Discover

Absolute Insights のインターフェースは英語版のみご用意しています。そのため、Absolute Insights に関連するすべてのヘルプトピックは英語で記載されています。

Use the Discover area to search and filter your data using the Available fields for your account.

Discover is filtered to show the data collected from your Active devices over a specified time range; Inactive and Disabled devices are excluded. Empty fields are also excluded from Discover. Not all Available fields are available for every platform.

For all data fields included on the Executive Summary dashboard, the default time range is set to 7 days, while all other data fields are set to 30 days. You can select a different time range using Kibana's time range filter. The total amount of historical data that is available depends on your data retention period.

You can work with the Discover area in a number of ways, including:

Changing the time range
Searching for and filtering the data
Adding or removing fields as columns
Exporting documents to a CSV file

Document types

There are different document types available in Insights. Each document has associated Available fields to use in search and filter. The document type is specified in the docType field. Some document types also have a subtype, which is specified in the docSubType field. The following document types are available in Insights:

Hardware
- docType: hdc
- docSubType: general
Anti-Malware
- docType: avp
- docSubType: -
Application Resilience
- docType: rar
- docSubType: -
Application Usage
- docType: aur
- docSubStype: app-instance and exe-instance
Custom Data Collection
- docType: cdc
- docSubType: -
Device usage
- docType: dur
- docSubType: event and usage
Endpoint Data Discovery
- docType: edd
- docSubType: edd-match-summary and edd-file-scan
Events Changes
- docType: evtd
- docSubType: -
Full-Disk Encryption
- docType: esp
- docSubType: -
Installed Applications
- docType: sng
- docSubType: app-list and app-info
Web usage
- docType: wma
- docSubType: -

Hardware

Hardware data points デバイスの Secure Endpoint Agent によってデバイス上で検出され、Absolute モニタリングセンターに通信される離散的な情報の単位。 are automatically collected on your devices by the Secure Endpoint Agent. For Chromebook devices, data points are collected using the Chromebook extension. The data points appear in Kibana as Available fields.

For more information, see:

Prerequisites

To populate the Available fields in Insights, devices must be actively calling in to the Absolute Monitoring Center. Other prerequisites are listed in the individual categories.

Document type

Documents containing hardware fields have the following document types:

docType: hdc
docSubType: general

Available fields

The Available fields for Hardware are grouped by category.

The following Hardware fields are available:

Hardware - General

The following general device fields are available:

General hardware Available fields
Field	Data type	Description
_id	string	The unique identifier of the document Example: abc1ynoBFvyEXmgZVq23
_index	string	The index that the document belongs to Example: abs_5b9a578b-592c-49de-812e-bac78f1234e
_score	number	The relevance of a document to the Elasticsearch query Not populated at this time
_type	string	The document's mapping type This field is always _doc
accountUid	string	The unique ID associated with this Absolute account Example: be8eb674-xxxx-11d4-8835-00c04f72c2df
agent.agentVersion	string	The version number of the Secure Endpoint Agent installed on the device Example: 8.0.978.0
agent.persistentAgentVersion	string	The version number of the Absolute Persistence software embedded in the firmware of the Windows device Example: 957
agentStatus	string	The operating condition of the Secure Endpoint Agent Possible values: active: the agent has connected to the Monitoring Center. inactive: the agent has started its first connection to the Absolute Monitoring Center and agent activation is in progress and when activation is completed, the status is updated to Active disabled: the agent is either flagged for removal or removed from the device
ctes.active	boolean	Indicates whether the component manager コンポーネントマネージャー (CTES とも呼ばれる) はコアエージェントに加えてインストールされ、デバイスの操作の開始やデバイスデータの収集を行うエージェントコンポーネントを管理します。ほとんどのエージェントコンポーネントは、ハードウェアポリシーやインストール済みアプリケーションポリシーなどのポリシーによって制御されます。コンポーネントマネージャーは通常、Absolute モニタリングセンターに少なくとも 15 分ごとに接続し、デバイスのデータを送信して指示を受け取ります。 is enabled on the device true: the component manager is enabled false: the component manager is disabled
ctes.ctesVersion	string	The version number of the component manager installed on the device Example: 1.0.0.2612
ctes.lastDataReceivedUTC	date	The date and time when data was last received from the component manager Example: Sep 7, 2021 @ 12:35:23.097
ctes.lastUpdatedUTC	date	The date and time when the component manager was last updated on the device Example: Sep 7, 2021 @ 12:35:23.097
ctes.status	string	The status of the component manager installed on the Windows device Example: OK
ctes.statusCode	string	The status code for the status of the component manager installed on the Windows device Example: 0
deviceGroupNames	string	A comma separated list of the device groups assigned to the device Example: Encrypted Devices, Off-Domain
deviceName	string	The name assigned to the device Example: LPTP_TJordan
deviceSn	string	The serial number of the device Example: GHIJSQ2
deviceUid	string	The unique identifier of the device This isn't the same as Identifier in the console Example: 1234a1bc-7654-4734-de7f-d11ce59095b1
docType and docSubType	string	The type of document aur: Application Usage app-instance exe-instance avp: Anti-Malware cdc: Custom Data collection dur: Device Usage edd: Data Discovery edd-file-scan edd-match-summary esp: Full-Disk Encryption evtd: Event Changes hdc: Hardware general rar: Application Resilience sng: Installed Applications app-info app-list wma: Web Usage
eventTimeStampUtc	date	The date and time when the event occurred Example: Sep 8, 2021 @ 08:13:17.724
hardware.esn	string	The unique ESN (Absolute Identifier) assigned to the agent installed on the device Example: 1L0XXXXB2JAA3KSB0006
hardware.lastUpdatedUtc	date	The date and time when the device's Hardware policy was last activated or updated on the device Example: Aug 24, 2021 @ 05:46:46.903
hardware.localIp	ip	Last known local IP address of the device Example: 172.12.23.34
network.domainOrWorkgroup	string	The name of the Windows domain to which the device belongs Example: WORKGROUP
publicIp	IP address field	Last known public IP address of the device Example: 172.45.67.89
serverCreatedUtc	date	The date and time when the document was created Example: Sep 8, 2021 @ 08:08:44.304
startup.firstCallUtc	date	The date and time when the agent initially connected to the Absolute Monitoring Center Example: Jun 23, 2020 @ 13:24:12.137
startup.lastBootUtc	date	The date and time when the operating system was last restarted Example: Aug 25, 2021 @ 12:45:59.500
startup.lastConnectedUtc	date	The date and time when the device last connected to the Absolute Monitoring Center Example: Sep 8, 2021 @ 08:00:02.893
stolen	Boolean	Indicates whether the device was reported as stolen true: the device has been reported stolen false: the device hasn't been reported stolen or has been reported found
timeZone	string	The time zone represented when daylight savings time is in effect Example: Pacific Daylight Time

Hardware - Anti-Malware

Anti-Malware provides up-to-date information about the anti-malware ウィルス、スパイウェア、その他の悪意あるソフトウェアプログラムを含むマルウェアからデバイスを守るソフトウェアプログラム。 applications installed and detected on your Windows and Mac devices.

