flow logs the pkt-src-aws-service and pkt-dst-aws-service fields identify whether the connection is coming from or going to an AWS service.",
"type": "string_t"
},
"type": {
"description": "The network endpoint type. For example: <code>unknown</code>, <code>server</code>, <code>desktop</code>, <code>laptop</code>, <code>tablet</code>, <code>mobile</code>, <code>virtual</code>, <code>browser</code>, or <code>other</code>.",
"caption": "Type",
"requirement": "optional",
"type": "string_t"
},
"type_id": {
"description": "The network endpoint type ID.",
"caption": "Type ID",
"enum": {
"1": {
"caption": "Server",
"description": "A <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Server/'>server</a>."
},
"2": {
"caption": "Desktop",
"description": "A <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:DesktopComputer/'>desktop computer</a>."
},
"3": {
"caption": "Laptop",
"description": "A <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:LaptopComputer/'>laptop computer</a>."
},
"4": {
"caption": "Tablet",
"description": "A <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:TabletComputer/'>tablet computer</a>."
},
"5": {
"caption": "Mobile",
"description": "A <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:MobilePhone/'>mobile phone</a>."
},
"6": {
"caption": "Virtual",
"description": "A <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:VirtualizationSoftware/'>virtual machine</a>."
},
"7": {
"caption": "IOT",
"description": "An <a target='_blank' href='https://www.techtarget.com/iotagenda/definition/IoT-device'>IOT (Internet of Things) device</a>."
},
"8": {
"caption": "Browser",
"description": "A <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Browser/'>web browser</a>."
},
"9": {
"caption": "Firewall",
"description": "A <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Firewall/'>networking firewall</a>."
},
"10": {
"caption": "Switch",
"description": "A <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Switch/'>networking switch</a>."
},
"11": {
"caption": "Hub",
"description": "A <a target='_blank' href='https://en.wikipedia.org/wiki/Ethernet_hub'>networking hub</a>."
},
"12": {
"caption": "Router",
"description": "A <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Router/'>networking router</a>."
},
"13": {
"caption": "IDS",
"description": "An <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:IntrusionDetectionSystem/'>intrusion detection system</a>."
},
"14": {
"caption": "IPS",
"description": "An <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:IntrusionPreventionSystem/'>intrusion prevention system</a>."
},
"15": {
"caption": "Load Balancer",
"description": "A <a target='_blank' href='https://en.wikipedia.org/wiki/Load_balancing_(computing)'>load balancer</a> device."
},
"0": {
"caption": "Unknown",
"description": "The type is unknown."
},
"99": {
"caption": "Other",
"description": "The type is not mapped. See the <code>type</code> attribute, which contains a data source specific value."
}
},
"requirement": "recommended",
"sibling": "type",
"type": "integer_t"
},
"$include": [
"profiles/container.json"
],
"agent_list": {
"requirement": "optional",
"caption": "Agent List",
"description": "A list of <code>agent</code> objects associated with a device, endpoint, or resource.",
"type": "agent",
"is_array": true
},
"domain": {
"requirement": "optional",
"caption": "Domain",
"description": "The name of the domain.",
"type": "string_t"
},
"hostname": {
"description": "The fully qualified name of the endpoint.",
"requirement": "recommended",
"caption": "Hostname",
"type": "hostname_t"
},
"hw_info": {
"requirement": "optional",
"caption": "Hardware Info",
"description": "The endpoint hardware information.",
"type": "device_hw_info"
},
"instance_uid": {
"requirement": "recommended",
"caption": "Instance ID",
"description": "The unique identifier of a VM instance.",
"type": "string_t"
},
"interface_name": {
"requirement": "recommended",
"caption": "Network Interface Name",
"description": "The name of the network interface (e.g. eth2).",
"type": "string_t"
},
"interface_uid": {
"requirement": "recommended",
"caption": "Network Interface ID",
"description": "The unique identifier of the network interface.",
"type": "string_t"
},
"ip": {
"description": "The IP address of the endpoint, in either IPv4 or IPv6 format.",
"requirement": "recommended",
"caption": "IP Address",
"type": "ip_t"
},
"location": {
"description": "The geographical location of the endpoint.",
"requirement": "optional",
"caption": "Geo Location",
"type": "location"
},
"mac": {
"description": "The Media Access Control (MAC) address of the endpoint.",
"requirement": "optional",
"caption": "MAC Address",
"type": "mac_t"
},
"name": {
"description": "The short name of the endpoint.",
"requirement": "recommended",
"caption": "Name",
"type": "string_t"
},
"os": {
"description": "The endpoint operating system.",
"requirement": "optional",
"caption": "OS",
"type": "os"
},
"owner": {
"description": "The identity of the service or user account that owns the endpoint or was last logged into it.",
"requirement": "recommended",
"caption": "Owner",
"type": "user"
},
"subnet_uid": {
"requirement": "optional",
"caption": "Subnet UID",
"description": "The unique identifier of a virtual subnet.",
"type": "string_t"
},
"uid": {
"description": "The unique identifier of the endpoint.",
"requirement": "recommended",
"caption": "Unique ID",
"type": "string_t"
},
"vlan_uid": {
"requirement": "optional",
"caption": "VLAN",
"description": "The Virtual LAN identifier.",
"type": "string_t"
},
"vpc_uid": {
"requirement": "optional",
"caption": "VPC UID",
"description": "The unique identifier of the Virtual Private Cloud (VPC).",
"type": "string_t"
},
"zone": {
"requirement": "optional",
"caption": "Network Zone",
"description": "The network zone or LAN segment.",
"type": "string_t"
},
"container": {
"group": "context",
"requirement": "recommended",
"caption": "Container",
"description": "The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.",
"type": "container"
},
"namespace_pid": {
"group": "context",
"requirement": "recommended",
"caption": "Namespace PID",
"description": "If running under a process namespace (such as in a container), the process identifier within that process namespace.",
"type": "integer_t"
},
"raw_data": {
"group": "context",
"caption": "Raw Data",
"description": "The event data as received from the event source.",
"type": "json_t"
},
"record_id": {
"description": "Unique identifier for the object",
"group": "primary",
"requirement": "required",
"caption": "Record ID",
"type": "string_t"
},
"unmapped": {
"caption": "Unmapped Data",
"description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
"type": "unmapped",
"is_array": true
},
"reputation": {
"requirement": "optional",
"caption": "Reputation Scores",
"description": "Contains the original and normalized reputation scores.",
"type": "reputation",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"ip_intelligence": {
"requirement": "optional",
"caption": "IP Intelligence",
"description": "Insights from threat intelligence platforms about IP Address",
"type": "ip_intelligence"
}
},
"constraints": {
"at_least_one": [
"ip",
"uid",
"name",
"hostname",
"svc_name",
"instance_uid",
"interface_uid",
"interface_name"
]
},
"profiles": [
"container"
]
}
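Two rules in the JSON above are not expressible to a generic JSON validator: `constraints.at_least_one` (an endpoint that carries none of the identifying attributes names nothing and cannot be correlated) and the `sibling` relation between `type_id` and `type` (the integer is the normalized value, the string its caption, and only 99/Other permits a free-form source value). The following Python is an added example, not part of the schema project, that checks a network_endpoint dict against those two rules plus the required `record_id` and the ip_t, port_t and mac_t value formats. The enum table is copied from the JSON above. Assumptions: the `type` string carries the enum caption (compared ignoring case and punctuation, since the page also shows lowercase examples), mac_t is colon-separated, and the sample objects are constructed.

```python
"""Added example: validate a network_endpoint dict against the rules the
schema JSON states.  Not code from the schema project."""
import ipaddress
import re

# Attribute names from constraints.at_least_one in the schema JSON.
AT_LEAST_ONE = ("ip", "uid", "name", "hostname", "svc_name",
                "instance_uid", "interface_uid", "interface_name")

# type_id enum copied from the schema JSON.  Assumption: the sibling
# `type` string holds the caption; comparison ignores case and spacing.
TYPE_ID = {0: "Unknown", 1: "Server", 2: "Desktop", 3: "Laptop", 4: "Tablet",
           5: "Mobile", 6: "Virtual", 7: "IOT", 8: "Browser", 9: "Firewall",
           10: "Switch", 11: "Hub", 12: "Router", 13: "IDS", 14: "IPS",
           15: "Load Balancer", 99: "Other"}

# Assumption: mac_t is a colon-separated 48-bit address.
_MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def _norm(s):
    return re.sub(r"[^a-z0-9]", "", str(s).lower())


def _valid_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_endpoint(ep):
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if not ep.get("record_id"):
        problems.append("record_id is required")
    if not any(ep.get(k) for k in AT_LEAST_ONE):
        problems.append("at_least_one violated: none of %s present"
                        % ", ".join(AT_LEAST_ONE))
    if "ip" in ep and not _valid_ip(ep["ip"]):
        problems.append("ip is not a valid IPv4/IPv6 address: %r" % (ep["ip"],))
    for hop in ep.get("intermediate_ips", []):
        if not _valid_ip(hop):
            problems.append("intermediate_ips entry is not an IP: %r" % (hop,))
    port = ep.get("port")
    if port is not None and not (isinstance(port, int) and 0 <= port <= 65535):
        problems.append("port out of range: %r" % (port,))
    if "mac" in ep and not _MAC_RE.match(str(ep["mac"])):
        problems.append("mac is not a colon-separated MAC address: %r" % (ep["mac"],))
    tid = ep.get("type_id")
    if tid is not None:
        if tid not in TYPE_ID:
            problems.append("type_id %r is not in the enum" % (tid,))
        elif tid == 99 and not ep.get("type"):
            problems.append("type_id 99 (Other) needs the source-specific `type` string")
        elif tid != 99 and "type" in ep and _norm(ep["type"]) != _norm(TYPE_ID[tid]):
            problems.append("type %r does not match type_id %d (%s)"
                            % (ep["type"], tid, TYPE_ID[tid]))
    return problems


def with_type_sibling(ep):
    """Return a copy with `type` filled from `type_id` when the source only
    supplied the integer.  99/Other is left alone: its `type` must come
    from the source, which is exactly what validate_endpoint flags."""
    out = dict(ep)
    tid = out.get("type_id")
    if tid in TYPE_ID and tid != 99 and not out.get("type"):
        out["type"] = TYPE_ID[tid]
    return out


# Constructed sample objects, not events from any real source.
GOOD = {"record_id": "ep-1", "ip": "198.51.100.7", "port": 443,
        "type_id": 1, "type": "server", "mac": "00:1A:2B:3C:4D:5E"}
BAD = {"record_id": "ep-2", "ip": "999.1.1.1", "port": 70000,
       "type_id": 99, "mac": "not-a-mac"}

if __name__ == "__main__":
    print(validate_endpoint(GOOD))
    print(validate_endpoint(BAD))
```

Run the validator at ingest rather than at query time: a detection written against `ip` or `type_id` silently misses events whose values are malformed, and the at_least_one check is the difference between an endpoint you can pivot on and one you cannot.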