Caption | Name | Requirement | Type | Description |
---|---|---|---|---|
End Time | active | recommended | :ref:`boolean_t <boolean_t>` | Derived from OCSF Device.end_time. Device.end_time: The end time of when a particular state of the user was valid. Using the ``start_time`` and ``end_time`` together bounds the time when a particular user state was valid. If there is no ``end_time``, this is the current state of the user as DataBee understands it. There will only ever be a single user for which the ``end_time`` is ``null``. |
Created Time | created_time | optional | :ref:`timestamp_t <timestamp_t>` | Derived from OCSF Device.created_time. Device.created_time: The time when the device was known to have been created. |
ID | device_id | required | :ref:`integer_t <integer_t>` | Derived from OCSF Device.id. Device.id: The unique identifier used by DataBee for a specific device. This will be logged as ``device_id`` in activity tables to link to a particular device in this table. This field should not be mapped manually, as the DataBee product populates it itself. |
Domain | domain | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.domain. Device.domain: The network domain where the device resides. For example: ``work.example.com``. |
End Time | end_time | recommended | :ref:`timestamp_t <timestamp_t>` | Derived from OCSF Device.end_time. Device.end_time: The end time of when a particular state of the user was valid. Using the ``start_time`` and ``end_time`` together bounds the time when a particular user state was valid. If there is no ``end_time``, this is the current state of the user as DataBee understands it. There will only ever be a single user for which the ``end_time`` is ``null``. |
Environment | environment | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.environment. Device.environment: The operational environment in which the device exists. For example: Production, Development, QA. |
First Seen | first_seen_time | optional | :ref:`timestamp_t <timestamp_t>` | Derived from OCSF Device.first_seen_time. Device.first_seen_time: The initial discovery time of the device. |
Groups Name | group_names | optional | :ref:`string_t Array <string_t>` | Derived from OCSF Device.groups.name. Device.groups: The group names to which the device belongs. For example: ``['Windows Laptops', 'Engineering']``. Group.name: The group name. |
Hostname | hostname | recommended | :ref:`string_t <string_t>` | Derived from OCSF Device.hostname. Device.hostname: The device hostname. |
Hardware Info BIOS Manufacturer | hw_info_bios_manufacturer | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.hw_info.bios_manufacturer. Device.hw_info: The endpoint hardware information. DeviceHwInfo.bios_manufacturer: The BIOS manufacturer. For example: ``LENOVO``. |
Hardware Info Serial Number | hw_info_serial_number | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.hw_info.serial_number. Device.hw_info: The endpoint hardware information. DeviceHwInfo.serial_number: The device manufacturer serial number. |
Hypervisor | hypervisor | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.hypervisor. Device.hypervisor: The name of the hypervisor running on the device. For example: ``Xen``, ``VMware``, ``Hyper-V``, ``VirtualBox``, etc. |
Image Name | image_name | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.image.name. Device.image: The image used as a template to run the virtual machine. Image.name: The image name. For example: ``elixir``. |
IMEI | imei | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.imei. Device.imei: The International Mobile Station Equipment Identifier that is associated with the device. For example: ``123456789012345``. |
Instance ID | instance_uid | recommended | :ref:`string_t <string_t>` | Derived from OCSF Device.instance_uid. Device.instance_uid: The unique identifier of a VM instance. For example: ``56 4d ef 2d 3f d4 14 e2-2e 04 c5 34 3a ec ee 65`` for a VMware UUID. |
IP Address | ip | recommended | :ref:`string_t <string_t>` | Derived from OCSF Device.ip. Device.ip: The device IP address, in either IPv4 or IPv6 format. |
Compliant Device | is_compliant | optional | :ref:`boolean_t <boolean_t>` | Derived from OCSF Device.is_compliant. Device.is_compliant: The event occurred on a compliant device. |
Managed Device | is_managed | optional | :ref:`boolean_t <boolean_t>` | Derived from OCSF Device.is_managed. Device.is_managed: The event occurred on a managed device. |
Personal Device | is_personal | optional | :ref:`boolean_t <boolean_t>` | Derived from OCSF Device.is_personal. Device.is_personal: The event occurred on a personal device. |
Trusted Device | is_trusted | optional | :ref:`boolean_t <boolean_t>` | Derived from OCSF Device.is_trusted. Device.is_trusted: The event occurred on a trusted device. |
Last Seen | last_seen_time | optional | :ref:`timestamp_t <timestamp_t>` | Derived from OCSF Device.last_seen_time. Device.last_seen_time: The most recent discovery time of the device. |
Geo Location City | location_city | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.location.city. Device.location: The geographical location of the device. Location.city: The name of the city. For example: san diego. |
Geo Location Country | location_country | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.location.country. Device.location: The geographical location of the device. Location.country: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see `ISO 3166-1 alpha-2 codes <https://www.iso.org/obp/ui/#iso:pub:PUB500001:en>`_. |
MAC Address | mac | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.mac. Device.mac: The Media Access Control (MAC) address of the endpoint. |
Modified Time | modified_time | optional | :ref:`timestamp_t <timestamp_t>` | Derived from OCSF Device.modified_time. Device.modified_time: The time when the device was last known to have been modified. |
Network Interfaces Hostname | network_interfaces_hostnames | optional | :ref:`string_t Array <string_t>` | Derived from OCSF Device.network_interfaces.hostname. Device.network_interfaces: The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination. **Note:** The first element of the array is the network information that pertains to the event. NetworkInterface.hostname: The hostname associated with the network interface. |
Network Interfaces IP Address | network_interfaces_ips | optional | :ref:`string_t Array <string_t>` | Derived from OCSF Device.network_interfaces.ip. Device.network_interfaces: The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination. **Note:** The first element of the array is the network information that pertains to the event. NetworkInterface.ip: The IP address associated with the network interface. |
Network Interfaces MAC Address | network_interfaces_macs | optional | :ref:`string_t Array <string_t>` | Derived from OCSF Device.network_interfaces.mac. Device.network_interfaces: The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination. **Note:** The first element of the array is the network information that pertains to the event. NetworkInterface.mac: The MAC address of the network interface. |
Organization Name | org_name | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.org.name. Device.org: Organization and org unit related to the device. Organization.name: The name of the organization. For example: Widget, Inc. |
Organization Org Unit Name | org_ou_name | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.org.ou_name. Device.org: Organization and org unit related to the device. Organization.ou_name: The name of the organizational unit within an organization. For example: Finance, IT, R&D. |
OS Name | os_name | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.os.name. Device.os: The endpoint operating system. Os.name: The operating system name. |
OS Type | os_type | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.os.type. Device.os: The endpoint operating system. Os.type: The type of the operating system. |
OS Version | os_version | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.os.version. Device.os: The endpoint operating system. Os.version: The version of the OS running on the device that originated the event. For example: 'Windows 10', 'OS X 10.7', or 'iOS 9'. |
Owner Email Address | owner_email_addr | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.owner.email_addr. Device.owner: The primary owner of a device. User.email_addr: The user's primary email address. For example: ``noone@nowhere.ru``. |
Owner Employee ID | owner_employee_uid | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.owner.employee_uid. Device.owner: The primary owner of a device. User.employee_uid: The employee identifier assigned to the user by the organization. |
Owner Full Name | owner_full_name | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.owner.full_name. Device.owner: The primary owner of a device. User.full_name: The full name of the person, as per the LDAP Common Name attribute (cn). |
Owner Name | owner_name | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.owner.name. Device.owner: The primary owner of a device. User.name: The username. For example: ``janedoe1``. |
Owner ID | owner_user_id | optional | :ref:`integer_t <integer_t>` | Derived from OCSF Device.owner.id. Device.owner: The primary owner of a device. User.id: The unique identifier used by DataBee for a specific user. This will be logged as ``user_id`` in activity tables to link to a particular user in this table. This field should not be mapped manually, as the DataBee product populates it itself. |
Record Created At | record_created_at | required | :ref:`timestamp_t <timestamp_t>` | CDP-generated timestamp of when the record was created. |
Record Updated At | record_updated_at | required | :ref:`timestamp_t <timestamp_t>` | CDP-generated timestamp of when the record was last updated. |
Region | region | recommended | :ref:`string_t <string_t>` | Derived from OCSF Device.region. Device.region: The region where the virtual machine is located. For example: an AWS Region. |
Selected Owner Selected On | selected_on | optional | :ref:`timestamp_t <timestamp_t>` | Derived from OCSF Device.selected_owner.selected_on. Device.selected_owner: The owner selected by a DataBee user to assign to a device. Keys in the object are ``user_id`` (integer), ``user_email`` (string) and ``selected_on`` (datetime). SelectedOwner.selected_on: The time when the owner selection was made. |
Selected Owner User Email | selected_owner_user_email | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.selected_owner.user_email. Device.selected_owner: The owner selected by a DataBee user to assign to a device. Keys in the object are ``user_id`` (integer), ``user_email`` (string) and ``selected_on`` (datetime). SelectedOwner.user_email: The email address of the DataBee user that made the selection. |
Selected Owner User ID | selected_owner_user_id | optional | :ref:`integer_t <integer_t>` | Derived from OCSF Device.selected_owner.user_id. Device.selected_owner: The owner selected by a DataBee user to assign to a device. Keys in the object are ``user_id`` (integer), ``user_email`` (string) and ``selected_on`` (datetime). SelectedOwner.user_id: The id that DataBee uses to link this selection to a specific user. |
Backtrace | sources | recommended | :ref:`string_t Array <string_t>` | Derived from OCSF Device.backtrace. Device.backtrace: This object is a key-value set that relates each field in the user to the earliest raw event that gave DataBee that particular value in the correlation. For example: ``{'email_addr': 'email_activity.key=123456'}``. |
Start Time | start_time | required | :ref:`timestamp_t <timestamp_t>` | Derived from OCSF Device.start_time. Device.start_time: The start time when a particular state of the user became valid. |
Type | type | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.type. Device.type: The device type. For example: ``unknown``, ``server``, ``desktop``, ``laptop``, ``tablet``, ``mobile``, ``virtual``, ``browser``, or ``other``. |
VPC UID | vpc_uid | optional | :ref:`string_t <string_t>` | Derived from OCSF Device.vpc_uid. Device.vpc_uid: The unique identifier of the Virtual Private Cloud (VPC). For example: often the VPC ARN, similar to ``arn:aws:ec2:us-east-1:123456789012:vpc/vpc-1234567890abcdef0``. |
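The field descriptions above impose rules on a device's state history: ``device_id``, ``start_time`` and the ``record_*`` stamps are required, ``type`` is drawn from a fixed set, and at most one row per device may carry a ``null`` ``end_time`` (its current state). The check below is an added example, not DataBee code; the row layout, the ISO 8601 timestamp strings and the sample rows are constructed assumptions, and only the column names come from this page.

```python
# Added example, not DataBee code: checks the state-history rules the Device
# field descriptions spell out. Rows are constructed dicts keyed by the column
# names on the page; timestamps are assumed to be ISO 8601 strings.
from collections import defaultdict
from datetime import datetime

REQUIRED = ("device_id", "start_time", "record_created_at", "record_updated_at")
DEVICE_TYPES = {"unknown", "server", "desktop", "laptop", "tablet",
                "mobile", "virtual", "browser", "other"}

def _ts(value):
    return datetime.fromisoformat(value) if value else None

def validate_device_history(rows):
    """Return rule violations (empty list when consistent): required fields set,
    ``type`` in the enumerated set, at most one null ``end_time`` per device,
    and no overlap between consecutive states of one device."""
    problems, by_device = [], defaultdict(list)
    for row in rows:
        dev = row.get("device_id")
        for field in REQUIRED:
            if row.get(field) is None:
                problems.append(f"{dev}: missing required field {field}")
        if row.get("type") is not None and row["type"] not in DEVICE_TYPES:
            problems.append(f"{dev}: unknown type {row['type']!r}")
        by_device[dev].append(row)
    for dev, states in by_device.items():
        open_states = [s for s in states if s.get("end_time") is None]
        if len(open_states) > 1:
            problems.append(f"{dev}: {len(open_states)} rows with null end_time")
        ordered = sorted((s for s in states if s.get("start_time")),
                         key=lambda s: _ts(s["start_time"]))
        for prev, cur in zip(ordered, ordered[1:]):
            # Each earlier state must be closed no later than the next one starts.
            prev_end = _ts(prev.get("end_time"))
            if prev_end is None or prev_end > _ts(cur["start_time"]):
                problems.append(f"{dev}: state from {prev['start_time']} "
                                f"overlaps state from {cur['start_time']}")
    return problems

def current_state(rows, device_id):
    """The single row with a null end_time is the device's current state."""
    return next((r for r in rows if r.get("device_id") == device_id
                 and r.get("end_time") is None), None)

def _row(dev, typ, start, end=None, **extra):  # constructed-row builder
    return {"device_id": dev, "type": typ, "start_time": start, "end_time": end,
            "record_created_at": start, "record_updated_at": start, **extra}

SAMPLE_ROWS = [  # device 1 is a clean history; device 2 breaks the rules
    _row(1, "laptop", "2024-01-10T08:00:00+00:00", "2024-03-01T12:00:00+00:00"),
    _row(1, "laptop", "2024-03-01T12:00:00+00:00", is_managed=True),
    _row(2, "rack", "2024-02-01T00:00:00+00:00"),    # bad type and never closed
    _row(2, "server", "2024-02-15T00:00:00+00:00"),  # second open state for device 2
]
```

Running ``validate_device_history(SAMPLE_ROWS)`` reports three violations for device 2 and none for device 1, whose earlier state closes exactly when the next one begins.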