For more information, see:

Prerequisites

The device is protected by one of the detected anti-malware products

Available fields

The following Anti-Malware fields are available:

Anti-Malware Available fields
Field	Data type	Description
antiVirusProtect.app.categories	string	The category of the detected anti-malware application Example: Security, Endpoint Protection
antiVirusProtect.app.major	number	The major version of the detected anti-malware application Example: 4
antiVirusProtect.app.minor	number	The minor version of the detected anti-malware application Example: 18
antiVirusProtect.app.name	string	The name of the detected anti-malware application Example: Windows Defender
antiVirusProtect.app.version	string	The version number of the detected anti-malware application Example: 4.18.2104.10 WinBuild.160101.0800
antiVirusProtect.definition	string	The version number of the detected anti-malware definition アンチマルウェアベンダーによってリリースされる、新しく特定された脅威からデバイスを保護するためのソフトウェアアップデート。定義は一般的に毎日リリースされます。 Example: 1.349.3310.0
antiVirusProtect.definitionDateUtc	date	The date and time when the anti-malware definition was last updated on the device Example: Sep 8, 2021 @ 01:37:35.000
antiVirusProtect.lastUpdatedUtc	date	The date and time when the anti-malware information was detected on the device Example: Sep 8, 2021 @ 05:59:39.140

Hardware - Batteries

The following battery fields are available:

Battery Available fields
Field	Data type	Description
hardware.batteries.capacity	number	The capacity (in milliwatt-hours) of the battery Example: 1,000
hardware.batteries.estimatedChargeRemaining	number	The estimated percentage of the full charge that remains Example: 99
hardware.batteries.estimatedRunTime	number	The amount of time (in minutes) it will take to deplete the remaining battery using the present load conditions Returns 71,582,788 when the device is hooked to external power and the battery is not being depleted Example: 45
hardware.batteries.expectedLife	number	The total expected life (in minutes) of the fully charged battery Example: 10,000
hardware.batteries.maxRechargeTime	number	The maximum time (in minutes) to fully charge the battery Example: 240
hardware.batteries.name	string	The name of the battery Example: InternalBattery-0

Hardware - BIOS

The following BIOS fields are available:

BIOS Available fields
Field	Data type	Description
hardware.bios.asset	string	The Asset Tag of the device, as reported in the BIOS Example: No Asset Tag
hardware.bios.language	string	The name of the BIOS language Example: enUS
hardware.bios.make	string	The manufacturer of the BIOS Example: Dell Inc.
hardware.bios.releaseDateUtc	date	The date and time when the Windows BIOS was released Example: Oct 20, 2020 @ 17:00:00.000
hardware.bios.serialNumber	string	The serial number assigned to the BIOS Example: 5CG6162G6Z
hardware.bios.swVerMajor	number	The major version number of the BIOS software Example: 3
hardware.bios.swVerMinor	number	The minor version number of the BIOS software Example: 1
hardware.bios.swVersion	string	The version number of the BIOS software, as reported by the System Management BIOS (SMBIOS) Example: 3.1
hardware.bios.version	string	The version of the BIOS, as reported by the SMBIOS Example: DELL - 1072009 1.16.0
hardware.bios.versionDate	string	The manufacturer of the BIOS + The version of the BIOS, as reported by the SMBIOS + The release date of the Windows BIOS, in <`dd/mm/yyyy`> format Example: Dell Inc. 1.16.0, 10/21/2020
scfld_has_more_than_1_hardware_bios	Boolean	Uses a script to indicate whether the device has more than one hardware BIOS true: the device contains more than one hardware BIOS false: the device doesn't contain more than one hardware BIOS
scfld_has_no_hardware_bios	Boolean	Uses a script to indicates whether the device has no hardware BIOS true: the device contains no hardware BIOS false: the device contains a hardware BIOS

Hardware - Chromebook

In addition to the hardware data points collected for Chromebooks, Absolute collects additional Chromebook data points from the Google Admin console.

For more information, see:

Working with Chromebooks

For more information, see Working with Chromebooks in the Secure Endpoint Console Help.

Available fields

The following Chromebook fields are available:

Chromebook Available fields
Field	Data type	Description
chromebook.annotatedAssetId	string	The asset identifier populated by the Google Administrator Maps to the Asset ID field in the Google Admin console Example: CHR_TJordan
chromebook.annotatedLocation	string	The address or location of the device Maps to the Location field in the Google Admin console Example: Vancouver BC
chromebook.annotatedUser	string	Initially populated with the user who first enrolled the device but the Google Administrator can edit this field Maps to the User field in the Google Admin console Example: [email protected]
chromebook.autoUpdateExpiration	date	The date when the Chromebook device will no longer receive the automatic Chromebook updates that enhance both the device and its software Maps to the Auto-update expiration field in the Google Admin console Example: Jun 1, 2026 @ 00:00:00.000
chromebook.bootMode	string	The boot mode of the Chromebook Maps to the Boot mode field in the Google Admin console Possible values are: Verified: the device is running a valid version of the Chrome OS operating system. Dev: the device is running in developer mode, which gives device users access to a "root" shell. Google can't verify the operating system in this mode. For more information, refer to the Chromebook developer documentation
chromebook.deviceId	string	The enterprise device identifier that uniquely identifies the Chromebook Maps to the Device ID field in the Google Admin console Example: 1a23456b-cd94-4ef7-8336-78708104ab89
chromebook.extension	string	Shows the status of the Chromebook extension on the device Possible values are: PENDING: your Google account has been added to the Secure Endpoint Console and the devices organizational unit (OU) has been selected but the extension hasn't deployed to the device yet INSTALLED: your Google account has been added to the Secure Endpoint Console and an authorized user has logged in to the Chromebook INACTIVE: the device has been unenrolled from the Secure Endpoint Console
chromebook.lastDeviceGoogleSync	date	The date and time when the Google account last synced with the Absolute Monitoring Center Example: Sep 6, 2021 @ 22:29:42.580
chromebook.lastGoogleSyncTime	date	The date and time when the device last synced with the Absolute Monitoring Center Example: Sep 7, 2021 @ 04:00:32.815
chromebook.notes	string	Special information about the device Maps to the Notes field in the Google Admin console Example: RM456
chromebook.organizationalUnit	string	The full path of the OU that the Chromebook belongs to Maps to the Organizational unit field in the Google Admin console Example: SD123
chromebook.platformVersion	string	Shows the build number and channel of the device's Chrome OS operating system Maps to the Platform version field in the Google Admin console Example: 13505.73.0 (Official Build) stable-channel octopus
chromebook.provisioningStatus	string	Shows the status of the Chromebook in the Google Admin console Maps to the Status field in the Google Admin console Example: ACTIVE
chromebook.recentUsers	string	A comma separated list of users that have logged into the device, even if the users aren't configured with the Chromebook extension The most recent users are shown first Maps to the Recent users field in the Google Admin console Example: [email protected], [email protected]

Hardware - CPU

The following CPU fields are available:

CPU Available fields
Field	Data type	Description
hardware.cpus.logicalCores	number	The number of logical processors for the current instance of the processor Example: 2
hardware.cpus.make	string	The manufacturer for the current instance of the processor
hardware.cpus.name	string	The name of the CPU Example: Intel(R) Xeon(R) Platinum 8171M CPU @ 2.60GHz
hardware.cpus.physicalCores	number	The number of cores for the current instance of the processor Example: 2
hardware.cpus.processorSpeed	number	The current speed (in megahertz) of the processor Example: 2,095

Hardware - Custom Defined Fields

Custom Defined fields are data fields that you can use to store information about your organization or your devices.

For more information, see:

Prerequisites

Custom Defined Fields are populated for the device

Available fields

The following Custom Defined Field fields are available:

Custom Defined fields Available fields
Field	Data type	Description
customDefinedFields.alias	string	A comma separated list of the field names of the Custom Defined fields Example: Asset#, Department
customDefinedFields.name	string	A comma separated list of the names of the Custom Defined fields Example: Asset Number, Department
customDefinedFields.type	string	A comma separated list of the data types for the Custom Defined fields Example: Text, Dropdown
customDefinedFields.uid	string	A comma separated list of the unique identifiers assigned to the Custom Defined fields Example: IaLDZbcdQyqoPs5N1EFGH, IaLDZbcdQyqoPs5N1ABCD
customDefinedFields.value	string	A comma separated list of the values for the Custom Defined fields Example: AS2021-0001, Accounting

Hardware - Device Freeze

You can freeze devices by showing a full screen message that restricts users from using the device. The device remains frozen until you submit a Remove Freeze request in the Secure Endpoint Console, or the device's unfreeze code is entered on the frozen device.

For more information, see:

Prerequisites

The device has an outstanding Freeze request or the device is frozen

Available fields

The following Freeze fields are available:

Device Freeze Available fields
Field	Data type	Description
deviceFeeze.actionStatus	string	The Device Freeze conditions set for the device Can have multiple values is there are multiple Freeze requests on the device Example: FreezeConditionOfflineSet
deviceFreeze.status	string	The Device Freeze status of the device Example: Frozen

Hardware - Displays

The following Display fields are available:

Display Available fields
Field	Data type	Description
hardware.displays.make	string	A comma separated list of the displays' manufacturers Example: Intel, Apple
hardware.displays.name	string	A comma separated list of the displays' names Example: Intel Iris Graphics 6100, Color LDC
hardware.displays.numColors	number	A comma separated list of the number of colors the displays support in their current resolution Example: 4,294,967,296, 4,294,967,296
hardware.displays.plugnPlayDeviceId	string	A comma separated list of the Windows Plug and Play device identifiers Example: DISPLAY\CMN15C2\4&955A4AC&0&UID256
hardware.displays.refreshRate	number	A comma separated list of the frequency (in hertz) at which the video controllers refresh the image for the displays Example: 0, 60
hardware.displays.resolution	string	A comma separated list of the resolutions of the displays Example: 1600 X 900 X 60, 1600 X 900 X 60

Hardware - Full-Disk Encryption Status

Full-Disk Encryption Status policies control the collection of information about the full-disk encryption (FDE) products installed on your Windows and Mac devices. These policies also collect the encryption status of each device's system drive.

