# Create Device

Creates a Device object in the token-linked Integration.

Operation ID: assets_create_asset

Endpoint: POST /v1/assets/devices
Security: BearerAuth

## Request fields (application/json):

  - `device` (object, required)
    Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.

  - `device.activity_id` (integer, required)
    ActivityId is an enum, and the following values are allowed.
    - 0 - Unknown: The event activity is unknown.
    - 1 - Log: The discovered information is via a log.
    - 2 - Collect: The discovered information is via a collection process.
    - 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.

  - `device.category_uid` (integer, required)
    CategoryUid is an enum, and the following values are allowed.
    - 5 - Discovery: Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.

  - `device.class_uid` (integer, required)
    ClassUid is an enum, and the following values are allowed.
    - 5001 - DeviceInventoryInfo: Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.

  - `device.device` (object, required)
    The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.

  - `device.device.type_id` (integer, required)
    DeviceTypeId is an enum, and the following values are allowed.
    - 0 - Unknown: The type is unknown.
    - 1 - Server: A server.
    - 2 - Desktop: A desktop computer.
    - 3 - Laptop: A laptop computer.
    - 4 - Tablet: A tablet computer.
    - 5 - Mobile: A mobile phone.
    - 6 - Virtual: A virtual machine.
    - 7 - IOT: An IOT (Internet of Things) device.
    - 8 - Browser: A web browser.
    - 9 - Firewall: A networking firewall.
    - 10 - Switch: A networking switch.
    - 11 - Hub: A networking hub.
    - 12 - Router: A networking router.
    - 13 - IDS: An intrusion detection system.
    - 14 - IPS: An intrusion prevention system.
    - 15 - LoadBalancer: A load balancer device.
    - 89 - ImagingEquipment: Equipment for processing optical data, such as a camera.
    - 90 - PLC: A programmable logic controller.
    - 91 - SCADA: A supervisory control and data acquisition system.
    - 92 - DCS: A distributed control system.
    - 93 - CNC: A computer numerical control system, including computerized machine tools.
    - 94 - ScientificEquipment: A piece of scientific equipment such as an oscilloscope or spectrometer.
    - 95 - MedicalDevice: A medical device such as an MRI machine or infusion pump.
    - 96 - LightingControls: A lighting control for internal or external applications.
    - 97 - EnergyMonitoringSystem: An energy monitoring, security or safety system.
    - 98 - TransportationDevice: A transportation device or transportation supporting device.
    - 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

  - `device.device.agent_list` (array,null)
    A list of agent objects associated with a device, endpoint, or resource.

  - `device.device.agent_list.name` (string,null)
    The name of the agent or sensor. For example: AWS SSM Agent.

  - `device.device.agent_list.type` (string,null)
    The normalized caption of the type_id value for the agent or sensor. In the case of 'Other' or 'Unknown', it is defined by the event source.

  - `device.device.agent_list.type_id` (integer)
    AgentTypeId is an enum, and the following values are allowed.
    - 0 - Unknown: The type is unknown.
    - 1 - EndpointDetectionandResponse: Any EDR sensor or agent. Or any tool that provides similar threat detection, anti-malware, anti-ransomware, or similar capabilities. E.g., Crowdstrike Falcon, Microsoft Defender for Endpoint, Wazuh.
    - 2 - DataLossPrevention: Any DLP sensor or agent. Or any tool that provides similar data classification, data loss detection, and/or data loss prevention capabilities. E.g., Forcepoint DLP, Microsoft Purview, Symantec DLP.
    - 3 - Recovery: Any agent or sensor that provides backups, archival, or recovery capabilities. E.g., Azure Backup, AWS Backint Agent.
    - 4 - Observability: Any agent or sensor that provides Application Performance Monitoring (APM), active tracing, profiling, or other observability use cases and optionally forwards the logs. E.g., New Relic Agent, Datadog Agent, Azure Monitor Agent.
    - 5 - VulnerabilityManagement: Any agent or sensor that provides vulnerability management or scanning capabilities. E.g., Qualys VMDR, Microsoft Defender for Endpoint, Crowdstrike Spotlight, Amazon Inspector Agent.
    - 6 - LogForwarding: Any agent or sensor that forwards logs to a 3rd party storage system such as a data lake or SIEM. E.g., Splunk Universal Forwarder, Tenzir, FluentBit, Amazon CloudWatch Agent, Amazon Kinesis Agent.
    - 7 - MobileDeviceManagement: Any agent or sensor responsible for providing Mobile Device Management (MDM) or Mobile Enterprise Management (MEM) capabilities. E.g., JumpCloud Agent, Esper Agent, Jamf Pro binary.
    - 8 - ConfigurationManagement: Any agent or sensor that provides configuration management of a device, such as scanning for software, license management, or applying configurations. E.g., AWS Systems Manager Agent, Flexera, ServiceNow MID Server.
    - 9 - RemoteAccess: Any agent or sensor that provides remote access capabilities to a device. E.g., BeyondTrust, Amazon Systems Manager Agent, Verkada Agent.
    - 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

  - `device.device.agent_list.uid` (string,null)
    The UID of the agent or sensor, sometimes known as a Sensor ID or aid.

  - `device.device.agent_list.uid_alt` (string,null)
    An alternative or contextual identifier for the agent or sensor, such as a configuration, organization, or license UID.

  - `device.device.agent_list.vendor_name` (string,null)
    The company or author who created the agent or sensor. For example: Crowdstrike.

  - `device.device.agent_list.version` (string,null)
    The semantic version of the agent or sensor, e.g., 7.101.50.0.

  - `device.device.autoscale_uid` (string,null)
    The unique identifier of the cloud autoscale configuration.

  - `device.device.boot_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.device.boot_time_dt` (string,null)
    The time the system was booted.

  - `device.device.container` (object)
    The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.

  - `device.device.container.hash` (object)
    The Fingerprint object provides detailed information about a digital fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key or file content. It contains the algorithm and value of the fingerprint, enabling efficient and reliable identification of the associated data.

  - `device.device.container.hash.algorithm_id` (integer, required)
    FingerprintAlgorithmId is an enum, and the following values are allowed.
    - 0 - Unknown: The algorithm is unknown.
    - 1 - MD5: MD5 message-digest algorithm producing a 128-bit (16-byte) hash value.
    - 2 - SHA-1: Secure Hash Algorithm 1 producing a 160-bit (20-byte) hash value.
    - 3 - SHA-256: Secure Hash Algorithm 2 producing a 256-bit (32-byte) hash value.
    - 4 - SHA-512: Secure Hash Algorithm 2 producing a 512-bit (64-byte) hash value.
    - 5 - CTPH: The ssdeep generated fuzzy checksum. Also known as Context Triggered Piecewise Hash (CTPH).
    - 6 - TLSH: The TLSH fuzzy hashing algorithm.
    - 7 - quickXorHash: Microsoft simple non-cryptographic hash algorithm that works by XORing the bytes in a circular-shifting fashion.
    - 99 - Other: The algorithm is not mapped. See the algorithm attribute, which contains a data source specific value.

  - `device.device.container.hash.value` (string, required)
    Hash. A unique value that corresponds to the content of the file, image, ja3_hash or hassh found in the schema. For example MD5: 3172ac7e2b55cbb81f04a6e65855a628.

  - `device.device.container.hash.algorithm` (string,null)
    The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.

  - `device.device.container.image` (object)
    The Image object provides a description of a specific Virtual Machine (VM) or Container image. Defined by D3FEND d3f:ContainerImage.

  - `device.device.container.image.uid` (string, required)
    The unique image ID. For example: 77af4d6b9913.

  - `device.device.container.image.labels` (array,null)
    The image labels.

  - `device.device.container.image.name` (string,null)
    The image name. For example: elixir.

  - `device.device.container.image.path` (string,null)
    The full path to the image file.

  - `device.device.container.image.tag` (string,null)
    The image tag. For example: 1.11-alpine.

  - `device.device.container.name` (string,null)
    The container name.

  - `device.device.container.network_driver` (string,null)
    The network driver used by the container. For example, bridge, overlay, host, none, etc.

  - `device.device.container.orchestrator` (string,null)
    The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.

  - `device.device.container.pod_uuid` (string,null)
    The unique identifier of the pod (or equivalent) that the container is executing on.

  - `device.device.container.runtime` (string,null)
    The backend running the container, such as containerd or cri-o.

  - `device.device.container.size` (integer,null)
    The size of the container image.

  - `device.device.container.tag` (string,null)
    The tag used by the container. It can indicate version, format, OS.

  - `device.device.container.uid` (string,null)
    The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.

  - `device.device.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.device.created_time_dt` (string,null)
    The time when the device was known to have been created.

  - `device.device.desc` (string,null)
    The description of the device, ordinarily as reported by the operating system.

  - `device.device.domain` (string,null)
    The network domain where the device resides. For example: work.example.com.

  - `device.device.first_seen_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.device.first_seen_time_dt` (string,null)
    The initial discovery time of the device.

  - `device.device.groups` (array,null)
    The group names to which the device belongs. For example: ["Windows Laptops", "Engineering"].

  - `device.device.groups.desc` (string,null)
    The group description.

  - `device.device.groups.domain` (string,null)
    The domain where the group is defined. For example: the LDAP or Active Directory domain.

  - `device.device.groups.name` (string,null)
    The group name.

  - `device.device.groups.privileges` (array,null)
    The group privileges.

  - `device.device.groups.type` (string,null)
    The type of the group or account.

  - `device.device.groups.uid` (string,null)
    The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.

  - `device.device.hostname` (string)
    Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: r2-d2.example.com.

  - `device.device.hw_info` (object)
    The Device Hardware Information object contains details and specifications of the physical components that make up a device. This information provides an overview of the hardware capabilities, configuration, and characteristics of the device.

  - `device.device.hw_info.bios_date` (string,null)
    The BIOS date. For example: 03/31/16.

  - `device.device.hw_info.bios_manufacturer` (string,null)
    The BIOS manufacturer. For example: LENOVO.

  - `device.device.hw_info.bios_uid` (string,null)
    The BIOS UUID.

  - `device.device.hw_info.bios_ver` (string,null)
    The BIOS version. For example: LENOVO G5ETA2WW (2.62).

  - `device.device.hw_info.chassis` (string,null)
    The chassis type describes the system enclosure or physical form factor. For example, see the Windows Chassis Types enumeration.

  - `device.device.hw_info.cpu_bits` (integer,null)
    The CPU architecture: the number of bits used for addressing in memory. For example: 32 or 64.

  - `device.device.hw_info.cpu_cores` (integer,null)
    The number of processor cores in all installed processors. For example: 42.

  - `device.device.hw_info.cpu_count` (integer,null)
    The number of physical processors on a system. For example: 1.

  - `device.device.hw_info.cpu_speed` (integer,null)
    The speed of the processor in MHz. For example: 4200.

  - `device.device.hw_info.cpu_type` (string,null)
    The processor type. For example: x86 Family 6 Model 37 Stepping 5.

  - `device.device.hw_info.desktop_display` (object)
    The Display object contains information about the physical or virtual display connected to a computer system.

  - `device.device.hw_info.desktop_display.color_depth` (integer,null)
    The numeric color depth.

  - `device.device.hw_info.desktop_display.physical_height` (integer,null)
    The numeric physical height of display.

  - `device.device.hw_info.desktop_display.physical_orientation` (integer,null)
    The numeric physical orientation of display.

  - `device.device.hw_info.desktop_display.physical_width` (integer,null)
    The numeric physical width of display.

  - `device.device.hw_info.desktop_display.scale_factor` (integer,null)
    The numeric scale factor of display.

  - `device.device.hw_info.keyboard_info` (object)
    The Keyboard Information object contains details and attributes related to a computer or device keyboard. It encompasses information that describes the characteristics, capabilities, and configuration of the keyboard.

  - `device.device.hw_info.keyboard_info.function_keys` (integer,null)
    The number of function keys on client keyboard.

  - `device.device.hw_info.keyboard_info.ime` (string,null)
    The Input Method Editor (IME) file name.

  - `device.device.hw_info.keyboard_info.keyboard_layout` (string,null)
    The keyboard locale identifier name (e.g., en-US).

  - `device.device.hw_info.keyboard_info.keyboard_subtype` (integer,null)
    The keyboard numeric code.

  - `device.device.hw_info.keyboard_info.keyboard_type` (string,null)
    The keyboard type (e.g., xt, ico).

  - `device.device.hw_info.ram_size` (integer,null)
    The total amount of installed RAM, in Megabytes. For example: 2048.

  - `device.device.hw_info.serial_number` (string,null)
    The device manufacturer serial number.

  - `device.device.hypervisor` (string,null)
    The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.

  - `device.device.image` (object)
    The Image object provides a description of a specific Virtual Machine (VM) or Container image. Defined by D3FEND d3f:ContainerImage.

  - `device.device.imei` (string,null)
    The International Mobile Station Equipment Identifier that is associated with the device.

  - `device.device.instance_uid` (string,null)
    The unique identifier of a VM instance.

  - `device.device.interface_name` (string,null)
    The name of the network interface (e.g. eth2).

  - `device.device.interface_uid` (string,null)
    The unique identifier of the network interface.

  - `device.device.ip` (string)
    Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, 192.168.200.24 or 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

  - `device.device.ip_addresses` (array,null)
    A list of IP addresses available on the device.

  - `device.device.is_compliant` (boolean,null)
    The event occurred on a compliant device.

  - `device.device.is_managed` (boolean,null)
    The event occurred on a managed device.

  - `device.device.is_personal` (boolean,null)
    The event occurred on a personal device.

  - `device.device.is_trusted` (boolean,null)
    The event occurred on a trusted device.

  - `device.device.last_seen_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.device.last_seen_time_dt` (string,null)
    The most recent discovery time of the device.

  - `device.device.location` (object)
    The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND d3f:PhysicalLocation.

  - `device.device.location.city` (string,null)
    The name of the city.

  - `device.device.location.continent` (string,null)
    The name of the continent.

  - `device.device.location.coordinates` (array,null)
    A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. For example: [-73.983, 40.719].

  - `device.device.location.country` (string,null)
    The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. Note: The two-letter country code should be capitalized. For example: US or CA.

  - `device.device.location.desc` (string,null)
    The description of the geographical location.

  - `device.device.location.geohash` (string,null)
    Geohash of the geo-coordinates (latitude and longitude). Geohashing is a geocoding system that encodes geographic coordinates in decimal degrees into a single string.

  - `device.device.location.is_on_premises` (boolean,null)
    The indication of whether the location is on premises.

  - `device.device.location.isp` (string,null)
    The name of the Internet Service Provider (ISP).

  - `device.device.location.lat` (number,null)
    The geographical Latitude coordinate represented in Decimal Degrees (DD). For example: 42.361145.

  - `device.device.location.long` (number,null)
    The geographical Longitude coordinate represented in Decimal Degrees (DD). For example: -71.057083.

  - `device.device.location.postal_code` (string,null)
    The postal code of the location.

  - `device.device.location.provider` (string,null)
    The provider of the geographical location data.

  - `device.device.location.region` (string,null)
    The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.

  - `device.device.location.timezone` (string,null)
    Timezone string. This provides timezone information that may be present even when latitude and longitude are absent.

  - `device.device.mac` (string)
    Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A.

  - `device.device.mac_addresses` (array,null)
    A list of MAC addresses available on the device.

  - `device.device.modified_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.device.modified_time_dt` (string,null)
    The time when the device was last known to have been modified.

  - `device.device.name` (string,null)
    The alternate device name, ordinarily as assigned by an administrator. Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.

  - `device.device.namespace_pid` (integer,null)
    If running under a process namespace (such as in a container), the process identifier within that process namespace.

  - `device.device.netbios_names` (array,null)
    A list of NetBIOS names available on the device.

  - `device.device.network_interfaces` (array,null)
    The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination. Note: The first element of the array is the network information that pertains to the event.

  - `device.device.network_interfaces.type_id` (integer, required)
    NetworkInterfaceTypeId is an enum, and the following values are allowed.
    - 0 - Unknown: The type is unknown.
    - 1 - Wired
    - 2 - Wireless
    - 3 - Mobile
    - 4 - Tunnel
    - 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

  - `device.device.network_interfaces.hostname` (string)
    Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: r2-d2.example.com.

  - `device.device.network_interfaces.ip` (string)
    Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, 192.168.200.24 or 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

  - `device.device.network_interfaces.ip_addresses` (array,null)
    A list of IP addresses available on the network interface.

  - `device.device.network_interfaces.mac` (string)
    Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A.

  - `device.device.network_interfaces.mac_addresses` (array,null)
    A list of MAC addresses available on the network interface.

  - `device.device.network_interfaces.name` (string,null)
    The name of the network interface.

  - `device.device.network_interfaces.namespace` (string,null)
    The namespace is useful in merger or acquisition situations. For example, when similar entities exist that you need to keep separate.

  - `device.device.network_interfaces.subnet_prefix` (integer,null)
    The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.

  - `device.device.network_interfaces.type` (string,null)
    The type of network interface.

  - `device.device.network_interfaces.uid` (string,null)
    The unique identifier for the network interface.

  - `device.device.network_status` (string,null)
    The network isolation status of the endpoint.

  - `device.device.network_status_id` (integer)
    DeviceNetworkStatusId is an enum, and the following values are allowed.
    - 1 - NotIsolated: Device is not isolated from the network.
    - 2 - Isolated: Device is isolated from the network.
    - 3 - PendingIsolation: Device is pending isolation from the network.
    - 4 - PendingRestore: Device is pending restoration from isolation.
    - 99 - Unknown: The network isolation status is unknown.

  - `device.device.org` (object)
    The Organization object describes characteristics of an organization or company and its division if any.

  - `device.device.org.name` (string,null)
    The name of the organization. For example, Widget, Inc.

  - `device.device.org.ou_name` (string,null)
    The name of the organizational unit within an organization. For example, Finance, IT, R&D.

  - `device.device.org.ou_uid` (string,null)
    The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.

  - `device.device.org.uid` (string,null)
    The unique identifier of the organization. For example, its Active Directory or AWS Org ID.

  - `device.device.os` (object)
    The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows. Defined by D3FEND d3f:OperatingSystem.

  - `device.device.os.name` (string, required)
    The operating system name.

  - `device.device.os.type_id` (integer, required)
    OsTypeId is an enum, and the following values are allowed.
    - 0 - Unknown: The type is unknown.
    - 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.
    - 100 - Windows
    - 101 - WindowsMobile
    - 200 - Linux
    - 201 - Android
    - 300 - macOS
    - 301 - iOS
    - 302 - iPadOS
    - 400 - Solaris
    - 401 - AIX
    - 402 - HP-UX

  - `device.device.os.build` (string,null)
    The operating system build number.

  - `device.device.os.country` (string,null)
    The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.

  - `device.device.os.cpe_name` (string,null)
    The Common Platform Enumeration (CPE) name as described by NIST. For example: cpe:/a:apple:safari:16.2.

  - `device.device.os.cpu_bits` (integer,null)
    The CPU architecture: the number of bits used for addressing in memory. For example: 32 or 64.

  - `device.device.os.edition` (string,null)
    The operating system edition. For example: Professional.

  - `device.device.os.lang` (string,null)
    The two-letter lower-case language code, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).

  - `device.device.os.sp_name` (string,null)
    The name of the latest Service Pack.

  - `device.device.os.sp_ver` (integer,null)
    The version number of the latest Service Pack.

  - `device.device.os.type` (string,null)
    The type of the operating system.

  - `device.device.os.version` (string,null)
    The version of the OS running on the device that originated the event. For example: "Windows 10", "OS X 10.7", or "iOS 9".

  - `device.device.owner` (object)
    The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.

  - `device.device.owner.account` (object)
    The Account object contains details about the account that initiated or performed a specific activity within a system or application.

  - `device.device.owner.account.labels` (array,null)
    The list of labels/tags associated to the account.

  - `device.device.owner.account.name` (string,null)
    The name of the account (e.g. GCP Account Name).

  - `device.device.owner.account.type` (string,null)
    The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.

  - `device.device.owner.account.type_id` (integer)
    AccountTypeId is an enum, and the following values are allowed.
    - 0 - Unknown: The account type is unknown.
    - 1 - LDAPAccount
    - 2 - WindowsAccount
    - 3 - AWSIAMUser
    - 4 - AWSIAMRole
    - 5 - GCPAccount
    - 6 - AzureADAccount
    - 7 - MacOSAccount
    - 8 - AppleAccount
    - 9 - LinuxAccount
    - 10 - AWSAccount
    - 99 - Other: The account type is not mapped.

  - `device.device.owner.account.uid` (string,null)
    The unique identifier of the account (e.g. AWS Account ID).

  - `device.device.owner.credential_uid` (string,null)
    The unique identifier of the user's credential. For example, AWS Access Key ID.

  - `device.device.owner.domain` (string,null)
    The domain where the user is defined. For example: the LDAP or Active Directory domain.

  - `device.device.owner.email_addr` (string)
    Email address. For example: john_doe@example.com.

  - `device.device.owner.full_name` (string,null)
    The full name of the person, as per the LDAP Common Name attribute (cn).

  - `device.device.owner.groups` (array,null)
    The administrative groups to which the user belongs.

  - `device.device.owner.has_mfa` (boolean,null)
    The user has a multi-factor or secondary-factor device assigned.

  - `device.device.owner.ldap_person` (object)
    The additional LDAP attributes that describe a person.

  - `device.device.owner.ldap_person.cost_center` (string,null)
    The cost center associated with the user.

  - `device.device.owner.ldap_person.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.device.owner.ldap_person.created_time_dt` (string,null)
    The timestamp when the user was created.

  - `device.device.owner.ldap_person.deleted_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.device.owner.ldap_person.deleted_time_dt` (string,null)
    The timestamp when the user was deleted. In Active Directory (AD), when a user is deleted they are moved to a temporary container and then removed after 30 days. So, this field can be populated even after a user is deleted for the next 30 days.

  - `device.device.owner.ldap_person.eligible_for_rehire` (boolean,null)
    Indicates whether the user is eligible for rehire. This typically applies to terminated or retired employees.

  - `device.device.owner.ldap_person.email_addrs` (array,null)
    A list of additional email addresses for the user.

  - `device.device.owner.ldap_person.employee_uid` (string,null)
    The employee identifier assigned to the user by the organization.

  - `device.device.owner.ldap_person.employment_status` (string,null)
    The employment status, normalized to the caption of the employment_status_id value. In the case of 'Other', it is defined by the data source.

  - `device.device.owner.ldap_person.employment_status_date` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.device.owner.ldap_person.employment_status_date_dt` (string,null)
    The timestamp when the employment status was last changed.

  - `device.device.owner.ldap_person.employment_status_id` (integer)
    LdapPersonEmploymentStatusId is an enum, and the following values are allowed.
    - 0 - Unknown: The employment status is unknown.
    - 1 - Applicant: The user is a job applicant or candidate who has not yet been hired.
    - 2 - Active: The user is currently employed and actively working.
    - 3 - Terminated: The user's employment has been terminated.
    - 4 - Retired: The user has retired from the organization.
    - 99 - Other: The employment status is not mapped. See the employment_status attribute, which contains a data source specific value.

  - `device.device.owner.ldap_person.given_name` (string,null)
    The given or first name of the user.

  - `device.device.owner.ldap_person.hire_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.device.owner.ldap_person.hire_time_dt` (string,null)
    The timestamp when the user was or will be hired by the organization.

  - `device.device.owner.ldap_person.job_title` (string,null)
    The user's job title.

  - `device.device.owner.ldap_person.labels` (array,null)
    The labels associated with the user. For example in AD this could be the userType, employeeType. For example: Member, Employee.

  - `device.device.owner.ldap_person.last_login_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.device.owner.ldap_person.last_login_time_dt` (string,null)
    The last time when the user logged in.

  - `device.device.owner.ldap_person.ldap_cn` (string,null)
    The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe.

  - `device.device.owner.ldap_person.ldap_dn` (string,null)
    The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service. For example, cn=John Doe,ou=People,dc=example,dc=com.

  - `device.device.owner.ldap_person.leave_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.device.owner.ldap_person.leave_time_dt` (string,null)
    The timestamp when the user left or will be leaving the organization.

  - `device.device.owner.ldap_person.location` (object)
    The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND d3f:PhysicalLocation.

  - `device.device.owner.ldap_person.manager` (object)
    An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

  - `device.device.owner.ldap_person.modified_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.device.owner.ldap_person.modified_time_dt` (string,null)
    The timestamp when the user entry was last modified.

  - `device.device.owner.ldap_person.office_location` (string,null)
    The primary office location associated with the user. This could be any string and isn't a specific address. For example, South East Virtual.

  - `device.device.owner.ldap_person.position_start_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.device.owner.ldap_person.position_start_time_dt` (string,null)
    The date the user first started work in their current position. For employees who have not changed positions, this equals the hire date. For employees who have transferred or been promoted, this reflects when they entered their current role.

  - `device.device.owner.ldap_person.regrettable_termination` (boolean,null)
    Indicates whether a termination is considered regrettable by the organization (i.e., loss of a valued employee). This is typically only populated for terminated employees.

  - `device.device.owner.ldap_person.reports` (array,null)
    The user's direct reports. This is the inverse of the manager relationship, representing users who report directly to this user in the organizational hierarchy. This field only includes immediate/direct reports, not transitive reports.

  - `device.device.owner.ldap_person.surname` (string,null)
    The last or family name for the user.

  - `device.device.owner.leave_events` (array,null)
    Leave of absence events associated with the person. May include current, past, and future leaves.

  - `device.device.owner.leave_events.desc` (string,null)
    The description that pertains to the object or event. See specific usage.

  - `device.device.owner.leave_events.leave_end_date` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.device.owner.leave_events.leave_end_date_dt` (string,null)
    The date on which the leave of absence ends.

  - `device.device.owner.leave_events.leave_start_date` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.device.owner.leave_events.leave_start_date_dt` (string,null)
    The date on which the leave of absence begins.

  - `device.device.owner.mfa_status` (string,null)
    The multi-factor authentication status, normalized to the caption of the mfa_status_id value. In the case of 'Other', it is defined by the data source.

  - `device.device.owner.mfa_status_id` (integer)
    UserMfaStatusId is an enum, and the following values are allowed.
0 - Unknown: The status is unknown.
1 - Enabled: Multi-factor authentication is enabled for this user.
2 - NotEnabled: Multi-factor authentication is off for this user.
3 - Enforced: Multi-factor authentication is enabled and there is a policy that requires it for this user.
99 - Other: The event status is not mapped. See the user_status attribute, which contains a data source specific value.

  - `device.device.owner.name` (string)
    User name. For example: john_doe.

  - `device.device.owner.on_leave` (boolean,null)
    True if the person is currently on a leave of absence.

  - `device.device.owner.org` (object)
    The Organization object describes characteristics of an organization or company and its division if any.

  - `device.device.owner.privileges` (array,null)
    The user's privileges.

  - `device.device.owner.risk_level` (string,null)
    The risk level, normalized to the caption of the risk_level_id value.

  - `device.device.owner.risk_level_id` (integer)
    UserRiskLevelId is an enum, and the following values are allowed.
0 - Info
1 - Low
2 - Medium
3 - High
4 - Critical
99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.

  - `device.device.owner.risk_score` (integer,null)
    The risk score as reported by the event source.

  - `device.device.owner.type` (string,null)
    The type of the user. For example, System, AWS IAM User, etc.

  - `device.device.owner.type_id` (integer)
    UserTypeId is an enum, and the following values are allowed.
0 - Unknown: The type is unknown.
1 - User: Regular user account.
2 - Admin: Admin/root user account.
3 - System: System account. For example, Windows computer accounts with a trailing dollar sign ($).
99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

  - `device.device.owner.uid` (string,null)
    The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.

  - `device.device.owner.uid_alt` (string,null)
    The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.

  - `device.device.owner.user_status` (string,null)
    The user status, normalized to the caption of the user_status_id value. In the case of 'Other', it is defined by the data source.

  - `device.device.owner.user_status_id` (integer)
    UserUserStatusId is an enum, and the following values are allowed.
0 - Unknown: The status is unknown.
1 - Active: The user is active.
2 - Pending: The user is not active, pending either user or admin action.
3 - Locked: The user account is locked requiring either time or intervention to unlock.
4 - Suspended: The user account is suspended.
5 - Deprovisioned: The user account has been deprovisioned and is pending removal.
99 - Other: The event status is not mapped. See the user_status attribute, which contains a data source specific value.

  - `device.device.region` (string,null)
    The region where the virtual machine is located. For example, an AWS Region.

  - `device.device.risk_level` (string,null)
    The risk level, normalized to the caption of the risk_level_id value.

  - `device.device.risk_level_id` (integer)
    DeviceRiskLevelId is an enum, and the following values are allowed.
0 - Info
1 - Low
2 - Medium
3 - High
4 - Critical
99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.

  - `device.device.risk_score` (integer,null)
    The risk score as reported by the event source.

  - `device.device.subnet` (string)
    The subnet represented in CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet. For example: 192.168.1.0/24 or 2001:0db8:85a3:0000::/64.

  - `device.device.subnet_uid` (string,null)
    The unique identifier of a virtual subnet.

  - `device.device.sw_info` (array,null)
    The list of software contained on a device.

  - `device.device.sw_info.cpe_name` (string,null)
    The Common Platform Enumeration (CPE) name as described by NIST. For example: cpe:/a:apple:safari:16.2.

  - `device.device.sw_info.distribution_mode` (string,null)
    Indicates the source from which the app was installed, such as the app store.

  - `device.device.sw_info.feature` (object)
    The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.

  - `device.device.sw_info.feature.name` (string,null)
    The name of the feature.

  - `device.device.sw_info.feature.uid` (string,null)
    The unique identifier of the feature.

  - `device.device.sw_info.feature.version` (string,null)
    The version of the feature.

  - `device.device.sw_info.lang` (string,null)
    The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).

  - `device.device.sw_info.name` (string,null)
    The name of the product.

  - `device.device.sw_info.path` (string,null)
    The installation path of the product.

  - `device.device.sw_info.uid` (string,null)
    The unique identifier of the product.

  - `device.device.sw_info.url_string` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `device.device.sw_info.vendor_name` (string,null)
    The name of the vendor of the product.

  - `device.device.sw_info.version` (string,null)
    The version of the product, as defined by the event source. For example: 2013.1.3-beta.

  - `device.device.sw_info.workload` (string,null)
    The product workload associated with the event.

  - `device.device.type` (string,null)
    The device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, plc, scada, dcs, cnc, scientific, medical, lighting, energy, transportation, other.

  - `device.device.uid` (string,null)
    The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.

  - `device.device.uid_alt` (string,null)
    An alternate unique identifier of the device if any. For example the ActiveDirectory DN.

  - `device.device.vendor` (object)
    The Organization object describes characteristics of an organization or company and its division if any.

  - `device.device.vlan_uid` (string,null)
    The Virtual LAN identifier.

  - `device.device.vpc_uid` (string,null)
    The unique identifier of the Virtual Private Cloud (VPC).

  - `device.device.zone` (string,null)
    The network zone or LAN segment.

  - `device.metadata` (object, required)
    The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.

  - `device.metadata.product` (object, required)
    The Product object describes characteristics of a software product.

  - `device.metadata.version` (string, required)
    The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.

  - `device.metadata.correlation_uid` (string,null)
    The unique identifier used to correlate events.

  - `device.metadata.event_code` (string,null)
    The Event ID or Code that the product uses to describe the event.

  - `device.metadata.extension` (object)
    The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.

  - `device.metadata.extension.name` (string, required)
    The schema extension name. For example: dev.

  - `device.metadata.extension.uid` (string, required)
    The schema extension unique identifier. For example: 999.

  - `device.metadata.extension.version` (string, required)
    The schema extension version. For example: 1.0.0-alpha.2.

  - `device.metadata.extensions` (array,null)
    The schema extensions used to create the event.

  - `device.metadata.labels` (array,null)
    The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. For example: ["network", "connection.ip:destination", "device.ip:source"]

  - `device.metadata.log_level` (string,null)
    The audit level at which an event was generated.

  - `device.metadata.log_name` (string,null)
    The event log name. For example, syslog file name or Windows logging subsystem: Security.

  - `device.metadata.log_provider` (string,null)
    The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.

  - `device.metadata.log_version` (string,null)
    The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.

  - `device.metadata.logged_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.metadata.logged_time_dt` (string,null)
    The time when the logging system collected and logged the event. This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different.

  - `device.metadata.loggers` (array,null)
    An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.

  - `device.metadata.loggers.device` (object)
    The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.

  - `device.metadata.loggers.log_level` (string,null)
    The audit level at which an event was generated.

  - `device.metadata.loggers.log_name` (string,null)
    The event log name. For example, syslog file name or Windows logging subsystem: Security.

  - `device.metadata.loggers.log_provider` (string,null)
    The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.

  - `device.metadata.loggers.log_version` (string,null)
    The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.

  - `device.metadata.loggers.logged_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.metadata.loggers.logged_time_dt` (string,null)
    The time when the logging system collected and logged the event. This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different.

  - `device.metadata.loggers.name` (string,null)
    The name of the logging product instance.

  - `device.metadata.loggers.product` (object)
    The Product object describes characteristics of a software product.

  - `device.metadata.loggers.transmit_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.metadata.loggers.transmit_time_dt` (string,null)
    The time when the event was transmitted from the logging device to its next destination.

  - `device.metadata.loggers.uid` (string,null)
    The unique identifier of the logging product instance.

  - `device.metadata.loggers.version` (string,null)
    The version of the logging product.

  - `device.metadata.modified_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.metadata.modified_time_dt` (string,null)
    The time when the event was last modified or enriched.

  - `device.metadata.original_time` (string,null)
    The original event time as reported by the event source. For example, the time in the original format from a system event log, such as Syslog on Unix/Linux or the System event file on Windows. Omit if the event is generated instead of collected via logs.

  - `device.metadata.processed_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.metadata.processed_time_dt` (string,null)
    The event processed time, such as an ETL operation.

  - `device.metadata.profiles` (array,null)
    The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.

  - `device.metadata.sequence` (integer,null)
    Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.

  - `device.metadata.tenant_uid` (string,null)
    The unique tenant identifier.

  - `device.metadata.uid` (string,null)
    The logging system-assigned unique identifier of an event instance.

  - `device.severity_id` (integer, required)
    SeverityId is an enum, and the following values are allowed.
0 - Unknown: The event/finding severity is unknown.
1 - Informational: Informational message. No action required.
2 - Low: The user decides if action is needed.
3 - Medium: Action is required but the situation is not serious at this time.
4 - High: Action is required immediately.
5 - Critical: Action is required immediately and the scope is broad.
6 - Fatal: An error occurred but it is too late to take remedial action.
99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.

  - `device.time` (integer, required)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.type_uid` (integer, required)
    TypeUid is an enum, and the following values are allowed.
500100 - Unknown
500101 - Log: The discovered information is via a log.
500102 - Collect: The discovered information is via a collection process.
500199 - Other

  - `device.activity_name` (string,null)
    The event activity name, as defined by the activity_id.

  - `device.actor` (object)
    The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.

  - `device.actor.actor_type` (string,null)
    The actor type, normalized to the caption of the actor_type_id value. In the case of 'Other', it is defined by the data source.

  - `device.actor.actor_type_id` (integer)
    ActorActorTypeId is an enum, and the following values are allowed.
0 - Unknown: The actor type is unknown.
1 - Internal: Internal actor.
2 - Guest: Guest actor.
3 - Federated: Federated actor.
99 - Other: The actor type is not mapped. See the actor_type attribute, which contains a data source specific value.

  - `device.actor.app_name` (string,null)
    The client application or service that initiated the activity. This can be in conjunction with the user if present. Note that app_name is distinct from the process if present.

  - `device.actor.app_uid` (string,null)
    The unique identifier of the client application or service that initiated the activity. This can be in conjunction with the user if present. Note that app_name is distinct from the process.pid or process.uid if present.

  - `device.actor.authorizations` (array,null)
    Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.

  - `device.actor.authorizations.decision` (string,null)
    Authorization Result/outcome, e.g. allowed, denied.

  - `device.actor.authorizations.policy` (object)
    The Policy object describes the policies that are applicable. Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.

  - `device.actor.authorizations.policy.desc` (string,null)
    The description of the policy.

  - `device.actor.authorizations.policy.group` (object)
    The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization.

  - `device.actor.authorizations.policy.is_applied` (boolean,null)
    A determination if the content of a policy was applied to a target or request, or not.

  - `device.actor.authorizations.policy.name` (string,null)
    The policy name. For example: IAM Policy.

  - `device.actor.authorizations.policy.uid` (string,null)
    A unique identifier of the policy instance.

  - `device.actor.authorizations.policy.version` (string,null)
    The policy version number.

  - `device.actor.groups` (array,null)
    Groups which are pertinent to the action. For example, the team name for Teams, where the user may not necessarily be a member of the group, but it is still relevant to the action taken.

  - `device.actor.idp` (object)
    The Identity Provider object contains detailed information about a provider responsible for creating, maintaining, and managing identity information while offering authentication services to applications. An Identity Provider (IdP) serves as a trusted authority that verifies the identity of users and issues authentication tokens or assertions to enable secure access to applications or services.

  - `device.actor.idp.name` (string,null)
    The name of the identity provider.

  - `device.actor.idp.uid` (string,null)
    The unique identifier of the identity provider.

  - `device.actor.invoked_by` (string,null)
    The name of the service that invoked the activity as described in the event.

  - `device.actor.process` (object)
    The Process object describes a running instance of a launched program. Defined by D3FEND d3f:Process.

  - `device.actor.process.auid` (integer,null)
    The audit user assigned at login by the audit subsystem.

  - `device.actor.process.cmd_line` (string,null)
    The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '' is to be used.

  - `device.actor.process.container` (object)
    The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.

  - `device.actor.process.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.actor.process.created_time_dt` (string,null)
    The time when the process was created/started.

  - `device.actor.process.egid` (integer,null)
    The effective group under which this process is running.

  - `device.actor.process.euid` (integer,null)
    The effective user under which this process is running.

  - `device.actor.process.file` (object)
    The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details. Defined by D3FEND d3f:File.

  - `device.actor.process.file.name` (string, required)
    File name. For example: text-file.txt.

  - `device.actor.process.file.type_id` (integer, required)
    FileTypeId is an enum, and the following values are allowed.
0 - Unknown: The type is unknown.
1 - RegularFile
2 - Folder
3 - CharacterDevice
4 - BlockDevice
5 - LocalSocket
6 - NamedPipe
7 - SymbolicLink
99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

  - `device.actor.process.file.accessed_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.actor.process.file.accessed_time_dt` (string,null)
    The time when the file was last accessed.

  - `device.actor.process.file.accessor` (object)
    The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.

  - `device.actor.process.file.accessor_app` (object)
    The Product object describes characteristics of a software product.

  - `device.actor.process.file.attributes` (integer,null)
    The bitmask value that represents the file attributes.

  - `device.actor.process.file.company_name` (string,null)
    The name of the company that published the file. For example: Microsoft Corporation.

  - `device.actor.process.file.confidentiality` (string,null)
    The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.

  - `device.actor.process.file.confidentiality_id` (integer)
    FileConfidentialityId is an enum, and the following values are allowed.
0 - Unknown: The confidentiality is unknown.
1 - NotConfidential
2 - Confidential
3 - Secret
4 - TopSecret
5 - Private
6 - Restricted
99 - Other: The confidentiality is not mapped. See the confidentiality attribute, which contains a data source specific value.

  - `device.actor.process.file.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.actor.process.file.created_time_dt` (string,null)
    The time when the file was created.

  - `device.actor.process.file.creator` (object)
    The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.

  - `device.actor.process.file.desc` (string,null)
    The description of the file, as returned by the file system. For example: the description as returned by the Unix file command or the Windows file type.

  - `device.actor.process.file.ext` (string,null)
    The extension of the file, excluding the leading dot. For example: exe from svchost.exe, or gz from export.tar.gz.

  - `device.actor.process.file.hashes` (array,null)
    An array of hash attributes.

  - `device.actor.process.file.is_system` (boolean,null)
    The indication of whether the object is part of the operating system.

  - `device.actor.process.file.labels` (array,null)
    Labels associated with the object, such as security or sensitivity labels created by a scanning app.

  - `device.actor.process.file.mime_type` (string,null)
    The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.

  - `device.actor.process.file.modified_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.actor.process.file.modified_time_dt` (string,null)
    The time when the file was last modified.

  - `device.actor.process.file.modifier` (object)
    The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.

  - `device.actor.process.file.owner` (object)
    The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.

  - `device.actor.process.file.parent_folder` (string,null)
    The parent folder in which the file resides. For example: c:\windows\system32.

  - `device.actor.process.file.path` (string,null)
    The full path to the file. For example: c:\windows\system32\svchost.exe.

  - `device.actor.process.file.product` (object)
    The Product object describes characteristics of a software product.

  - `device.actor.process.file.security_descriptor` (string,null)
    The object security descriptor.

  - `device.actor.process.file.signature` (object)
    The Digital Signature object contains information about the cryptographic mechanism used to verify the authenticity, integrity, and origin of the file or application.

  - `device.actor.process.file.signature.algorithm_id` (integer, required)
    DigitalSignatureAlgorithmId is an enum, and the following values are allowed.
0 - Unknown: The algorithm is unknown.
1 - DSA: Digital Signature Algorithm (DSA).
2 - RSA: Rivest-Shamir-Adleman (RSA) Algorithm.
3 - ECDSA: Elliptic Curve Digital Signature Algorithm.
4 - Authenticode: Microsoft Authenticode Digital Signature Algorithm.
99 - Other: The algorithm is not mapped. See the algorithm attribute, which contains a data source specific value.

  - `device.actor.process.file.signature.algorithm` (string,null)
    The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.

  - `device.actor.process.file.signature.certificate` (object)
    The Digital Certificate, also known as a Public Key Certificate, object contains information about the ownership and usage of a public key. It serves as a means to establish trust in the authenticity and integrity of the public key and the associated entity. Defined by D3FEND d3f:Certificate.

  - `device.actor.process.file.signature.certificate.fingerprints` (array, required)
    The fingerprint list of the certificate.

  - `device.actor.process.file.signature.certificate.issuer` (string, required)
    The certificate issuer distinguished name.

  - `device.actor.process.file.signature.certificate.serial_number` (string, required)
    The serial number of the certificate used to create the digital signature.

  - `device.actor.process.file.signature.certificate.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.actor.process.file.signature.certificate.created_time_dt` (string,null)
    The time when the certificate was created.

  - `device.actor.process.file.signature.certificate.expiration_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.actor.process.file.signature.certificate.expiration_time_dt` (string,null)
    The expiration time of the certificate.

  - `device.actor.process.file.signature.certificate.is_self_signed` (boolean,null)
    Denotes whether a digital certificate is self-signed or signed by a known certificate authority (CA).

  - `device.actor.process.file.signature.certificate.subject` (string,null)
    The certificate subject distinguished name.

  - `device.actor.process.file.signature.certificate.uid` (string,null)
    The unique identifier of the certificate.

  - `device.actor.process.file.signature.certificate.version` (string,null)
    The certificate version.

  - `device.actor.process.file.signature.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.actor.process.file.signature.created_time_dt` (string,null)
    The time when the digital signature was created.

  - `device.actor.process.file.signature.developer_uid` (string,null)
    The developer ID on the certificate that signed the file.

  - `device.actor.process.file.signature.digest` (object)
    The Fingerprint object provides detailed information about a digital fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key or file content. It contains the algorithm and value of the fingerprint, enabling efficient and reliable identification of the associated data.

  - `device.actor.process.file.signature.state` (string,null)
    The digital signature state, normalized to the caption of 'state_id'. In the case of 'Other', it is defined by the event source.

  - `device.actor.process.file.signature.state_id` (integer)
    DigitalSignatureStateId is an enum, and the following values are allowed.
0 - Unknown: The state is unknown.
1 - Valid: The digital signature is valid.
2 - Expired: The digital signature is not valid due to expiration of certificate.
3 - Revoked: The digital signature is invalid due to certificate revocation.
4 - Suspended: The digital signature is invalid due to certificate suspension.
5 - Pending: The digital signature state is pending.
99 - Other: The state is not mapped. See the state attribute, which contains a data source specific value.

  - `device.actor.process.file.size` (integer,null)
    The size of data, in bytes.

  - `device.actor.process.file.type` (string,null)
    The file type.

  - `device.actor.process.file.uid` (string,null)
    The unique identifier of the file as defined by the storage system, such as the file system file ID.

  - `device.actor.process.file.url` (object)
    The Uniform Resource Locator(URL) object describes the characteristics of a URL. Defined in RFC 1738 and by D3FEND d3f:URL.

  - `device.actor.process.file.url.categories` (array,null)
    The Website categorization names, as defined by category_ids enum values.

  - `device.actor.process.file.url.category_ids` (array,null)
    The Website categorization identifiers.

  - `device.actor.process.file.url.domain` (string,null)
    The domain portion of the URL. For example: example.com in https://sub.example.com.

  - `device.actor.process.file.url.hostname` (string)
    Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: r2-d2.example.com.

  - `device.actor.process.file.url.path` (string,null)
    The URL path as extracted from the URL. For example: /download/trouble from www.example.com/download/trouble.

  - `device.actor.process.file.url.port` (integer)
    The TCP/UDP port number. For example: 80 or 22.

  - `device.actor.process.file.url.query_string` (string,null)
    The query portion of the URL. For example: the query portion of the URL http://www.example.com/search?q=bad&sort=date is q=bad&sort=date.

  - `device.actor.process.file.url.resource_type` (string,null)
    The context in which a resource was retrieved in a web request.

  - `device.actor.process.file.url.scheme` (string,null)
    The scheme portion of the URL. For example: http, https, ftp, or sftp.

  - `device.actor.process.file.url.subdomain` (string,null)
    The subdomain portion of the URL. For example: sub in https://sub.example.com or sub2.sub1 in https://sub2.sub1.example.com.

  - `device.actor.process.file.url.url_string` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `device.actor.process.file.version` (string,null)
    The file version. For example: 8.0.7601.17514.

  - `device.actor.process.file.xattributes` (object)
    An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

  - `device.actor.process.group` (object)
    The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization.

  - `device.actor.process.integrity` (string,null)
    The process integrity level, normalized to the caption of the integrity_id value. In the case of 'Other', it is defined by the event source (Windows only).

  - `device.actor.process.integrity_id` (integer)
    ProcessIntegrityId is an enum, and the following values are allowed.
0 - Unknown: The integrity level is unknown.
1 - Untrusted
2 - Low
3 - Medium
4 - High
5 - System
6 - Protected
99 - Other: The integrity level is not mapped. See the integrity attribute, which contains a data source specific value.

  - `device.actor.process.lineage` (array,null)
    The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami'].

  - `device.actor.process.loaded_modules` (array,null)
    The list of loaded module names.

  - `device.actor.process.name` (string)
    Process name. For example: Notepad.

  - `device.actor.process.namespace_pid` (integer,null)
    If running under a process namespace (such as in a container), the process identifier within that process namespace.

  - `device.actor.process.parent_process` (object)
    An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

  - `device.actor.process.pid` (integer,null)
    The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.

  - `device.actor.process.sandbox` (string,null)
    The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.

  - `device.actor.process.session` (object)
    The Session object describes details about an authenticated session. e.g. Session Creation Time, Session Issuer. Defined by D3FEND d3f:Session.

  - `device.actor.process.session.count` (integer,null)
    The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time.

  - `device.actor.process.session.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.actor.process.session.created_time_dt` (string,null)
    The time when the session was created.

  - `device.actor.process.session.credential_uid` (string,null)
    The unique identifier of the user's credential. For example, AWS Access Key ID.

  - `device.actor.process.session.expiration_reason` (string,null)
    The reason which triggered the session expiration.

  - `device.actor.process.session.expiration_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.actor.process.session.expiration_time_dt` (string,null)
    The session expiration time.

  - `device.actor.process.session.is_mfa` (boolean,null)
    Indicates whether Multi Factor Authentication was used during authentication.

  - `device.actor.process.session.is_remote` (boolean,null)
    The indication of whether the session is remote.

  - `device.actor.process.session.is_vpn` (boolean,null)
    The indication of whether the session is a VPN session.

  - `device.actor.process.session.issuer` (string,null)
    The identifier of the session issuer.

  - `device.actor.process.session.terminal` (string,null)
    The Pseudo Terminal associated with the session. Ex: the tty or pts value.

  - `device.actor.process.session.uid` (string,null)
    The unique identifier of the session.

  - `device.actor.process.session.uid_alt` (string,null)
    The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session.

  - `device.actor.process.session.uuid` (string,null)
    The universally unique identifier of the session.

  - `device.actor.process.terminated_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.actor.process.terminated_time_dt` (string,null)
    The time when the process was terminated.

  - `device.actor.process.tid` (integer,null)
    The Identifier of the thread associated with the event, as returned by the operating system.

  - `device.actor.process.uid` (string,null)
    A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.

  - `device.actor.process.user` (object)
    The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.

  - `device.actor.process.xattributes` (object)
    An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

  - `device.actor.session` (object)
    The Session object describes details about an authenticated session. e.g. Session Creation Time, Session Issuer. Defined by D3FEND d3f:Session.

  - `device.actor.user` (object)
    The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.

  - `device.api` (object)
    The API, or Application Programming Interface, object represents information pertaining to an API request and response.

  - `device.api.operation` (string, required)
    Verb/Operation associated with the request

  - `device.api.group` (object)
    The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization.

  - `device.api.request` (object)
    The Request Elements object describes characteristics of an API request.

  - `device.api.request.uid` (string, required)
    The unique request identifier.

  - `device.api.request.containers` (array,null)
    When working with containerized applications, the set of containers which write to the standard output of a particular logging driver. For example, this may be the set of containers involved in handling API requests and responses for a containerized application.

  - `device.api.request.data` (any,null)
    The additional data that is associated with the api request.

  - `device.api.request.flags` (array,null)
    The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.

  - `device.api.response` (object)
    The Response Elements object describes characteristics of an API response.

  - `device.api.response.code` (integer,null)
    The numeric response sent to a request.

  - `device.api.response.containers` (array,null)
    When working with containerized applications, the set of containers which write to the standard output of a particular logging driver. For example, this may be the set of containers involved in handling API requests and responses for a containerized application.

  - `device.api.response.data` (any,null)
    The additional data that is associated with the api response.

  - `device.api.response.error` (string,null)
    Error Code

  - `device.api.response.error_message` (string,null)
    Error Message

  - `device.api.response.flags` (array,null)
    The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.

  - `device.api.response.message` (string,null)
    The description of the event/finding, as defined by the source.

  - `device.api.service` (object)
    The Service object describes characteristics of a service, e.g. AWS EC2.

  - `device.api.service.labels` (array,null)
    The list of labels associated with the service.

  - `device.api.service.name` (string,null)
    The name of the service.

  - `device.api.service.uid` (string,null)
    The unique identifier of the service.

  - `device.api.service.version` (string,null)
    The version of the service.

  - `device.api.version` (string,null)
    The version of the API service.

  - `device.category_name` (string,null)
    The event category name, as defined by category_uid value: Discovery.

  - `device.cloud` (object)
    The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.

  - `device.cloud.provider` (string, required)
    The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc.

  - `device.cloud.account` (object)
    The Account object contains details about the account that initiated or performed a specific activity within a system or application.

  - `device.cloud.org` (object)
    The Organization object describes characteristics of an organization or company and its division if any.

  - `device.cloud.project_uid` (string,null)
    The unique identifier of a Cloud project.

  - `device.cloud.region` (string,null)
    The name of the cloud region, as defined by the cloud provider.

  - `device.cloud.zone` (string,null)
    The availability zone in the cloud region, as defined by the cloud provider.

  - `device.count` (integer,null)
    The number of times that events in the same logical group occurred during the event Start Time to End Time period.

  - `device.custom_fields` (object)
    An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

  - `device.duration` (integer,null)
    The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.

  - `device.end_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.end_time_dt` (string,null)
    The end time of a time period, or the time of the most recent event included in the aggregate event.

  - `device.enrichments` (array,null)
    The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]

  - `device.enrichments.data` (any, required)
    The enrichment data associated with the attribute and value. The meaning of this data depends on the type of the enrichment record.

  - `device.enrichments.name` (string, required)
    The name of the attribute to which the enriched data pertains.

  - `device.enrichments.value` (string, required)
    The value of the attribute to which the enriched data pertains.

  - `device.enrichments.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.enrichments.created_time_dt` (string,null)
    The time when the enrichment data was generated.

  - `device.enrichments.desc` (string,null)
    A long description of the enrichment data.

  - `device.enrichments.provider` (string,null)
    The enrichment data provider name.

  - `device.enrichments.reputation` (object)
    The Reputation object describes the reputation/risk score of an entity (e.g. device, user, domain).

  - `device.enrichments.reputation.base_score` (number, required)
    The reputation score as reported by the event source.

  - `device.enrichments.reputation.score_id` (integer, required)
    ReputationScoreId is an enum, and the following values are allowed.
0 - Unknown: The reputation score is unknown.
1 - VerySafe: Long history of good behavior.
2 - Safe: Consistently good behavior.
3 - ProbablySafe: Reasonable history of good behavior.
4 - LeansSafe: Starting to establish a history of normal behavior.
5 - MaynotbeSafe: No established history of normal behavior.
6 - ExerciseCaution: Starting to establish a history of suspicious or risky behavior.
7 - Risky: A site with a history of suspicious or risky behavior (spam, scam, potentially unwanted software, potentially malicious).
8 - PossiblyMalicious: Strong possibility of maliciousness.
9 - ProbablyMalicious: Indicators of maliciousness.
10 - Malicious: Proven evidence of maliciousness.
99 - Other: The reputation score is not mapped. See the rep_score attribute, which contains a data source specific value.

  - `device.enrichments.reputation.provider` (string,null)
    The provider of the reputation information.

  - `device.enrichments.reputation.score` (string,null)
    The reputation score, normalized to the caption of the score_id value. In the case of 'Other', it is defined by the event source.

  - `device.enrichments.short_desc` (string,null)
    A short description of the enrichment data.

  - `device.enrichments.src_url` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `device.enrichments.type` (string,null)
    The enrichment type. For example: location.

  - `device.message` (string,null)
    The description of the event/finding, as defined by the source.

  - `device.observables` (array,null)
    The observables associated with the event or a finding.

  - `device.observables.name` (string, required)
    The full name of the observable attribute. The name is a pointer/reference to an attribute within the event data. For example: file.name.

  - `device.observables.type_id` (integer, required)
    ObservableTypeId is an enum, and the following values are allowed.
0 - Unknown: Unknown observable data type.
1 - Hostname: Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: r2-d2.example.com.
2 - IPAddress: Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, 192.168.200.24 or 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
3 - MACAddress: Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A.
4 - UserName: User name. For example: john_doe.
5 - EmailAddress: Email address. For example: john_doe@example.com.
6 - URLString: Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
7 - FileName: File name. For example: text-file.txt.
8 - Hash: Hash. A unique value that corresponds to the content of the file, image, ja3_hash or hassh found in the schema. For example MD5: 3172ac7e2b55cbb81f04a6e65855a628.
9 - ProcessName: Process name. For example: Notepad.
10 - ResourceUID: Resource unique identifier. For example, S3 Bucket name or EC2 Instance ID.
11 - Port: The TCP/UDP port number. For example: 80 or 22.
12 - Subnet: The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet. For example: 192.168.1.0/24 or 2001:0db8:85a3:0000::/64.
20 - Endpoint: The Endpoint object describes a physical or virtual device that connects to and exchanges information with a computer network. Some examples of endpoints are mobile devices, desktop computers, virtual machines, embedded devices, and servers. Internet-of-Things devices—like cameras, lighting, refrigerators, security systems, smart speakers, and thermostats—are also endpoints.
21 - User: The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.
22 - Email: The Email object describes the email metadata such as sender, recipients, and direction. Defined by D3FEND d3f:Email.
23 - UniformResourceLocator: The Uniform Resource Locator(URL) object describes the characteristics of a URL. Defined in RFC 1738 and by D3FEND d3f:URL.
24 - File: The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details. Defined by D3FEND d3f:File.
25 - Process: The Process object describes a running instance of a launched program. Defined by D3FEND d3f:Process.
26 - GeoLocation: The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND d3f:PhysicalLocation.
27 - Container: The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.
30 - Fingerprint: The Fingerprint object provides detailed information about a digital fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key or file content. It contains the algorithm and value of the fingerprint, enabling efficient and reliable identification of the associated data.
99 - Other: The observable data type is not mapped. See the type attribute, which may contain data source specific value.

  - `device.observables.reputation` (object)
    The Reputation object describes the reputation/risk score of an entity (e.g. device, user, domain).

  - `device.observables.type` (string,null)
    The observable value type name.

  - `device.observables.value` (string,null)
    The value associated with the observable attribute. The meaning of the value depends on the observable type. If the name refers to a scalar attribute, then the value is the value of the attribute. If the name refers to an object attribute, then the value is not populated.

  - `device.osint` (array,null)
    The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.

  - `device.osint.type_id` (integer, required)
    OsintTypeId is an enum, and the following values are allowed.
0 - Unknown: The indicator type is ambiguous or there is not a related indicator for the OSINT object.
1 - IPAddress: An IPv4 or IPv6 address.
2 - Domain: A fully-qualified domain name (FQDN), subdomain, or partial domain.
3 - Hostname: A hostname or computer name.
4 - Hash: Any type of hash e.g., MD5, SHA1, SHA2, BLAKE, BLAKE2, etc. generated from a file, malware sample, request header, or otherwise.
5 - URL: A Uniform Resource Locator (URL) or Uniform Resource Indicator (URI).
6 - UserAgent: A User Agent typically seen in HTTP request headers.
7 - DigitalCertificate: The serial number, fingerprint, or full content of an X.509 digital certificate.
8 - Email: The contents of an email or any related information to an email object.
9 - EmailAddress: An email address.
10 - Vulnerability: A CVE ID, CWE ID, or other identifier for a weakness, exploit, bug, or misconfiguration.
99 - Other: The indicator type is not directly listed.

  - `device.osint.value` (string, required)
    The actual indicator value in scope, e.g., a SHA-256 hash hexdigest or a domain name.

  - `device.osint.answers` (array,null)
    Any pertinent DNS answers information related to an indicator or OSINT analysis.

  - `device.osint.answers.rdata` (string, required)
    The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record.

  - `device.osint.answers.class` (string,null)
    The class of DNS data contained in this resource record. See RFC1035. For example: IN.

  - `device.osint.answers.flag_ids` (array,null)
    The list of DNS answer header flag IDs.

  - `device.osint.answers.flags` (array,null)
    The list of DNS answer header flags.

  - `device.osint.answers.packet_uid` (integer,null)
    The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.

  - `device.osint.answers.ttl` (integer,null)
    The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached.

  - `device.osint.answers.type` (string,null)
    The type of data contained in this resource record. See RFC1035. For example: CNAME.

  - `device.osint.attacks` (array,null)
    MITRE ATT&CK Tactics, Techniques, and/or Procedures (TTPs) pertinent to an indicator or OSINT analysis.

  - `device.osint.attacks.sub_technique` (object)
    The MITRE ATT&CK® Sub Technique object describes the sub technique ID and/or name associated to an attack, as defined by ATT&CK® Matrix.

  - `device.osint.attacks.sub_technique.name` (string,null)
    The name of the attack sub technique, as defined by ATT&CK® Matrix. For example: Scanning IP Blocks.

  - `device.osint.attacks.sub_technique.src_url` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `device.osint.attacks.sub_technique.uid` (string,null)
    The unique identifier of the attack sub technique, as defined by ATT&CK® Matrix. For example: T1595.001.

  - `device.osint.attacks.tactic` (object)
    The MITRE ATT&CK® Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by ATT&CK® Matrix.

  - `device.osint.attacks.tactic.name` (string,null)
    The tactic name that is associated with the attack technique, as defined by ATT&CK® Matrix. For example: Reconnaissance.

  - `device.osint.attacks.tactic.src_url` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `device.osint.attacks.tactic.uid` (string,null)
    The tactic ID that is associated with the attack technique, as defined by ATT&CK® Matrix. For example: TA0043.

  - `device.osint.attacks.tactics` (array,null)
    The Tactic object describes the tactic ID and/or tactic name that are associated with the attack technique, as defined by ATT&CK® Matrix.

  - `device.osint.attacks.technique` (object)
    The MITRE ATT&CK® Technique object describes the technique ID and/or name associated to an attack, as defined by ATT&CK® Matrix.

  - `device.osint.attacks.technique.name` (string,null)
    The name of the attack technique, as defined by ATT&CK® Matrix. For example: Active Scanning.

  - `device.osint.attacks.technique.src_url` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `device.osint.attacks.technique.uid` (string,null)
    The unique identifier of the attack technique, as defined by ATT&CK® Matrix. For example: T1595.

  - `device.osint.attacks.version` (string,null)
    The ATT&CK® Matrix version.

  - `device.osint.autonomous_system` (object)
    An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.

  - `device.osint.autonomous_system.name` (string,null)
    Organization name for the Autonomous System.

  - `device.osint.autonomous_system.number` (integer,null)
    Unique number that the AS is identified by.

  - `device.osint.comment` (string,null)
    Analyst commentary or source commentary about an indicator or OSINT analysis.

  - `device.osint.confidence` (string,null)
    The confidence of an indicator being malicious and/or pertinent, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source or analyst.

  - `device.osint.confidence_id` (integer)
    OsintConfidenceId is an enum, and the following values are allowed.
0 - Unknown: The normalized confidence is unknown.
1 - Low
2 - Medium
3 - High
99 - Other: The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.

  - `device.osint.email` (object)
    The Email object describes the email metadata such as sender, recipients, and direction. Defined by D3FEND d3f:Email.

  - `device.osint.email.from` (string, required)
    Email address. For example: john_doe@example.com.

  - `device.osint.email.to` (array, required)
    The email header To values, as defined by RFC 5322.

  - `device.osint.email.bcc` (array,null)
    The BCC recipients of the email. Similar to the cc field but for BCC recipients.

  - `device.osint.email.cc` (array,null)
    The email header Cc values, as defined by RFC 5322.

  - `device.osint.email.delivered_to` (string)
    Email address. For example: john_doe@example.com.

  - `device.osint.email.files` (array,null)
    The files that are part of the event or object.

  - `device.osint.email.is_externally_viewable` (boolean,null)
    True if the email is viewable externally (presumably by external users).

  - `device.osint.email.labels` (array,null)
    Labels associated with the object, such as security or sensitivity labels created by a scanning app.

  - `device.osint.email.message_uid` (string,null)
    The email header Message-Id value, as defined by RFC 5322.

  - `device.osint.email.raw_header` (string,null)
    The email authentication header.

  - `device.osint.email.reply_to` (string)
    Email address. For example: john_doe@example.com.

  - `device.osint.email.sender_mailbox_uid` (string,null)
    Unique ID of the sender mailbox. This is distinct from the sender's email address.

  - `device.osint.email.size` (integer,null)
    The size in bytes of the email, including attachments.

  - `device.osint.email.smtp_from` (string)
    Email address. For example: john_doe@example.com.

  - `device.osint.email.smtp_to` (array,null)
    The value of the SMTP envelope RCPT TO command.

  - `device.osint.email.subject` (string,null)
    The email header Subject value, as defined by RFC 5322.

  - `device.osint.email.time_sent` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.osint.email.time_sent_dt` (string,null)
    The time at which the email was sent.

  - `device.osint.email.uid` (string,null)
    The email unique identifier.

  - `device.osint.email.x_originating_ip` (array,null)
    The X-Originating-IP header identifying the email's originating IP address(es).

  - `device.osint.email_auth` (object)
    The Email Authentication object describes the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) attributes of an email.

  - `device.osint.email_auth.dkim` (string,null)
    The DomainKeys Identified Mail (DKIM) status of the email.

  - `device.osint.email_auth.dkim_domain` (string,null)
    The DomainKeys Identified Mail (DKIM) signing domain of the email.

  - `device.osint.email_auth.dkim_signature` (string,null)
    The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system.

  - `device.osint.email_auth.dmarc` (string,null)
    The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email.

  - `device.osint.email_auth.dmarc_override` (string,null)
    The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action.

  - `device.osint.email_auth.dmarc_policy` (string,null)
    The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status.

  - `device.osint.email_auth.spf` (string,null)
    The Sender Policy Framework (SPF) status of the email.

  - `device.osint.kill_chain` (array,null)
    Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis.

  - `device.osint.kill_chain.phase_id` (integer, required)
    KillChainPhasePhaseId is an enum, and the following values are allowed.
0 - Unknown: The kill chain phase is unknown.
1 - Reconnaissance: The attackers pick a target and perform a detailed analysis, start collecting information (email addresses, conferences information, etc.) and evaluate the victim’s vulnerabilities to determine how to exploit them.
2 - Weaponization: The attackers develop a malware weapon and aim to exploit the discovered vulnerabilities.
3 - Delivery: The intruders will use various tactics, such as phishing, infected USB drives, etc.
4 - Exploitation: The intruders start leveraging vulnerabilities to execute code on the victim’s system.
5 - Installation: The intruders install malware on the victim’s system.
6 - Control: Malware opens a command channel to enable the intruders to remotely manipulate the victim's system.
7 - ActionsonObjectives: With hands-on keyboard access, intruders accomplish the mission’s goal.
99 - Other: The kill chain phase is not mapped. See the phase attribute, which contains a data source specific value.

  - `device.osint.kill_chain.phase` (string,null)
    The cyber kill chain phase.

  - `device.osint.location` (object)
    The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND d3f:PhysicalLocation.

  - `device.osint.name` (string,null)
    The name of the entity.

  - `device.osint.signatures` (array,null)
    Any digital signatures or hashes related to an indicator or OSINT analysis.

  - `device.osint.src_url` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `device.osint.subdomains` (array,null)
    Any pertinent subdomain information - such as those generated by a Domain Generation Algorithm - related to an indicator or OSINT analysis.

  - `device.osint.tlp` (string)
    OsintTlp is an enum, and the following values are allowed.
AMBER - AMBER: TLP:AMBER is for limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. Note that TLP:AMBER+STRICT restricts sharing to the organization only. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER information with members of their own organization and its clients, but only on a need-to-know basis to protect their organization and its clients and prevent further harm. Note: if the source wants to restrict sharing to the organization only, they must specify TLP:AMBER+STRICT.
AMBER STRICT - AMBER_STRICT: TLP:AMBER+STRICT is for limited disclosure, restricted to the recipient's own organization only. It carries the same risk considerations as TLP:AMBER (information that requires support to be acted upon, yet risks privacy, reputation, or operations if shared beyond the organizations involved), but unlike plain TLP:AMBER it does not permit sharing with the organization's clients. Sources must specify TLP:AMBER+STRICT when they want sharing confined to the organization itself.
CLEAR - CLEAR: TLP:CLEAR denotes that recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
GREEN - GREEN: TLP:GREEN is for limited disclosure, recipients can spread this within their community. Sources may use TLP:GREEN when information is useful to increase awareness within their wider community. Recipients may share TLP:GREEN information with peers and partner organizations within their community, but not via publicly accessible channels. TLP:GREEN information may not be shared outside of the community. Note: when “community” is not defined, assume the cybersecurity/defense community.
RED - RED: TLP:RED is for the eyes and ears of individual recipients only, no further disclosure. Sources may use TLP:RED when information cannot be effectively acted upon without significant risk for the privacy, reputation, or operations of the organizations involved. Recipients may therefore not share TLP:RED information with anyone else. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting.

  - `device.osint.type` (string,null)
    The OSINT indicator type.

  - `device.osint.uid` (string,null)
    The unique identifier of the entity.

  - `device.osint.vendor_name` (string,null)
    The vendor name of a tool which generates intelligence or provides indicators.

  - `device.osint.vulnerabilities` (array,null)
    Any vulnerabilities related to an indicator or OSINT analysis.

  - `device.osint.vulnerabilities.affected_code` (array,null)
    List of Affected Code objects that describe details about code blocks identified as vulnerable.

  - `device.osint.vulnerabilities.affected_code.file` (object, required)
    The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details. Defined by D3FEND d3f:File.

  - `device.osint.vulnerabilities.affected_code.end_line` (integer,null)
    The line number of the last line of code block identified as vulnerable.

  - `device.osint.vulnerabilities.affected_code.owner` (object)
    The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.

  - `device.osint.vulnerabilities.affected_code.remediation` (object)
    The Remediation object describes the recommended remediation steps to address identified issue(s).

  - `device.osint.vulnerabilities.affected_code.remediation.desc` (string, required)
    The description of the remediation strategy.

  - `device.osint.vulnerabilities.affected_code.remediation.kb_article_list` (array,null)
    A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.

  - `device.osint.vulnerabilities.affected_code.remediation.kb_articles` (array,null)
    The KB article/s related to the entity. A KB Article contains metadata that describes the patch or an update.

  - `device.osint.vulnerabilities.affected_code.remediation.references` (array,null)
    A list of supporting URL/s, references that help describe the remediation strategy.

  - `device.osint.vulnerabilities.affected_code.start_line` (integer,null)
    The line number of the first line of code block identified as vulnerable.

  - `device.osint.vulnerabilities.affected_packages` (array,null)
    List of software packages identified as affected by a vulnerability/vulnerabilities.

  - `device.osint.vulnerabilities.affected_packages.name` (string, required)
    The software package name.

  - `device.osint.vulnerabilities.affected_packages.version` (string, required)
    The software package version.

  - `device.osint.vulnerabilities.affected_packages.architecture` (string,null)
    Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on.

  - `device.osint.vulnerabilities.affected_packages.cpe_name` (string,null)
    The Common Platform Enumeration (CPE) name for the software package.

  - `device.osint.vulnerabilities.affected_packages.epoch` (integer,null)
    The software package epoch. Epoch is a way to define weighted dependencies based on version numbers.

  - `device.osint.vulnerabilities.affected_packages.fixed_in_version` (string,null)
    The software package version in which a reported vulnerability was patched/fixed.

  - `device.osint.vulnerabilities.affected_packages.hash` (object)
    The Fingerprint object provides detailed information about a digital fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key or file content. It contains the algorithm and value of the fingerprint, enabling efficient and reliable identification of the associated data.

  - `device.osint.vulnerabilities.affected_packages.license` (string,null)
    The software license applied to this package.

  - `device.osint.vulnerabilities.affected_packages.package_manager` (string,null)
    The software packager manager utilized to manage a package on a system, e.g. npm, yum, dpkg etc.

  - `device.osint.vulnerabilities.affected_packages.path` (string,null)
    The installation path of the affected package.

  - `device.osint.vulnerabilities.affected_packages.purl` (string,null)
    A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.

  - `device.osint.vulnerabilities.affected_packages.release` (string,null)
    Release is the number of times a version of the software has been packaged.

  - `device.osint.vulnerabilities.affected_packages.remediation` (object)
    The Remediation object describes the recommended remediation steps to address identified issue(s).

  - `device.osint.vulnerabilities.affected_packages.type` (string,null)
    The type of software package, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the source.

  - `device.osint.vulnerabilities.affected_packages.type_id` (integer)
    AffectedPackageTypeId is an enum, and the following values are allowed.
0 - Unknown: The type is unknown.
1 - Application: An application software package.
2 - OperatingSystem: An operating system software package.
99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

  - `device.osint.vulnerabilities.affected_packages.vendor_name` (string,null)
    The name of the vendor who published the software package.

  - `device.osint.vulnerabilities.cve` (object)
    The Common Vulnerabilities and Exposures (CVE) object represents publicly disclosed cybersecurity vulnerabilities defined in the CVE Program catalog. There is one CVE Record for each vulnerability in the catalog.

  - `device.osint.vulnerabilities.cve.uid` (string, required)
    The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.

  - `device.osint.vulnerabilities.cve.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.osint.vulnerabilities.cve.created_time_dt` (string,null)
    The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

  - `device.osint.vulnerabilities.cve.cvss` (array,null)
    The CVSS object details Common Vulnerability Scoring System (CVSS) scores from the advisory that are related to the vulnerability.

  - `device.osint.vulnerabilities.cve.cvss.base_score` (number, required)
    The CVSS base score. For example: 9.1.

  - `device.osint.vulnerabilities.cve.cvss.version` (string, required)
    The CVSS version. For example: 3.1.

  - `device.osint.vulnerabilities.cve.cvss.depth` (string)
    CvssDepth is an enum, and the following values are allowed.
Base - Base
Environmental - Environmental
Temporal - Temporal

  - `device.osint.vulnerabilities.cve.cvss.metrics` (array,null)
    The Common Vulnerability Scoring System metrics. This attribute contains information on the CVE's impact. If the CVE has been analyzed, this attribute will contain any CVSSv2 or CVSSv3 information associated with the vulnerability. For example: { {"Access Vector", "Network"}, {"Access Complexity", "Low"}, ...}.

  - `device.osint.vulnerabilities.cve.cvss.overall_score` (number,null)
    The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1.

  - `device.osint.vulnerabilities.cve.cvss.severity` (string,null)
    The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score; the bands depend on the CVSS version.
CVSS v2.0: Low (0.0 - 3.9), Medium (4.0 - 6.9), High (7.0 - 10.0)
CVSS v3.0: None (0.0), Low (0.1 - 3.9), Medium (4.0 - 6.9), High (7.0 - 8.9), Critical (9.0 - 10.0)

  - `device.osint.vulnerabilities.cve.cvss.vector_string` (string,null)
    The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H (a v3.x vector string begins with the CVSS:<version>/ prefix, followed by the eight base metrics).

  - `device.osint.vulnerabilities.cve.cwe` (object)
    The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack. The CWE object is based on the Common Weakness Enumeration (CWE) catalog.

  - `device.osint.vulnerabilities.cve.cwe.uid` (string, required)
    The Common Weakness Enumeration unique number assigned to a specific weakness. A CWE Identifier begins "CWE" followed by a sequence of digits that acts as a unique identifier. For example: CWE-123.

  - `device.osint.vulnerabilities.cve.cwe.caption` (string,null)
    The caption assigned to the Common Weakness Enumeration unique identifier.

  - `device.osint.vulnerabilities.cve.cwe.src_url` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `device.osint.vulnerabilities.cve.cwe_uid` (string,null)
    The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.

  - `device.osint.vulnerabilities.cve.cwe_url` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `device.osint.vulnerabilities.cve.desc` (string,null)
    A brief description of the CVE Record.

  - `device.osint.vulnerabilities.cve.epss` (object)
    The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. EPSS is a community-driven effort to combine descriptive information about vulnerabilities (CVEs) with evidence of actual exploitation in the wild.

  - `device.osint.vulnerabilities.cve.epss.score` (string, required)
    The EPSS score representing the probability [0-1] of exploitation in the wild in the next 30 days (following score publication).

  - `device.osint.vulnerabilities.cve.epss.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.osint.vulnerabilities.cve.epss.created_time_dt` (string,null)
    The timestamp indicating when the EPSS score was calculated.

  - `device.osint.vulnerabilities.cve.epss.percentile` (number,null)
    The EPSS score's percentile representing relative importance and ranking of the score in the larger EPSS dataset.

  - `device.osint.vulnerabilities.cve.epss.version` (string,null)
    The version of the EPSS model used to calculate the score.

  - `device.osint.vulnerabilities.cve.modified_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.osint.vulnerabilities.cve.modified_time_dt` (string,null)
    The Record Modified Date identifies when the CVE record was last updated.

  - `device.osint.vulnerabilities.cve.product` (object)
    The Product object describes characteristics of a software product.

  - `device.osint.vulnerabilities.cve.references` (array,null)
    A list of reference URLs with additional information about the CVE Record.

  - `device.osint.vulnerabilities.cve.title` (string,null)
    A title or a brief phrase summarizing the CVE record.

  - `device.osint.vulnerabilities.cve.type` (string,null)
    The vulnerability type as selected from a large dropdown menu during CVE refinement. The most frequently used vulnerability types are: DoS, Code Execution, Overflow, Memory Corruption, Sql Injection, XSS, Directory Traversal, Http Response Splitting, Bypass something, Gain Information, Gain Privileges, CSRF, File Inclusion. For more information see the Vulnerabilities By Type distributions.

  - `device.osint.vulnerabilities.cwe` (object)
    The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack. The CWE object is based on the Common Weakness Enumeration (CWE) catalog.

  - `device.osint.vulnerabilities.desc` (string,null)
    The description of the vulnerability.

  - `device.osint.vulnerabilities.first_seen_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.osint.vulnerabilities.first_seen_time_dt` (string,null)
    The time when the vulnerability was first observed.

  - `device.osint.vulnerabilities.fix_available` (boolean,null)
    Indicates if a fix is available for the reported vulnerability.

  - `device.osint.vulnerabilities.is_exploit_available` (boolean,null)
    Indicates if an exploit or a PoC (proof-of-concept) is available for the reported vulnerability.

  - `device.osint.vulnerabilities.is_fix_available` (boolean,null)
    Indicates if a fix is available for the reported vulnerability.

  - `device.osint.vulnerabilities.kb_article_list` (array,null)
    A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.

  - `device.osint.vulnerabilities.kb_article_list.uid` (string, required)
    The unique identifier for the kb article.

  - `device.osint.vulnerabilities.kb_article_list.avg_timespan` (object)
    The Time Span object represents different time period durations. If a timespan is fractional, i.e. crosses one period, e.g. a week and 3 days, more than one member may be populated since each member is of integral type. In that case type_id, if present, should be set to Other.

  - `device.osint.vulnerabilities.kb_article_list.avg_timespan.duration` (integer,null)
    The duration of the time span in milliseconds.

  - `device.osint.vulnerabilities.kb_article_list.avg_timespan.duration_days` (integer,null)
    The duration of the time span in days.

  - `device.osint.vulnerabilities.kb_article_list.avg_timespan.duration_hours` (integer,null)
    The duration of the time span in hours.

  - `device.osint.vulnerabilities.kb_article_list.avg_timespan.duration_mins` (integer,null)
    The duration of the time span in minutes.

  - `device.osint.vulnerabilities.kb_article_list.avg_timespan.duration_months` (integer,null)
    The duration of the time span in months.

  - `device.osint.vulnerabilities.kb_article_list.avg_timespan.duration_secs` (integer,null)
    The duration of the time span in seconds.

  - `device.osint.vulnerabilities.kb_article_list.avg_timespan.duration_weeks` (integer,null)
    The duration of the time span in weeks.

  - `device.osint.vulnerabilities.kb_article_list.avg_timespan.duration_years` (integer,null)
    The duration of the time span in years.

  - `device.osint.vulnerabilities.kb_article_list.avg_timespan.type` (string,null)
    The type of time span duration the object represents.

  - `device.osint.vulnerabilities.kb_article_list.avg_timespan.type_id` (integer)
    TimespanTypeId is an enum, and the following values are allowed.
0 - Unknown: The type is unknown.
1 - Milliseconds
2 - Seconds
3 - Minutes
4 - Hours
5 - Days
6 - Weeks
7 - Months
8 - Years
99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

  - `device.osint.vulnerabilities.kb_article_list.bulletin` (string,null)
    The kb article bulletin identifier.

  - `device.osint.vulnerabilities.kb_article_list.classification` (string,null)
    The vendor's classification of the kb article.

  - `device.osint.vulnerabilities.kb_article_list.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.osint.vulnerabilities.kb_article_list.created_time_dt` (string,null)
    The date the kb article was released by the vendor.

  - `device.osint.vulnerabilities.kb_article_list.install_state` (string,null)
    The install state of the kb article.

  - `device.osint.vulnerabilities.kb_article_list.install_state_id` (integer)
    KbArticleInstallStateId is an enum, and the following values are allowed.
0 - Unknown: The normalized install state is unknown.
1 - Installed: The item is installed.
2 - NotInstalled: The item is not installed.
3 - InstalledPendingReboot: The item is installed pending reboot operation.
99 - Other: The install state is not mapped. See the install_state attribute, which contains a data source specific value.

  - `device.osint.vulnerabilities.kb_article_list.is_superseded` (boolean,null)
    Indicates whether the kb article has been superseded (replaced) by another.

  - `device.osint.vulnerabilities.kb_article_list.os` (object)
    The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows. Defined by D3FEND d3f:OperatingSystem.

  - `device.osint.vulnerabilities.kb_article_list.product` (object)
    The Product object describes characteristics of a software product.

  - `device.osint.vulnerabilities.kb_article_list.severity` (string,null)
    The severity of the kb article.

  - `device.osint.vulnerabilities.kb_article_list.size` (integer,null)
    The size in bytes for the kb article.

  - `device.osint.vulnerabilities.kb_article_list.src_url` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `device.osint.vulnerabilities.kb_article_list.title` (string,null)
    The title of the kb article.

  - `device.osint.vulnerabilities.kb_articles` (array,null)
    The KB article/s related to the entity. A KB Article contains metadata that describes the patch or an update.

  - `device.osint.vulnerabilities.last_seen_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.osint.vulnerabilities.last_seen_time_dt` (string,null)
    The time when the vulnerability was most recently observed.

  - `device.osint.vulnerabilities.packages` (array,null)
    List of vulnerable packages as identified by the security product.

  - `device.osint.vulnerabilities.packages.name` (string, required)
    The software package name.

  - `device.osint.vulnerabilities.packages.version` (string, required)
    The software package version.

  - `device.osint.vulnerabilities.packages.architecture` (string,null)
    Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on.

  - `device.osint.vulnerabilities.packages.cpe_name` (string,null)
    The Common Platform Enumeration (CPE) name for the software package.

  - `device.osint.vulnerabilities.packages.epoch` (integer,null)
    The software package epoch. Epoch is a way to define weighted dependencies based on version numbers.

  - `device.osint.vulnerabilities.packages.hash` (object)
    The Fingerprint object provides detailed information about a digital fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key or file content. It contains the algorithm and value of the fingerprint, enabling efficient and reliable identification of the associated data.

  - `device.osint.vulnerabilities.packages.license` (string,null)
    The software license applied to this package.

  - `device.osint.vulnerabilities.packages.purl` (string,null)
    A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.

  - `device.osint.vulnerabilities.packages.release` (string,null)
    Release is the number of times a version of the software has been packaged.

  - `device.osint.vulnerabilities.packages.type` (string,null)
    The type of software package, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the source.

  - `device.osint.vulnerabilities.packages.type_id` (integer)
    PackageTypeId is an enum, and the following values are allowed.
0 - Unknown: The type is unknown.
1 - Application: An application software package.
2 - OperatingSystem: An operating system software package.
99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

  - `device.osint.vulnerabilities.packages.vendor_name` (string,null)
    The name of the vendor who published the software package.

  - `device.osint.vulnerabilities.references` (array,null)
    A list of reference URLs with additional information about the vulnerability.

  - `device.osint.vulnerabilities.related_vulnerabilities` (array,null)
    List of vulnerabilities that are related to this vulnerability.

  - `device.osint.vulnerabilities.remediation` (object)
    The Remediation object describes the recommended remediation steps to address identified issue(s).

  - `device.osint.vulnerabilities.severity` (string,null)
    The vendor assigned severity of the vulnerability.

  - `device.osint.vulnerabilities.title` (string,null)
    A title or a brief phrase summarizing the discovered vulnerability.

  - `device.osint.vulnerabilities.vendor_name` (string,null)
    The name of the vendor that identified the vulnerability.
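
Several conventions recur across the `vulnerabilities` object above: `cve.uid` and `cwe.uid` follow fixed identifier forms, each `*_time` integer (milliseconds since the Unix epoch) is paired with a `*_time_dt` string, and each `type`-style caption must mirror its `*_id` value unless the id is 99 (Other), in which case the caption carries the source-specific value. The following added example, not code from the OCSF project or from this API, lints one `vulnerabilities[]` entry against those rules before it is submitted. The caption tables are copied from the PackageTypeId and KbArticleInstallStateId lists above; that `*_time_dt` strings are RFC 3339 timestamps is an assumption made here, and the sample entry is constructed.

```python
"""Consistency checks for a device.osint.vulnerabilities[] entry before submission."""
import re
from datetime import datetime, timezone
from typing import Any, Dict, List

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")   # CVE-<year>-<four or more digits>
CWE_RE = re.compile(r"^CWE-\d+$")

# Caption tables copied from the PackageTypeId and KbArticleInstallStateId lists above.
PACKAGE_TYPE = {0: "Unknown", 1: "Application", 2: "OperatingSystem", 99: "Other"}
INSTALL_STATE = {0: "Unknown", 1: "Installed", 2: "NotInstalled",
                 3: "InstalledPendingReboot", 99: "Other"}


def dt_to_epoch_ms(dt_string: str) -> int:
    """Parse an RFC 3339 timestamp (assumed format of *_time_dt) into epoch milliseconds."""
    dt = datetime.fromisoformat(dt_string.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)   # treat a bare timestamp as UTC
    return round(dt.timestamp() * 1000)


def check_time_pair(obj: Dict[str, Any], name: str, path: str) -> List[str]:
    """Flag a <name>_time integer that disagrees with its <name>_time_dt string."""
    ms, dt = obj.get(f"{name}_time"), obj.get(f"{name}_time_dt")
    if ms is None or dt is None:
        return []
    try:
        dt_ms = dt_to_epoch_ms(dt)
    except ValueError:
        return [f"{path}.{name}_time_dt: not an RFC 3339 timestamp: {dt!r}"]
    if abs(dt_ms - ms) >= 1000:   # tolerate sub-second truncation in either field
        return [f"{path}.{name}_time ({ms}) disagrees with {name}_time_dt ({dt})"]
    return []


def check_enum_pair(obj: Dict[str, Any], captions: Dict[int, str], path: str,
                    id_key: str = "type_id", caption_key: str = "type") -> List[str]:
    """Apply the schema rule: the caption mirrors the id, except for 99 (Other),
    where the caption carries the source-specific value and so must be present."""
    value_id, caption = obj.get(id_key), obj.get(caption_key)
    if value_id is None:
        return []
    if value_id not in captions:
        return [f"{path}.{id_key}: {value_id} is not a defined enum value"]
    if value_id == 99:
        return [] if caption else [f"{path}.{caption_key}: required when {id_key} is 99 (Other)"]
    if caption is not None and caption != captions[value_id]:
        return [f"{path}.{caption_key}: {caption!r} does not match {id_key}={value_id} ({captions[value_id]})"]
    return []


def lint_vulnerability(vuln: Dict[str, Any], path: str = "vulnerabilities[0]") -> List[str]:
    """Return human-readable problems; an empty list means the entry is consistent."""
    problems: List[str] = []
    cve = vuln.get("cve")
    if cve is not None:
        if not CVE_RE.match(cve.get("uid") or ""):
            problems.append(f"{path}.cve.uid: {cve.get('uid')!r} is not of the form CVE-YYYY-NNNN")
        for cwe_uid in (cve.get("cwe_uid"), (cve.get("cwe") or {}).get("uid")):
            if cwe_uid is not None and not CWE_RE.match(cwe_uid):
                problems.append(f"{path}.cve: CWE identifier {cwe_uid!r} is not of the form CWE-NNN")
        for name in ("created", "modified"):
            problems += check_time_pair(cve, name, f"{path}.cve")
    for name in ("first_seen", "last_seen"):
        problems += check_time_pair(vuln, name, path)
    for i, pkg in enumerate(vuln.get("packages") or []):
        problems += check_enum_pair(pkg, PACKAGE_TYPE, f"{path}.packages[{i}]")
    for i, kb in enumerate(vuln.get("kb_article_list") or []):
        problems += check_enum_pair(kb, INSTALL_STATE, f"{path}.kb_article_list[{i}]",
                                    "install_state_id", "install_state")
    return problems


# Constructed sample (not real vulnerability data) seeded with three inconsistencies.
SAMPLE_VULNERABILITY: Dict[str, Any] = {
    "cve": {
        "uid": "CVE-2021-12345",
        "cwe_uid": "787",                               # missing the CWE- prefix
        "created_time": 1618524549901,
        "created_time_dt": "2021-04-15T22:09:09.901Z",  # agrees with created_time
    },
    "first_seen_time": 1618524549901,
    "first_seen_time_dt": "2021-04-16T00:00:00Z",       # almost two hours after first_seen_time
    "packages": [
        {"name": "libexample", "version": "1.0.0", "type_id": 1, "type": "OperatingSystem"},
        {"name": "custom-agent", "version": "2.0", "type_id": 99, "type": "Container"},
    ],
    "kb_article_list": [
        {"uid": "KB1234567", "install_state_id": 3, "install_state": "InstalledPendingReboot"},
    ],
}

if __name__ == "__main__":
    for problem in lint_vulnerability(SAMPLE_VULNERABILITY):
        print(problem)
```

Running this before the POST catches inconsistencies locally; whatever the server finds later arrives as warnings in `messages.problems` of the 200 response, where `status`, `message` and `cause[].type` describe each issue. The `type_id` 99 branch is the one most often got wrong in practice: the caption is optional everywhere else but is the only place the source-specific value survives once the id says Other.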

  - `device.osint.whois` (object)
    The resources of a WHOIS record for a given domain. This can include domain names, IP address blocks, autonomous system information, and/or contact and registration information for a domain.

  - `device.osint.whois.autonomous_system` (object)
    An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.

  - `device.osint.whois.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.osint.whois.created_time_dt` (string,null)
    When the domain was registered or WHOIS entry was created.

  - `device.osint.whois.dnssec_status` (string,null)
    The normalized value of dnssec_status_id.

  - `device.osint.whois.dnssec_status_id` (integer)
    WhoisDnssecStatusId is an enum, and the following values are allowed.
0 - Unknown: The disposition is unknown.
1 - Signed: The related domain enables the signing of DNS records using DNSSEC.
2 - Unsigned: The related domain does not enable the signing of DNS records using DNSSEC.
99 - Other: The DNSSEC status is not mapped. See the dnssec_status attribute, which contains a data source specific value.

  - `device.osint.whois.domain` (string,null)
    The name of the domain.

  - `device.osint.whois.domain_contacts` (array,null)
    An array of Domain Contact objects.

  - `device.osint.whois.domain_contacts.type_id` (integer, required)
    DomainContactTypeId is an enum, and the following values are allowed.
0 - Unknown: The type is unknown.
1 - Registrant: The contact information provided is for the domain registrant.
2 - Administrative: The contact information provided is for the domain administrator.
3 - Technical: The contact information provided is for the domain technical lead.
4 - Billing: The contact information provided is for the domain billing lead.
5 - Abuse: The contact information provided is for the domain abuse contact.
99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

  - `device.osint.whois.domain_contacts.email_addr` (string)
    Email address. For example: john_doe@example.com.

  - `device.osint.whois.domain_contacts.location` (object)
    The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND d3f:PhysicalLocation.

  - `device.osint.whois.domain_contacts.name` (string,null)
    The individual or organization name for the contact.

  - `device.osint.whois.domain_contacts.phone_number` (string,null)
    The number associated with the phone.

  - `device.osint.whois.domain_contacts.type` (string,null)
    The Domain Contact type, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the source.

  - `device.osint.whois.domain_contacts.uid` (string,null)
    The unique identifier of the contact information, typically provided in WHOIS information.

  - `device.osint.whois.email_addr` (string)
    Email address. For example: john_doe@example.com.

  - `device.osint.whois.last_seen_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.osint.whois.last_seen_time_dt` (string,null)
    When the WHOIS record was last updated or seen at.

  - `device.osint.whois.name_servers` (array,null)
    A collection of name servers related to a domain registration or other record.

  - `device.osint.whois.phone_number` (string,null)
    The phone number for the registrar's abuse contact.

  - `device.osint.whois.registrar` (string,null)
    The domain registrar.

  - `device.osint.whois.status` (string,null)
    The status of a domain and its ability to be transferred, e.g., clientTransferProhibited.

  - `device.osint.whois.subdomains` (array,null)
    An array of subdomain strings. Can be used to collect several subdomains such as those from Domain Generation Algorithms (DGAs).

  - `device.osint.whois.subnet` (string)
    The subnet represented in CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet. For example: 192.168.1.0/24 or 2001:0db8:85a3:0000::/64.

  - `device.raw_data` (string,null)
    The raw event/finding data as received from the source.

  - `device.severity` (string,null)
    The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.

  - `device.start_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

  - `device.start_time_dt` (string,null)
    The start time of a time period, or the time of the least recent event included in the aggregate event.

  - `device.status` (string,null)
    The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.

  - `device.status_code` (string,null)
    The event status code, as reported by the event source. For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.

  - `device.status_detail` (string,null)
    The status detail contains additional information about the event/finding outcome.

  - `device.status_id` (integer)
    StatusId is an enum, and the following values are allowed.
0 - Unknown: The status is unknown.
1 - Success
2 - Failure
99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.

  - `device.time_dt` (string,null)
    The normalized event occurrence time or the finding creation time.

  - `device.timezone_offset` (integer,null)
    The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.

  - `device.type_name` (string,null)
    The event/finding type name, as defined by the type_uid.

  - `device.unmapped` (object)
    An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

## Response 200 fields (application/json):

  - `device` (object, required)
    Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.

  - `messages` (object)

  - `messages.problems` (array,null)
    Warnings or issues that occurred during processing that did not prevent the request from returning, but may indicate a problem or issue with expected processing behavior.

  - `messages.problems.occurred_at` (string, required)
    The date and time the problem occurred.

  - `messages.problems.status` (integer, required)
    The HTTP status code of the problem. Matches the HTTP response code sent by the server.

  - `messages.problems.instance` (string, required)
    A URI reference that identifies the specific occurrence of the problem. It may or may not yield further information if dereferenced.

  - `messages.problems.message` (string, required)
    A short, display-friendly summary of the problem.

  - `messages.problems.type` (string)
    A URI reference that identifies the type of problem that occurred. When the URI scheme is HTTP(s), it may or may not be possible to dereference the URL to a display-friendly description of the problem type.

  - `messages.problems.cause` (array,null)
    A list of the root cause(s) for this problem occurrence. Includes at minimum one root cause, and is otherwise an unordered list of causes.

  - `messages.problems.cause.type` (string, required)
    A URI reference that identifies the type of problem that occurred. When the URI scheme is HTTP(s), it may or may not be possible to dereference the URL to a display-friendly description of the problem type.

  - `messages.problems.cause.message` (string, required)
    A short, display-friendly summary of the problem.

  - `messages.problems.cause.detail` (string,null)
    A display-friendly and more detailed explanation of the problem. It may offer additional contextual detail, but may also be just a generic description of the problem.

  - `messages.problems.cause.remediation` (string,null)
    A display-friendly explanation for how to remediate the problem. This field may be omitted in case there are multiple problems, each with its own remediation, or if no remediation is possible.

  - `messages.problems.cause.context` (object)

  - `messages.problems.cause.context.parameter` (object)

  - `messages.problems.cause.context.parameter.id` (string, required)
    If the location of the parameter is body, this value is always a JSON Pointer, otherwise it's the name of the parameter.

  - `messages.problems.cause.context.parameter.location` (string, required)
    Enum: "header", "path", "query", "body"

  - `messages.problems.cause.context.parameter.value` (any,null)
    The given value of the parameter.

  - `messages.problems.cause.context.resources` (array,null)

  - `messages.problems.cause.context.resources.type` (string, required)
    Enum: "account", "bridge", "credential", "integration_point", "integration", "member", "operation", "organization_webhook", "role", "sub_org", "token", "transform"

  - `messages.problems.cause.context.resources.id` (string, required)
    ID of the related resource.

  - `messages.problems.cause.context.resources.rel` (string, required)
    Enum: "affected", "cause"

  - `messages.problems.cause.context.raw_error` (string,null)
    If available, this represents the underlying raw error, for example an error response from a Provider.

  - `messages.problems.cause.context.provider_details` (object,null)
    If available, this represents the underlying details from the provider. May include the error message, status code, and other details.

  - `messages.problems.detail` (string,null)
    A display-friendly and more detailed explanation of the problem. It may offer additional contextual detail, but may also be just a generic description of the problem.

  - `messages.problems.remediation` (string,null)
    A display-friendly explanation for how to remediate the problem. This field may be omitted in case there are multiple problems, each with its own remediation, or if no remediation is possible.

  - `messages.problems.context` (object)

  - `meta` (object)

  - `meta.stats` (object)

  - `meta.stats.count` (object,null)
    A count of total response times. If present, "*" will be all items, or they can be faceted into specific categories.

  - `meta.api` (object)

  - `meta.api.response` (object)

  - `meta.api.response.primary` (object)

  - `meta.api.response.primary.endpoint` (string, required)
    The endpoint URL of the primary API request made to fulfill the response.

  - `meta.api.response.primary.response` (string, required)
    The response from the primary API request.

  - `meta.api.response.list` (object,null)
    All responses from backing API calls, indexed by endpoint URL.

  - `meta.mapping` (object)

  - `meta.mapping.chains` (object)
    The list of mapping chains applied, indexed by operation ID. Each entry contains an array of mapping IDs.
