Device Security
Cortex XDR Attribute Reference
This reference lists the attributes that Device Security collects from Cortex XDR,
their names as stored in Device Security, and the Device Security fields they map to.
When Device Security integrates with Cortex XDR, it imports endpoint
and host inventory data to enrich the device inventory with telemetry from the Cortex
platform. The attributes in this reference cover endpoints, host inventory records,
application inventory, interfaces, knowledge base entries, and vulnerability (CVE)
findings.
The third-party attribute name in Device Security refers to the attribute name
as it appears in the Assets Inventory table and in Query Engine. This follows the format
of third-party-name.attribute-name.
When you view the attribute name in the Assets Inventory table column selector or on a
Device Details page, where the third-party name appears as a header for the
attributes section, the third-party name is removed from the attribute name.
For example, micrsoft_defender_xdr.macAddress would appear in the
Query Builder and in the Assets Inventory table, but under Device Details > Attributes > Integration Specific Attributes > Microsoft Defender, the attribute would appear as macAddress.
Endpoint Attributes
Device Security collects endpoint attributes from the Cortex XDR public API endpoints.
Each record describes a managed endpoint agent deployment.
The following table lists each Cortex XDR attribute, its name as stored in
Device Security, and the Device Security field it maps to (if applicable).
Cortex XDR Attribute | Device Security Attribute Name | Device Security Common Attribute* | Description |
|---|---|---|---|
"Cortex XDR" | — | Endpoint Protection Vendor | Endpoint protection vendor |
tags.server_tags | cortex_xdr.tags.server_tags | — | Server tags |
mac_address | cortex_xdr.mac_address | MAC; id | MAC address |
tags.endpoint_tags | cortex_xdr.tags.endpoint_tags | — | Endpoint tags |
endpoint_status | cortex_xdr.endpoint_status | Endpoint Protection | Endpoint protection status |
os_version | cortex_xdr.os_version | OS Version | Operating system version |
public_ip | cortex_xdr.public_ip | public_ip_address | Public IP address |
users | cortex_xdr.users | AD Username | Active Directory username |
domain | cortex_xdr.domain | AD Domain | Active Directory domain |
first_seen | cortex_xdr.first_seen | First Seen | Date when endpoint was first seen |
last_seen | cortex_xdr.last_seen | Last Activity | Date when endpoint was last seen |
active_directory | cortex_xdr.active_directory | AD Join Status | Active Directory join status |
operating_system | cortex_xdr.operating_system | raw_os | Operating system |
content_status | cortex_xdr.content_status | — | Content status |
tag_list | cortex_xdr.tags | — | Tag list |
assigned_extensions_policy | cortex_xdr.assigned_extensions_policy | — | Assigned extensions policy |
assigned_prevention_policy | cortex_xdr.assigned_prevention_policy | — | Assigned prevention policy |
last_content_update_time | cortex_xdr.last_content_update_time | — | Time of last content update |
content_release_timestamp | cortex_xdr.content_release_timestamp | — | Timestamp of content release |
scan_status | cortex_xdr.scan_status | — | Scan status |
operational_status | cortex_xdr.operational_status | — | Operational status |
group_name | cortex_xdr.group_name | — | Group name |
isolated_date | cortex_xdr.isolated_date | — | Date when endpoint was isolated |
is_isolated | cortex_xdr.is_isolated | — | Isolation status |
endpoint_version | cortex_xdr.endpoint_version | — | Endpoint version |
content_version | cortex_xdr.content_version | — | Content version |
ipv6 | cortex_xdr.ipv6 | — | IPv6 address |
ip | cortex_xdr.ip | ipv4_address | IP address |
endpoint_name | cortex_xdr.endpoint_name | Hostname | Device hostname |
endpoint_id | cortex_xdr.endpoint_id | — | Endpoint ID |
Host Inventory Attributes
Device Security collects host inventory attributes via Cortex XDR XQL host inventory
queries. Each record provides detailed hardware and software inventory for a managed host.