Prerequisites

The Full-Disk Encryption Status policy is activated in at least one policy group

Available fields

The following Full-Disk Encryption Status fields are available:

Full-Disk Encryption Status available fields
Field	Data type	Description
encryption.algorithm	string	The detected algorithm used by the full-disk encryption software, if available Most products use an Advanced Encryption Standard (AES) algorithm. Example: XTS-AES
encryption.allDrivesEncrypted	string	A detailed encryption status of the device's drives Possible value: No Drives Encrypted All Drives Encrypted with No Locked Drives All Drives Encrypted with Locked Drives Some Drives Encrypted Unknown
encryption.app.categories	string	A comma separated list of the detected full-disk encryption application's categories Example: Security, Encryption
encryption.app.major	number	The major version of the detected full-disk encryption application Example: 10
encryption.app.minor	number	The minor version of the detected full-disk encryption application Example: 0
encryption.app.name	string	The name of the detected full-disk encryption application Example: BitLocker Drive Encryption Driver
encryption.app.version	string	The version of the detected full-disk encryption application Example: 10.0.19041.1 (WinBuild.160101.0800)
encryption.description	string	The text string provided by the encryption vendor that provides more information about the encryption status of the device's system drive Example: Protection On - Used Space Only Encrypted
encryption.hwEncryptionEnabled	boolean	Indicates whether the encryption product is hardware- or software-based true: an Opal compliant self encrypting drive (SED) is detected on the device false: the encryption product is software-based
encryption.isEnabled	boolean	Indicates whether the Full Disk Encryption Status policy is enabled on the device true: the Full Disk Encryption Status policy is enabled false: the Full Disk Encryption Status policy is disabled
encryption.keySize	string	The number of bits in a key used by the detected algorithm For products that use an AES algorithm, the key size is typically 128 or 256 bits. Example: 256
encryption.lastUpdatedUtc	date	The date and time when a change in the device's encryption information was last detected Each device's Secure Endpoint Agent performs an hourly FDE scan. If a change is detected, the new information is uploaded on the device's next agent connection, which is typically within the next 15 minutes if the device is online. Example: Sep 7, 2021 @ 15:08:02.754
encryption.status	string	The summarized encryption status of the device Possible values are: ENCR: a full-disk encryption product is installed on the device and the device's system drive is encrypted INST: a full-disk encryption product is installed on the device but the device's system drive is not encrypted, or Microsoft BitLocker is suspended UNKN: a full-disk encryption product is not detected on the device

Hardware - Geolocation

Geolocation Tracking policies control the collection of geolocation information from your devices.

Prerequisites:

The Geolocation Tracking policy is activated on the device

Available fields

The following Geolocation fields are available:

Geolocation Available fields
Field	Data type	Description
geoEnabled	boolean	Indicates whether the Geolocation Tracking policy is enabled true: the Geolocation Tracking policy is enabled false: the Geolocation Tracking policy is disabled
geoip.accuracy	number	The estimated accuracy (in meters) of the technology used to locate the device Example: 23,182
geoip.appVersion	string	The version number of the GEO component デバイスの地理的な位置を検出する Secure Endpoint Agent の軽量ソフトウェアコンポーネントです。GEO コンポーネントは、ジオロケーション追跡ポリシーによって制御されます。 of the Secure Endpoint Agent installed on the device Example: 1.0.0.2612
geoip.cityName	string	The city where the device is located Example: Vancouver
geoip.countryISOCode	string	The ISO code for the country where the device is located Example: CAN
geoip.countryName	string	The name of the country where the device is location Example: Canada
geoip.lastUpdatedUtc	date	The date and time when the device's geolocation information was last updated Example: Sep 8, 2021 @ 09:41:30.429
geoip.locatingTechnology	string	The technology used to get the location Possible values: GPS_TYPE IP_RESOLUTION OS_LOCATION_API_TYPE WIFI_TYPE
geoip.location	geo point field	The estimated latitude and longitude (in degrees) where the device is located Example: { "coordinates": [ -123.14094449999997, 49.257493 ], "type": "Point" }
geoip.stateName	string	The name of the state or province where the device is located Example: British Columbia

Hardware - Hard disks

The following hard disk information is available:

Hard disk Available fields
Field	Data type	Description
localDrives.hardDisks.description	string	The description of the disk drive Example: Disk drive
localDrives.hardDisks.make	string	The name of the manufacturer of the disk drive Example: (Standard disk drives)
localDrives.hardDisks.mediaType	string	The type of media used or accessed by this device Example: Fixed hard disk media
localDrives.hardDisks.name	string	The name of the disk drive Example: \\.\PHYSICALDRIVE0
localDrives.hardDisks.numberOfPartitions	number	The number of partitions on the physical disk drive that are recognized by the operating system Example: 2
localDrives.hardDisks.sizeBytes	number	The size (in bytes) of the physical disk drive Example: 256,052,966,400
localDrives.hardDisks.status	string	The current status of the physical disk drive Example: OK

Hardware - Memories

The following memory fields are available:

Memory Available fields
Field	Data type	Description
hardware.memories.id	string	A comma separated list of the unique identifiers of the physical memory devices Example: Physical Memory 0, Physical Memory 1
hardware.memories.make	string	A comma separated list of the names of the manufacturers of the physical memory devices Example: SK Hynix, SK Hynix
hardware.memories.sizeBytes	number	A comma separated list of the total capacity (in bytes) of the physical memory devices Example: 8,589,934,592, 8,589,934,592
hardware.memories.speed	number	A comma separated list of the speed (in megahertz) of the physical memory devices Example: 2,133, 2,133

Hardware - Network adapters

The following network adapter fields are available:

Network adapter Available fields
Field	Data type	Description
network.adapters.dhcpServer	string	The dynamic host configuration protocol (DHCP) Example: 172.20.8.11
network.adapters.ipv4Address	string	A comma separated list of the network adapters' associated IPv4 addresses Example: 192.168.1.2, 172.20.12.78
network.adapters.ipv6Address	string	A comma separated list of the network adapters' associated IPv6 addresses Example: fe80::3d47:4393:b4f0:9bf5, fe80::d0d2:9f52:ff82:1234
network.adapters.macAddress	string	A comma separated list of the network adapters' media access control (MAC) addresses Example: A0:1D:48:15:23:46, 00:12:3D:45:21:4F
network.adapaters.manufacturer	string	A comma separated list of the network adapters' manufacturers Example: Intel, Cisco Systems
network.adapters.name	string	A comma separated list of the network adapters' names Example: Intel(R) Dual Band Wireless-AC 8265, Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
network.adapters.networkSSID	string	The service set identifier (SSID), usually refers to the Wi-Fi network name Example: ABCCompanyGuest
network.adapters.productType	string	A comma separated list of the network adapters' product type according to the manufacturer Example: Intel(R) Dual Band Wireless-AC 8265, Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
network.adapters.serviceName	string	A comma separated list of the network adapters' service names Example: e1i65x64, VMnetAdapter
network.adapters.speed	number	A comma separated list of the network adapters' estimated current bandwidth (in bits per second) Example: 433,300,000, 1,000,000,000

Hardware - Operating system

The following operating system (OS) fields are available:

OS Available fields
Field	Data type	Description
os.architecture	string	The architecture of the OS Example: 64-bit
os.buildnUbr	string	The build and the Update Build Revision (UBR) of the OS Example: 19043.1202
os.csdVersion	string	The latest service pack installed on the device Example: Service Pack 1
os.editionId	string	The edition of the OS Example: Professional
os.editionOrBuild	string	The build number of the OS Example: 10943
os.installedDateUtc	date	The date and time when the OS was installed Example: Feb 1, 2021 @ 13:41:07.000
os.isEndOfService	boolean	Indicates whether the OS has reached the end of life for support from the manufacturer true: the OS has reached end of life support from the manufacturer false: the OS hasn't reached end of life support from the manufacturer
os.major	number	The major version number of the OS Example: 10
os.manufactuer	string	The name of the manufacturer of the OS Example: Microsoft Corporation
os.minor	number	The minor version number of the OS Example: 0
os.name	string	The name of the OS Example: Microsoft Windows 10 Pro
os.patchAvailabilityDateUtc	date	The date that the OS patch identified in os.buildnUbr became available Example: Jun 7, 2021 @ 17:00:00.000
os.productKey	string	The product key of the OS Example: TY4CG-JDJH7-XX0XX-DY4X9-ABCD1
os.releaseId	string	The release number of the OS on a Windows device Example: 2009
os.updateBuildRevision	string	The Update Build Revision (UBR) of the OS Example: 1202
os.version	string	The version of the OS Example: 10.0.19043
os.windowsDirectory	string	The directory of the OS on a Windows device Example: C:\windows
os.windowServicePack	string	The latest service pack installed on a Windows device Example: Service Pack 1

Hardware - Policy

The following policy fields are available:

Policy Available fields
Field	Data type	Description
policy.policyGroupMovedUtc	date	The date and time the device was moved into the policy group Example: Aug 12, 2021 @ 12:17:54.157
policy.policyName	string	The name of the policy group the device belongs to Example: Global Policy Group

Hardware - Printers

The following printer fields are available:

Printer Available fields
Field	Data type	Description
hardware.printers.driverName	string	A comma separated list of the names of the printer drivers Example: Microsoft XPS Document Writer, EPSON EP-805A Series
hardware.printers.name	string	A comma separated list of the name of the printers Example: Microsoft XPS Document Writer, EPSON EP-805A Series
hardware.printers.port	string	A comma separated list of the ports used to transmit data to the printer Example: XPSPort:, PORTPROMPT:
hardware.printers.serverName	string	A comma separated list of the names of the servers that control the printers Example: PRINTSERVER1
hardware.printers.shareName	string	A comma separated list of the share names of the printers Example: EPSON EP-805A Series

Hardware - Manage Supervisor Password

You can remotely create, change or removed the supervisor password of the firmware of select Windows devices.

For more information, see:

Prerequisites

The device has an active Secure Endpoint Agent that is regularly connecting to the Absolute Monitoring Center
The device has no other pending Absolute requests
The device has not been reported stolen
If automatic agent updates are disabled, the agent version is 7.8.0.1 or higher

Available fields

The following supervisor password fields are available:

Manage Supervisor Password Available fields
Field	Data type	Description
rsvpStatus.isStrongPasswordRequired	boolean	Indicates whether a strong supervisor password is required true: a strong supervisor password is required false: a strong supervisor password isn't required
rsvpStatus.isSupported	boolean	Indicates whether Remote Supervisor Password (RSVP) is supported on the device true: the device supports RSVP false: the device doesn't support RSVP
rsvpStatus.status	string	The status of the Manage Supervisor Password request
rsvpStatus.version	string	The version of RSVP on the device

Hardware - System info

The following system info fields are available:

System info Available fields
Field	Data type	Description
hardware.systemInfo.availablePhysicalRAMBytes	number	The amount (in bytes) of physical memory currently unused and available Example: 4,793,049,088
hardware.systemInfo.availableVirtualRAMBytes	number	The amount (in bytes) of unused virtual memory Example: 981,204,992
hardware.systemInfo.chassisType	number	The chassis type from the System Enclose or Chassis structure in the SMBIOS information Values correspond to ChassisTypes in theWin32_SystemEnclosure WMI class Example: 1
hardware.systemInfo.domain	string	The name of the Windows domain to which this device belongs Example: WORKGROUP
hardware.systemInfo.locale	string	The language identifier used by the operating system Example: English (United States)
hardware.systemInfo.make	string	The manufacturer of the device Example: Dell
hardware.systemInfo.model	string	The product name from the manufacturer Example: OPTIPLEX 9020
hardware.systemInfo.name	string	The name assigned to the device Example: LPTP_TJordan
hardware.systemInfo.systemDirectory	string	The directory of the operating system Example: C:\WINDOWS\system32
hardware.systemInfo.systemIntegrityProtectionStatus	string	The status of the System Integrity Protection on the Mac device Example: enabled
hardware.systemInfo.timeZone	string	The time zone represented when daylight savings time is in effect Example: Pacific Daylight Time
hardware.systemInfo.totalPhysicalRAMBytes	number	The total amount (in bytes) of physical memory Example: 16,776,679,424
hardware.systemInfo.totalVirtualRAMBytes	number	The total amount (in bytes) of virtual memory Example: 14,624,084
hardware.systemInfo.type	string	The operating system of the device Example: Windows

Hardware - USB

The following USB fields are available:

USB Available fields
Field	Data type	Description
hardware.usb.make	string	A comma separated list of the names of the manufacturers of the USB devices Example: Generic USB xHCI Host Controller, Generic USB xHCI Host Controller
hardware.usb.name	string	A comma separated list of the names of the USB controllers Example: Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft), Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft)
hardware.usb.plugnPlayDeviceId	string	A comma separated list of the Windows Plug and Play device identifiers of the USB devices Example: PCI\VEN_8086&DEV_9C31&SUBSYS_22DA103C&REV_04\3&B1BFB68&0&A0, PCI\VEN_8086&DEV_9C26&SUBSYS_22DA103C&REV_04\3&B1BFB68&0&E8

Hardware - User information

The following user information fields are available:

User information Available fields
Field	Data type	Description
hardware.deviceUsers	string	The unique username of the user that was logged in to the device at the time of the most recent Secure Endpoint Agent call If there was no user logged in during the last agent call, the last detected username is used May also include the device name Example: LPTP_TJordan\tjordan
hardware.systemInfo.cuser	string	The unique username of the user that was logged in to the device at the time of the most recent Secure Endpoint Agent call If no user was logged in during the most recent agent call, no data shows May also include the device name Example: tjordan
userName	string	The name of the end user assigned to the device Typically, the authorized owner of the device May also include the device name Example: LPTP_TJordan\tjordan

Hardware - Volumes

The following volume fields are available:

Volume Available fields
Field	Data type	Description
localDrives.volumes.boot	boolean	A comma separated list of Boolean values that indicate whether the volumes contain the currently running OS files true: the volume contains the currently running OS files false: the volume doesn't contain the currently running OS files Example: false, true
localDrives.volumes.compressed	boolean	A comma separated list of Boolean values that indicate whether the volumes are compressed true: the volume exists as one compressed entity, such as a Double Space volume false: file-based compression is supported, such as the NTFS file system Example: false, false
localDrives.volumes.driveLetter	string	A comma separated list of the letters assigned to the volumes Example: C:, D:
localDrives.volumes.fileSystem	string	A comma separated list of the file systems for the volumes Example: NTFS, NTFS
localDrives.volumes.freeSpaceBytes	string	A comma separated list of the space available (in bytes) on the volume Example: 141,651,968, 41,611,640,832
localDrives.volumes.isPhysicalDisk	boolean	Indicates whether the volume is a physical disk true: the volume is a physical disk false: the volume isn't a physical disk
localDrives.volumes.mountPoint	string	The location where the files system is mounted on Mac devices Example: /Volumes/1013
localDrives.volumes.name	string	A comma separated list of the names of the volumes Example: \\?\Volume{5e80324b-0000-0000-0000-100000000000}\, C:\, D:\
localDrives.volumes.serial	string	A comma separated list of the serial numbers of the volumes Example: 48262900, 3001077377
localDrives.volumes.sizeBytes	number	A comma separated list of the size (in bytes) of the volumes Example: 607,121,408, 68,110,249,984

Anti-Malware

For more information, see:

Prerequisites

The device is protected with a detected anti-malware product

Document type

Documents containing Anti-Malware fields have the following document types:

docType: avp
docSubType: -

Available fields

The following Anti-Malware fields are available:

Anti-Malware Available fields
Field	Data type	Description
antiVirusProtect.app.categories app.categories	string	A comma separated list of the detected anti-malware application's categories Example: Security, Endpoint Protection
antiVirusProtect.app.major app.major	number	The major version of the detected anti-malware application Example: 4
antiVirusProtect.app.minor app.minor	number	The minor version of the detected anti-malware application Example: 18
antiVirusProtect.app.name app.name	string	The name of the detected anti-malware application Example: Windows Defender
antiVirusProtect.app.version app.version	string	The version of the detected anti-malware application Example: 4.18.2104.10 WinBuild.160101.0800
antiVirusProtect.definition	string	The version of the detected anti-malware definition Example: 1.343.1266.0
antiVirusProtect.definitionDateUtc	date	The date and time when the detected anti-malware definition was last updated on the device Example: Jul 16, 2021 @ 07:22:39.000
antiVirusProtect.lastUpdatedUtc	date	The date and time when the anti-malware information was detected on the device Example: Jul 19, 2021 @ 06:33:01.897

Application Resilience

Application Resilience policies help validate and maintain the resiliency of critical third party applications. Application Resilience policies apply to devices running a supported version of Windows. Each document contains information about a single supported application. There may be multiple Application Resilience documents with the same date and time for a single device.