The following table lists each Cortex XDR attribute, its name as stored in
Device Security, and the Device Security field it maps to (if applicable).
Cortex XDR Attribute | Device Security Attribute Name | Device Security Common Attribute* | Description |
|---|---|---|---|
system_type | cortex_xdr.system_type | — | System type |
swap_memory | cortex_xdr.swap_memory | — | Swap memory |
serial_number | cortex_xdr.serial_number | Serial Number | Device serial number |
report_timestamp | cortex_xdr.report_timestamp | — | Report timestamp |
product_type | cortex_xdr.product_type | — | Product type |
processor_architecture | cortex_xdr.processor_architecture | — | Processor architecture |
platform | cortex_xdr.platform | — | Platform |
physical_memory | cortex_xdr.physical_memory | — | Physical memory |
model | cortex_xdr.model | raw_model | Model |
manufacturer | cortex_xdr.manufacturer | Vendor | Device vendor |
minor_version | cortex_xdr.minor_version | — | Minor version |
major_version | cortex_xdr.major_version | OS Version | Operating system version |
ip_address | cortex_xdr.ip_address | ipv4_address | IP address |
hardware_uuid | cortex_xdr.hardware_uuid | — | Hardware UUID |
endpoint_type | cortex_xdr.endpoint_type | — | Endpoint type |
endpoint_id | cortex_xdr.endpoint_id | — | Endpoint ID |
endpoint_alias | cortex_xdr.endpoint_alias | — | Endpoint alias |
csdversion | cortex_xdr.csdversion | — | CSD version |
chassis_sku_number | cortex_xdr.chassis_sku_number | — | Chassis SKU number |
build_number | cortex_xdr.build_number | OS Build Number | Operating system build number |
mac_address | cortex_xdr.mac_address | MAC; id | MAC address |
endpoint_domain | cortex_xdr.endpoint_domain | AD Domain | Endpoint domain |
os_caption | cortex_xdr.os_caption | raw_os | OS caption |
endpoint_name | — | Hostname | Device hostname |
Application Inventory Attributes
Device Security collects application inventory attributes via Cortex XDR XQL queries.
Each record describes a software application installed on a managed endpoint.
The following table lists each Cortex XDR attribute, its name as stored in
Device Security, and the Device Security field it maps to (if applicable).
Cortex XDR Attribute | Device Security Attribute Name | Device Security Common Attribute* | Description |
|---|---|---|---|
mac_address | cortex_xdr.mac_address | MAC; id | MAC address |
ip_address | cortex_xdr.ip_address | ipv4_address | IP address |
endpoint_type | cortex_xdr.endpoint_type | — | Endpoint type |
platform | cortex_xdr.platform | — | Platform |
endpoint_id | cortex_xdr.endpoint_id | — | Endpoint ID |
endpoint_domain | cortex_xdr.endpoint_domain | — | Endpoint domain |
endpoint_alias | cortex_xdr.endpoint_alias | — | Endpoint alias |
installed_software | — | third_party_learned_installed_software | Third party learned installed software |
endpoint_name | — | Hostname | Device hostname |
Host Inventory Endpoint Attributes
Device Security collects endpoint-level inventory attributes via Cortex XDR XQL host
inventory endpoint queries. Each record provides endpoint configuration and identity
details from the host inventory.
The following table lists each Cortex XDR attribute, its name as stored in
Device Security, and the Device Security field it maps to (if applicable).