Prerequisites

The Application Resilience policy is activated in one or more policy groups
The Report and repair or the Report, repair, and reinstall option is enabled in the Application Resilience policy

Document type

Documents containing Application Resilience fields have the following document types:

docType: rar
docSubType: -

Available fields

Application Resilience documents may contain any of the Hardware available fields, as well as the following Application Resilience fields:

Application Resilience Available fields
Field	Data type	Description
reportnRepair.app.categories app.categories	string	A comma separated list of the application's categories Example: Security, Encryption
reportnRepair.app.major app.major	number	The application's major version Example: 1
reportnRepair.app.minor app.minor	number	The application's minor version Example: 63
reportnRepair.app.name app.name	string	The application's name Example: dellDG
reportnRepair.app.version app.version	string	The application's version Example: 1.63.3
reportnRepair.failedCount	number	The total number of repairs or reinstallations that failed on the device for the application, over the last 30 days Example: 2
reportnRepair.lastKnownCorruptDate	date	The last date and time when the application was detected to be not functioning correctly Example: Jul 27, 2021 @ 04:08:42.000
reportnRepair.lastKnownHealthyDate	date	The last date and time when the application was detected to be functioning correctly Example: May 19, 2021 @ 05:49:06.000
reportnRepair.lastUpdatedUtc	date	The date and time when the Application Resilience policy was last activated or updated on the device Example: Jul 27, 2021 @ 04:15:07.877
reportnRepair.persistenceEventCount	number	The total number of repairs and reinstallations attempted on the device for the application, over the last 30 days Example: 2
reportnRepair.reinstallCount	number	The total number of reinstallations that succeeded on the device for the application, over the last 30 days Example: 0
reportnRepair.repairCount	number	The total number of repairs that succeeded on the device for the application, over the last 30 days Example: 1
reportnRepair.repairStatus	string	The status of any attempted repairs Possible value: Failure None RepairDisabled Success
reportnRepair.status	string	The status of the Application Resilience Policy for the application Possible value: Compliant Disabled NoCurrentData NotCompliant
reportnRepair.statusDescription	string	If the application is non-compliant, shows the application components that were checked during the status check Example: [BitLocker:Drive][volume: C], status: Non-compliant, reason: encryptionMethod(expected/actual):ANY/NONE, protectionStatus(expected/actual):protectionOn/protectionOff, conversionStatus(expected/actual):fullyEncrypted/fullyDecrypted
reportnRepair.trigger	string	The reason the Application Resilience policy ran Example: Scheduled

Application Usage

Application Usage policies allows you to identify how often applications are being used on your Windows and Mac devices.

Each document includes usage data for a single application during each 24-hour interval. Currently, the interval starts at 7:00 PM in the local time of the device. If an application wasn't used during the interval, there is no document for that application for the 24-hour interval.

A single Application Usage document contains either the Application Instance fields (app-instance), or Executable Instance fields (exe-instance).

Each Application Usage - Application Instance document contains information about a single application detected on the device. There may be more than one document with the same time and date stamp for a single device.

If the application in the Application Usage - Application Instance document appears in the list of applications with executables of interest, there is also an associated Application Usage - Executable Instance document. If the application has more than one associated executable, there is an Application Usage - Executable Instance document for each executable.

Prerequisites

The Application Usage dashboard contains data when the following prerequisites are met:

Devices are actively calling in to the Absolute Monitoring Center
The Installed Applications policy is activated in at least one policy group
The Include Application Usage data option is activated in the Installed Applications policy

Document type

Application Usage documents containing Application Instance fields have the following document types:

docType: aur
docSubType: app-instance

Application Usage documents containing Executable Instance fields have the following document types:

docType: aur
docSubType: exe-instance

Available fields

Note that the following terms are used to describe the Application Usage Available fields:

Application executable of interest: an executable that is included in either Microsoft (Office) 365 ( e.g. outlook.exe, excel.exe) or Adobe Creative Cloud 2015 (e.g. photoshop.exe, AcroRd32.exe)
In use: the application is running on the device. The user may or may not be interacting with the application.
In focus: the application is running on the device and it has user focus (can accept user input). Note that the user may or may not be actively interacting with an application when it is in focus.
Office hours: usage that occurs between 8 a.m. and 5 p.m., Monday to Friday
After office hours: usage that occurs between 5 p.m. and 8 a.m., Monday to Friday, or on a weekend

Application Usage - Application Instance

The following Application Usage - Application Instance fields are available:

Applications Usage - Application Instance Available fields
Field	Data type	Description
applicationInstanceUsage.app.averageMemoryBytesInUse	number	The average amount of memory (in bytes) dedicated to the application during the 24-hour interval Example: 1,108,314,794
applicationInstanceUsage.app.categories	number	A comma separated list of the application's categories Not all applications have data in this field Example: Productivity
applicationInstanceUsage.app.cpuSecondsInUse	number	The number of seconds that the CPU dedicated to the application in the 24-hour interval Example: 180
applicationInstanceUsage.app.executablesInApplication	string	A comma separated list of the executables in the application Example: outlook.exe, onenotem.exe, excel.exe, winword.exe
applicationInstanceUsage.app.hash	string	The hash of the application Example: BED49E6E49BF27D0F70E706A31309319
applicationInstanceUsage.app.inFocusMinutesInUse	number	The number of minutes that the application was in focus in the 24-hour interval Example: 56
applicationInstanceUsage.app.lastInstalledDateUtc	date	The date and time the application was last installed Example: Apr 22, 2021 @ 08:22:49.727
applicationInstanceUsage.app.lastInstallLocation	string	The location the application was last installed in Example: C:\Program Files\Microsoft Office
applicationInstanceUsage.app.major app.major	number	The major version of the application Example: 16
applicationInstanceUsage.app.minor app.minor	number	The minor version of the application Example: 0
applicationInstanceUsage.app.minutesInUse	number	The number of minutes that the application was in use in the 24-hour interval Example: 60
applicationInstanceUsage.app.name app.name	string	The name of the application Example: Microsoft 365 Apps for enterprise
applicationInstanceUsage.app.osDefault app.osDefault	boolean	Indicates whether the application comes installed on the OS true: the application comes installed on the OS false: the application doesn't come installed on the OS
applicationInstanceUsage.app.publisher app.publisher	string	The publisher of the application Example: Microsoft
applicationInstanceUsage.app.version app.version	string	The application's version Example: 16.0.13901.20400
inWorkHours	number	A numeric flag to indicate whether the application was used inside of office hours 0: The application wasn't used inside of office hours 1: The application was used inside of office hours
minutesInUseInWorkHours	number	The number of minutes the device was used inside of office hours in the 24-hour interval Example: 96
minutesInUseOutWorkHours	number	The number of minutes the device was used after office hours in the 24-hour interval Example: 96
outWorkHours	number	A numeric flag to indicate whether application was used after office hours 0: the application wasn't used outside of office hours 1: the application was used outside of office hours

Application Usage- Executable Instance

The following Application Usage - Executable Instance fields are available:

Application Usage - Executable Instance Available fields
Field	Data type	Description
applicationExecutableInstanceUsage.app.categories app.categories	string	A comma separated list of the application's categories Not all applications have data in this field Example: Productivity
applicationExecutableInstanceUsage.app.hash	string	The hashed value of the application Example: BED49E6E49BF27D0F70E706A31309319
applicationExecutableInstanceUsage.app.lastInstalledDateUtc	Date	The date and time the application was last installed Example: Oct 3, 2019 @ 17:00:00.000
applicationExecutableInstanceUsage.app.lastInstallLocation	string	The location the application was last installed in Example: C:\Program Files\Microsoft Office
applicationExecutableInstanceUsage.app.major app.major	number	The major version of the application Example: 16
applicationExecutableInstanceUsage.app.minor app.minor	number	The minor version of the application Example: 0
applicationExecutableInstanceUsage.app.name app.name	string	The name of the application Example: Microsoft 365 Apps for enterprise
applicationExecutableInstanceUsage.app.osDefault app.osDefault	boolean	Indicates whether the application comes installed on the OS true: the application comes installed on the OS false: the application doesn't come installed on the OS
applicationExecutableInstanceUsage.app.publisher app.publisher	string	The publisher of the application Example: Microsoft
applicationExecutableInstanceUsage.app.version app.version	string	The application's version Example: 16.0.13901.20400
applicationExecutableInstanceUsage.executable.averageMemoryBytesInUse	number	The average amount of memory (in bytes) dedicated to the executable during the 24-hour interval Example: 308,771,566
applicationExecutableInstanceUsage.executable.cpuSecondsInUse	number	The number of seconds the executable was in use in the 24-hour interval Example: 16
applicationExecutableInstanceUsage.executable.inFocusMinutesInUse	number	The number of minutes that the executable was in focus in the 24-hour interval Example: 0
applicationExecutableInstanceUsage.executable.minutesInUse	number	The number of minutes the executable was in use in the 24-hour interval Example: 60
applicationExecutableInstanceUsage.executable.name	string	The name of the executable Example: excel.exe
applicationExecutableInstanceUsage.executable.osDefault	boolean	Indicates whether the executable comes installed on the OS true: the executable comes installed on the OS false: the executable doesn't come installed on the OS
inWorkHours	number	A numeric flag to indicate whether the application was used inside of office hours 0: the application wasn't used inside of office hours 1: the application was used inside of office hours
minutesInUseInWorkHours	number	The number of minutes the device was used inside of office hours in the 24-hour interval Example: 96
minutesInUseOutWorkHours	number	The number of minutes the device was used after office hours in the 24-hour interval Example: 96
outWorkHours	number	A numeric flag to indicate whether application was used after office hours 0: the application wasn't used outside of office hours 1: the application was used outside of office hours

Custom Data Collection

You can use Custom Data to collect data points that are configured specifically for your account. Custom Data applies to devices running a supported version of the Windows operating system. Each document contains information about a single data point. There may be multiple Custom Data documents with the same date and time for a single device.

Data points can have one of the following data types:

Boolean
date
double
long
string

String can either be simple or complex. For more information, see Strings.

Prerequisites

Custom Data collection is activated in at least one policy group

Document type

Documents containing Custom Data fields have the following document types:

docType: cdc
docSubType: -

Available fields

The following Custom Data fields are available:

Available Custom Data fields
Field	Data type	Description
boolCustomDataCollection.alias	string	The display name for custom data points that have a data type of Boolean
boolCustomDataCollection.name	string	The field name for custom data points that have a data type of Boolean
boolCustomDataCollection.uid	string	The unique identifier of the custom data point definition in the database Each custom data point can only have one uid Example: 058ab37c-5d38-4e45-af69-219edaaeb123
boolCustomDataCollection.value	date	The value assigned to custom data points that have a data type of Boolean Example: true
dateCustomDataCollection.alias	string	The display name for custom data points that have a data type of date
dateCustomDataCollection.name	string	The field name for custom data points that have a data type of date
dateCustomDataCollection.uid	string	The unique identifier of the custom data point definition in the database Each custom data point can only have one uid Example: 058ab37c-5d38-4e45-af69-219edaaeb123
dateCustomDataCollection.value	date	The value for custom data points that have a data type of date Example: Aug 26, 2021 @ 09:34:52.411
doubleCustomDataCollection.alias	string	The display name for custom data points that have a data type of double
doubleCustomDataCollection.name	string	The field name for custom data points that have a data type of double
doubleCustomDataCollection.uid	string	The unique identifier of the custom data point definition in the database Each custom data point can only have one uid Example: 058ab37c-5d38-4e45-af69-219edaaeb123
doubleCustomDataCollection.value	date	The value assigned to custom data points that have a data type of double
longCustomDataCollection.alias	string	The display name for custom data points that have a data type of long
longCustomDataCollection.name	string	The field name for custom data points that have a data type of long
longCustomDataCollection.uid	string	The unique identifier of the custom data point definition in the database Each custom data point can only have one uid Example: 058ab37c-5d38-4e45-af69-219edaaeb123
longCustomDataCollection.value	date	The value assigned to custom data points that have a data type of long
strCustomDataCollection.alias	string	The display name for custom data points that have a data type of string Simple example: LocalAdministrators
strCustomDataCollection.extraContent.value	string	For complex strings, the original output of the string for one top level section Example: User=localadmin; Enabled=True;
strCustomDataCollection.name	string	The field name for custom data points that have a data type of string Example: LocalAdministrators
strCustomDataCollection.name_`n` where `n` is a number between 00 and 09 such as str.CustomDataCollection.name_07	string	For complex strings, the key names for the key/value pairs A complex string can have up to 10 key/value pairs, each of the 10 keys are assigned a number between 00 and 09 The key includes the display name followed by the key Example field name: strCustomDataCollection.name_00 Example value: LocalAdministrators.User
strCustomDataCollection.uid	string	The unique identifier of the custom data point definition in the database for data points that have a data type of string Each custom data point can only have one uid Example: 058ab37c-5d38-4e45-af69-219edaaeb123
strCustomDataCollection.value	string	For simple strings, the value assigned to custom data points that have a data type of string Example: localadmin
strCustomDataCollection.value_`n` where n is a number between 00 and 09 such as str.CustomDataCollection.value_07	string	For complex strings, the value names for the key/value pairs A complex string can have up to 10 key/value pairs, each of the 10 values are assigned a number between 00 and 09 Example field name: strCustomDataCollection.value_00 Example value: localadmin

Strings

Custom Data can collect both simple and complex strings.

A simple string is a single key/value pair that uses a equals sign (=) to delimit the key and value.

A complex string contains multiple key/value pairs and uses delimiters. A complex string can use 3-level delimiting. For example, the following is a complex string using the three levels of delimiters:

コピーする

User=localadmin; Enabled=True; | User=localpoweradmin; Enabled=False;

The string uses the following delimiters:

The equals sign (=) breaks up the key/value pairs within the string. For User=localadmin, User is the key and localadmin is the value.
The semicolon (;) breaks apart the set of key value pairs. A complex string can have up to ten key/value pairs. For User=localadmin; Enabled=True, User=localadmin and Enabled=True are both key/value pairs.
The pipe delimiter (|) breaks the string in to top level sections. For User=localadmin; Enabled=True; PasswordRequired=True; | User=localpoweradmin; Enabled=False;, there are two top level sections. One includes the User=localadmin and Enabled=True key/value pairs, and the other includes the User=localpoweradmin and Enabled=False key/value pairs. Each top level section becomes a separate document.

The following table shows the field names and the values for the above complex string:

Complex string fields
Field	Value
Top level section 1 - Document 1
strCustomDataCollection.alias	LocalAdministrators
strCustomDataCollection.extraContent.value	User=localadmin; Enabled=True;
strCustomDataCollection.name	LocalAdministrators
strCustomDataCollection.name_00	LocalAdministrators.User
strCustomDataCollection.name_01	LocalAdministrators.Enabled
strCustomDataCollection.uid	058ab37c-5d38-4e45-af69-219edaaeb123
strCustomDataCollection.value_00	localadmin
strCustomDataCollection.value_01	True
Top level section 2 - Document 2
strCustomDataCollection.alias	LocalAdministrators
strCustomDataCollection.extraContent.value	User=localpoweradmin; Enabled=False;
strCustomDataCollection.name	LocalAdministrators
strCustomDataCollection.name_00	LocalAdministrators.User
strCustomDataCollection.name_01	LocalAdministrators.Enabled
strCustomDataCollection.uid	058ab37c-5d38-4e45-af69-219edaaeb123
strCustomDataCollection.value_00	localpoweradmin
strCustomDataCollection.value_01	False

Device Usage

Device Usage policies control the collection of device usage information from your Windows, Mac and Chromebook devices.