Cortex XDR Attribute | Device Security Attribute Name | Device Security Common Attribute* | Description |
|---|---|---|---|
severity_score | cortex_xdr.severity_score | — | Severity score |
severity | cortex_xdr.severity | — | Severity |
os_type | cortex_xdr.os_type | os_type | OS type |
operating_system | cortex_xdr.operating_system | raw_os | Operating system |
mac_address | cortex_xdr.mac_address | MAC; id | MAC address |
last_report_time | cortex_xdr.last_report_time | — | Last report time |
last_calculation_time | cortex_xdr.last_calculation_time | — | Last calculation time |
kernel_version | cortex_xdr.kernel_version | latest_firmware_version | Latest firmware version |
ip_address | cortex_xdr.ip_address | ipv4_address | IP address |
group_names | cortex_xdr.group_names | — | Group names |
endpoint_type | cortex_xdr.endpoint_type | — | Endpoint type |
endpoint_status | cortex_xdr.endpoint_status | — | Endpoint status |
architecture | cortex_xdr.architecture | — | Architecture |
endpoint_name | cortex_xdr.endpoint_name | Hostname | Device hostname |
endpoint_id | cortex_xdr.endpoint_id | — | Endpoint ID |
Knowledge Base (KB) Attributes
Device Security collects installed knowledge base (patch/hotfix) attributes via
Cortex XDR XQL queries. Each record describes an installed Windows KB patch on a
managed endpoint.
The following table lists each Cortex XDR attribute, its name as stored in
Device Security, and the Device Security field it maps to (if applicable).
Cortex XDR Attribute | Device Security Attribute Name | Device Security Common Attribute* | Description |
|---|---|---|---|
kbs | — | OS KB Articles | OS knowledge base articles |
mac_address | cortex_xdr.mac_address | id | MAC address |
ip_address | cortex_xdr.ip_address | ipv4_address | IP address |
endpoint_type | cortex_xdr.endpoint_type | — | Endpoint type |
platform | cortex_xdr.platform | — | Platform |
endpoint_id | cortex_xdr.endpoint_id | — | Endpoint ID |
endpoint_domain | cortex_xdr.endpoint_domain | — | Endpoint domain |
endpoint_alias | cortex_xdr.endpoint_alias | — | Endpoint alias |
endpoint_name | — | Hostname | Device hostname |
Endpoint Interface Attributes
Device Security collects network interface attributes from the Cortex XDR public API
endpoint interface data. Each record describes a network interface on a managed endpoint.
The following table lists each Cortex XDR attribute, its name as stored in
Device Security, and the Device Security field it maps to (if applicable).
Cortex XDR Attribute | Device Security Attribute Name | Device Security Common Attribute* | Description |
|---|---|---|---|
mac_address, ip | — | third_party_learned_network_interfaces | Third party learned network interfaces |
ip | cortex_xdr.ip | ipv4_address | IP address |
mac_address | cortex_xdr.mac_address | id, MAC | MAC address |
Host Inventory Interface Attributes
Device Security collects network interface attributes via Cortex XDR XQL host
inventory interface queries. Each record describes a network interface from the host
inventory data.
The following table lists each Cortex XDR attribute, its name as stored in
Device Security, and the Device Security field it maps to (if applicable).
Cortex XDR Attribute | Device Security Attribute Name | Device Security Common Attribute* | Description |
|---|---|---|---|
mac_address, ip_address | — | third_party_learned_network_interfaces | Third party learned network interfaces |
mac_address | cortex_xdr.mac_address | id, MAC | MAC address |
ip_address | cortex_xdr.ip_address | ipv4_address | IP address |
Vulnerability (CVE) Attributes
Device Security collects CVE vulnerability attributes via Cortex XDR XQL host inventory
CVE queries. Each record describes a CVE vulnerability identified on a managed endpoint.
The following table lists each Cortex XDR attribute, its name as stored in
Device Security, and the Device Security field it maps to (if applicable).
Cortex XDR Attribute | Device Security Attribute Name | Device Security Common Attribute* | Description |
|---|---|---|---|
ip_address | cortex_xdr.ip_address | ipv4_address | IP address |
cves | — | cve | Common vulnerabilities and exposures |
mac_address | cortex_xdr.mac_address | id | MAC address |
* Only some attributes map to a Device Security Common Attribute.