A single Device Usage document contains either Event fields or Device Usage fields.

Each Device Usage - Event document contains information about a single event.

Prerequisite

The Device Usage policy is activated in at least one policy group

Document type

Device Usage documents containing usage event fields have the following document type:

docType: dur
docSubType: event

Device Usage documents containing device usage fields have the following document type:

docType: dur
docSubType: usage

Available fields

Device Usage - Event

The following device usage event fields are available:

Device usage event Available fields
Field	Data type	Description
deviceUsage.eventType	string	The event associated with the device usage Possible values: Logon Unlock
deviceUsage.hour	number	The hour of the day during which the event occurred. Possible values are between 0 and 23.
eventTimeStampUtc	date	The date and time when the event occurred Example: Sep 8, 2021 @ 08:13:17.724
inWorkHours	number	A numeric flag to indicate whether the event occurred inside of office hours 0: the event occurred outside of work hours 1: the event occurred inside work hour
outWorkHours	number	A numeric flag to indicate whether the event occurred outside of office hours 0: the event occurred inside work hours 1: the event occurred outside work hours

Device Usage - Usage

The following device usage fields are available:

Device usage Available fields
Field	Data type	Description
deviceUsage.hour	number	The hour of the day during which the usage occurred. Possible values are between 0 and 23.
deviceUsage.lastUpdatedUtc	date	The date and time when a device's Secure Endpoint Agent last checked in successfully to the Absolute Monitoring Center. Example: Jul 19, 2021 @ 04:22:06.275
deviceUsage.minutesInUse	number	The daily usage of a device, averaged over the 30 days prior to the most recent agent check-in and expressed in minutes Example: 96
inWorkHours	number	A numeric flag to indicate whether the event occurred inside of office hours 0: the event occurred outside of work hours 1: the event occurred inside work hour
minutesInUseInWorkHours	number	The number of minutes the device was used inside of work hours Example: 96
minutesInUseOutWorkHours	number	The number of minutes the device was used outside of work hours Example: 96
outWorkHours	number	A numeric flag to indicate whether the event occurred outside of office hours 0: the event occurred inside work hours 1: the event occurred outside work hours

Endpoint Data Discovery

Endpoint Data Discovery policies control the collection of information about the file content stored on your Windows and Mac devices. You can set an EDD policy to scan the files on a device's hard drive for confidential or at-risk content.

A single EDD document contains either the Match Score fields (edd-match-summary), or File scan fields (edd-file-scan).

A Match Score is a computed value indicating the number of content matches detected on a device during and EDD scan.

Each file scan document contains information about a single file. There may be more than one document with the same time and date stamp for a single device.

For more information see:

Prerequisites

The Endpoint Data Discovery policy is activated in at least one policy group

Document type

EDD documents containing Match Score fields have the following document types:

docType: edd
docSubType: edd-match-summary

EDD documents containing File scan fields have the following document types:

docType: edd
docSubType: edd-file-scan

Available fields

Endpoint Data Discovery - Match Scores

The following EDD - Match Score fields are available:

EDD - Match Score Available fields
Field	Data type	Description
endpointDataDiscovery.creditCardMatchScore	number	The Credit Card Numbers Match Score calculated for the device Example: 3
endpointDataDiscovery.customLex.matchScore	number	The Match Score for custom EDD rules Example: 5
endpointDataDiscovery.customLex.name	string	The names of the custom EDD rules
endpointDataDiscovery.encryptedMatchScore	number	The Encrypted or Password Protected Match Score calculated for the device Example: 0
endpointDataDiscovery.gdprMatchScore	number	The GDPR Personal Data Match Score calculated for the device Example: 0
endpointDataDiscovery.lastScanDataUtc	date	The date and time when the device was scanned using the scan configurations set in the Endpoint Data Discovery policy Example: Jul 19, 2021 @ 09:31:04.000
endpointDataDiscovery.personalFinancialInformationMatchScore	number	The Personal Financial Information Match Score calculated for the device Example: 21
endpointDataDiscovery.personalHealthInformationMatchScore	number	The Personal Health Information Match Score calculation for the device Example: 46
endpointDataDiscovery.policyGroupName	string	The policy group name for the EDD policy Example: Global Policy Group
endpointDataDiscovery.riskCost	number	The potential estimated cost to your organization, in US dollars, of a data breach of the at-risk files detected on the device Estimated Cost Exposure (USD) is based on a methodology presented in the Verizon 2015 Data Breach Investigations Report and is intended to serve as a guideline only. The actual cost of a data breach within your organization will vary. For more information about the methodology, go to the Verizon website and see the section, "Impact: 'In the Beginning, There Was Record Count'” (pages 27 to 30) of the 2015 Data Breach Investigations Report. Example: 24,103.5
endpointDataDiscovery.riskScore	number	The total of all individual EDD rule Risk Score 機密ファイルまたはリスクファイルのコンテンツがデバイス上に存在する場所に応じて、マッチスコアに重み付けが加えられる可能性のある計算された値です。ファイルがクラウドソフトウェアストレージフォルダーに存在し、そのためにクラウドで共有されるリスクがある場合、そのマッチスコアに 2 を乗算することでリスクスコアが導き出されます。ファイルがその他の場所にある場合、そのファイルのリスクスコアはマッチスコアと同じです。s for the device. Example: 88
endpointDataDiscovery.scanGuid	string	Example: 00f4635a-7b99-4361-8c8d-ea7a840e3a73
endpointDataDiscovery.socialSecurityNumberMatchScore	number	The US Social Security Numbers Match Score calculated for the device Example: 18
endpointDataDiscovery.totalMatchScore	number	The total number of content matches detected on a device for all applicable EDD rules Example: 88

Endpoint Data Discovery - File scan

The following EDD - file scan fields are available:

EDD - file scan Available fields
Field	Data type	Description
scanInfo.contentType	string	The type of content Example: application/msword
scanInfo.fileExt	string	The file's file extension See File types scanned by the DAR component for specific file types the component can detect and analyze Example: doc
scanInfo.fileHash	string	The hash of the file Example: 92996251CB2CEAFE2ABD9805663EFF3B
scanInfo.fileMatchStatus	string	The status of the file's EDD scan results Possible values: Historical Matched Incoming Deleted
scanInfo.fileName	string	The scanned file's name Example: Credit Score Report.doc
scanInfo.fileOwner	string	The scanned file's owner Example: TJordan
scanInfo.filePath	string	The scanned file's path Example: C:\Users\bsmith\Documents\Local\Credit Score Report.doc
scanInfo.lastScanDateUtc	date	The date and time the file was scanned Example: Jul 26, 2021 @ 17:00:00.000
scanInfo.matchAlgorithm	string	The EDD rule for which a match was detected Example: lexicon_Finance
scanInfo.matchScore	number	The resulting match score for the file Example: 1
scanInfo.policyGroupName	string	The policy group name for the EDD policy Example: Global Policy Group
scanInfo.scanGuid	string	The identifier of a batch of scanned files Example: 6d23fba3-41e4-46ce-8a18-ce78f3876033

Events Changes

Events Changes shows a document for each event triggered by a user, a device, or a system. The event document includes information about the event, the actors, and the old and new values.

For more information, see:

Document type

Event change documents containing event change fields have the following document types:

docType: evtd
docSubType: -

Available fields

The following event data fields are available:

Event data available fields
Field	Data type	Description
eventChanges.eventType	string	The type of event that occurred on the device Example: APActivated
eventChanges.initiator.id	string	The unique identifier of the entity that initiated the event Example: 6ff14dc8-d79e-42ae-abfc-35de989683ff
eventChanges.initiator.name	string	The name of the entity that initiated the event Example: [email protected]
eventChanges.initiator.type	string	The type of entity that initiated the event Example: User
eventChanges.primaryActedUpon.id	string	The unique identifier of the effected device or object Example: 1234a1bc-7654-4734-de7f-d11ce59095b1
eventChanges.primaryActedUpon.name	string	The name or identifier of the effected device or object Example: Dell Data Guardian
eventChanges.primaryActedUpon.type	string	The type of entity of the effected device or object Example: PersistentApplication
eventChanges.secondaryActedUpon.id	string	The unique identifier of the object that was also affected by the event, such as the request ID of a Freeze request Example: 2cc943d9-f412-4b72-b60b-c00411e41e
eventChanges.secondaryActedUpon.name	string	The name or identifier of the object that was also affected by the event, such as the request ID of a Freeze request Example: Global Policy Group
eventChanges.secondaryActedUpon.type	string	The type of object that was also affected by the event Example: PolicyGroup
eventChanges.snapshots.newValue	string	The new value associated with the property Example: Canceled
eventChanges.snapshots.oldValue	string	The previous value associated with the property Example: Pending
eventChanges.snapshots.propName	string	For "updated" events, the field or property that was updated For some other events, this column contains additional information that is not shown on the Events page. For example, IP address and Browser agent show in this column for User login events. Example: ScriptName, DeviceStatus
eventChanges.verb	string	The type of action that occurred Example: Activated

Full-Disk Encryption Status

Prerequisites

Devices are actively calling in to the Absolute Monitoring Center
The Full-Disk Encryption Status policy is activated in at least one policy group

Document type

Full-Disk Encryption Status documents have the following document types:

docType: esp
docSubType: -

Available fields

The following Full-Disk Encryption Status fields are available:

Full-Disk Encryption Status available fields
Field	Data type	Description
encryption.algorithm	string	The detected algorithm used by the full-disk encryption software, if available Most products use an Advanced Encryption Standard (AES) algorithm. Example: XTS-AES
encryption.allDrivesEncrypted	string	A detailed encryption status of the device's drives Possible value: No Drives Encrypted All Drives Encrypted with No Locked Drives All Drives Encrypted with Locked Drives Some Drives Encrypted Unknown
encryption.app.categories app.categories	string	A comma separated list of the full-disk encryption application's categories Example: Security, Encryption
encryption.app.major app.major	number	The major version of the full-disk encryption application Example: 10
encryption.app.minor app.minor	number	The minor version of the full-disk encryption application Example: 0
encryption.app.name app.name	string	The name of the full-disk encryption application Example: BitLocker Drive Encryption Driver
encryption.app.version app.version	string	The version of the full-disk encryption application Example: 10.0.19041.1 (WinBuild.160101.0800)
encryption.description	string	The text string provided by the encryption vendor that provides more information about the encryption status of the device's system drive Example: Protection On - Used Space Only Encrypted
encryption.hwEncryptionEnabled	boolean	Indicates whether the encryption product is hardware- or software-based true: an Opal compliant self encrypting drive (SED) is detected on the device false: the encryption product is software-based
encryption.isEnabled	boolean	Indicates whether the Full Disk Encryption Status policy is enabled on the device true: the Full Disk Encryption Status policy is enabled false: the Full Disk Encryption Status policy is disabled
encryption.keySize	string	The number of bits in a key used by the detected algorithm For products that use an AES algorithm, the key size is typically 128 or 256 bits. Example: 256
encryption.lastUpdatedUtc	date	The date and time when a change in the device's encryption information was last detected Each device's Secure Endpoint Agent performs an hourly FDE scan. If a change is detected, the new information is uploaded on the device's next agent connection, which is typically within the next 15 minutes if the device is online. Example: Jul 18, 2021 @ 17:51:23.198
encryption.status	string	The summarized encryption status of the device Possible values are: ENCR: a full-disk encryption product is installed on the device and the device's system drive is encrypted INST: a full-disk encryption product is installed on the device but the device's system drive is not encrypted UNKN: a full-disk encryption product is not detected on the device Windows specific statuses: SUSP: BitLocker Drive Encryption is suspended INPR: the system drive is in the process of being encrypted by BitLocker Drive Encryption DECRINPR: the system drive is in the process of being decrypted by BitLocker Drive Encryption

Installed Applications

Installed Applications policies control the collection of information about the software applications installed on your active Windows and Mac devices.

A single installed software document contains either the application list fields (app-list), or application information fields (app-info).

The application list documents contain an overview of the software installed on a device. Each field contains a comma separated list containing consolidated information about the software on the device.

The application info documents contain information about a single application. Documents with the same date and time for the same device occur because the information from a single scan is broken into documents for each application discovered on the device.

For more information see:

Prerequisites

The Installed Applications policy is activated in at least one policy group

Document type

Installed software documents containing application list fields have the following document types:

docType: sng
docSubType: app-list

Installed software documents containing application information fields have the following document types:

docType: sng
docSubType: app-info

Available fields

Installed software - Application list

The following installed software - application list fields are available:

Installed software - application list available fields
Field	Data type	Description
swAppList.categories	string	A comma separated list of the categories to which the applications belongs Example: Software Development, Development, Security
swAppList.major	number	A comma separated list of the major versions of the applications Example: 7, 1, 21
swAppList.minor	number	A comma separated list of the minor versions of the applications Example: 2,105, 0
swAppList.name	string	A comma separated list of the names of the applications Example: 3D Viewer, Adobe Acrobat Reader DC, Alarms & Clock
swAppList.version	string	A comma separated list of the version of the applications Example: 7.2105.4012.0, 1.0.4.73, 21.005.20058

Installed software - application information

The following installed software - application information fields are available:

Available fields
Field	Data type	Description
swApplication.app.categories	string	The category that an application belongs to Example: Productivity
swApplication.app.major	number	The major version of an application Example: 1
swApplication.app.minor	number	The minor version of an application Example: 0
swApplication.app.name	string	The name of an application Example: Word
swApplication.app.version	string	The version of an application Example: 1.0
swApplication.firstFoundDateUtc	date	The date and time when the indicated version of the application was first detected on the device Example: Mar 31, 2021 @ 06:52:28.735
swApplication.lastInstalledDateUtc	date	The date that the application was installed Example: Nov 11, 2020 @ 16:00:00.000
swApplication.lastInstallLocation	string	The location where the application is installed Example: C:\Users\bobsmith\AppData\Local\Microsoft\Edge\User Data\Default\Web Applications\_crx__hijklmnobiflkdfdgdajcfklmcibbopi
swApplication.lastScanDateUtc	date	The date and time of the most recent application scan Example: Jul 27, 2021 @ 10:53:53.391
swApplication.originalPublisher	string	The original name of the software publisher of the application Example: Word
swApplication.publisher	string	The name of the software publisher of the application Example: Word

Web Usage

Web Usage policies control the collection of web usage data from the Chrome browser on your Chromebook and Windows devices. There is a document for each website.

Document type

Documents containing application info fields have the following document types:

docType: wma
docSubType: -

Prerequisites

The Web Usage policy is activated in at least one policy group

Available fields

The following web usage fields are available:

Available Web Usage fields
Field	Data type	Description
webMonitoring.browserType	string	The web browser being monitored Example: Google Chrome
webMonitoring.categories	string	The web category that the website belongs to List of web categories Example: Corporate marketing
webMonitoring.dayLocal	string	The local date when the website was in focus Example: 2021-07-20
webMonitoring.dayOfWeekLocal	string	The local day of the week when the website was in focus Example: TUESDAY
webMonitoring.minutesInUse	number	The number of minutes the website was in focus Example: 24
webMonitoring.pageLoadUtc	date	The date and time when the website was loaded Example: Jul 20, 2021 @ 06:56:38.000
webMonitoring.pageLostFocusUtc	date	The date and time when the website lost focus Example: Jul 20, 2021 @ 11:56:37.000
webMonitoring.pageTitle	string	The title of the website Example: Resilient cybersecurity for your devices, data, and security controls. \| Absolute
webMonitoring.status	string	The status of the website Possible values: CONTINUED LOSTFOCUS URLCHANGED
webMonitoring.timeZoneOffset	number	The number of seconds added to or subtracted from Coordinated Universal Time (UTC) to calculate the local time Example: -28,800
webMonitoring.url	string	The URL for the website Example: https://www.absolute.com/
webMonitoring.urlHash	string	The hash of the URL of the website Example: ExbkJZnF9OvCGnsLe8MSJ8oKrDe4AlKtDTIrjUROxfc=
webMonitoring.website	string	The domain name of the website Example: absolute.com