AWS S3 Output File Format
Overview
This document describes the JSON data contained within the AWS S3 output files for the AWS S3 Inventory Sync Source.
Core Attributes
id
id- Type: String
- Description: Unique identifier for the device asset
- Example:
"00182068b08af7a464c31a4642084713"
asset_type
asset_type- Type: String
- Description: Type of asset (always "device" for device assets)
- Value:
"device"
org_id
org_id- Type: String (UUID)
- Description: Organization identifier that owns this device
- Example:
"22222222-2222-2222-2222-222222222222"
config_ids
config_ids- Type: Array of Strings (UUIDs)
- Description: List of configuration identifiers associated with this device
- Example:
["22222222-2222-2222-2222-222222222222", "22222222-2222-2222-2222-222222222223"]
source_ids
source_ids- Type: Array of Strings
- Description: List of data source identifiers that have reported this device
- Example:
["automox", "azure-ad", "crowdstrike", "illumio-core", "lansweeper", "malwarebytes-nebula", "microsoft-ad"]
first_observed_timestamp
first_observed_timestamp- Type: String (ISO 8601 timestamp)
- Description: Timestamp when the device was first observed in the system
- Example:
"2022-08-19T21:25:34.183832208Z"
last_observed_timestamp
last_observed_timestamp- Type: String (ISO 8601 timestamp)
- Description: Timestamp when the device was last observed
- Example:
"2025-05-13T13:50:26.815242232Z"
last_activity_timestamp
last_activity_timestamp- Type: String (ISO 8601 timestamp) or null
- Description: Timestamp of the last activity recorded for this device
- Example:
"2025-05-13T13:46:29.639623654Z"
version
version- Type: String (ISO 8601 timestamp)
- Description: Version timestamp of the asset record
- Example:
"2025-05-13T13:51:27.865431317Z"
Device Attributes
All device-specific attributes are contained within the attributes object.
Network Attributes
hostname
hostname- Type: String
- Description: Primary hostname of the device
- Example:
"atdixfsuabn"
hostnames
hostnames- Type: Array of Strings
- Description: All known hostnames for the device
- Example:
["atdixfsuabn"]
fqdn
fqdn- Type: String
- Description: Fully Qualified Domain Name
- Example:
"atdixfsuabn.bluth.co"
internal_ips
internal_ips- Type: Array of Strings
- Description: Internal/private IP addresses (supports both IPv4 and IPv6)
- Example:
["10.10.23.65", "10.42.21.105", "192.168.16.54"]
external_ips
external_ips- Type: Array of Strings
- Description: External/public IP addresses (supports both IPv4 and IPv6)
- Example:
["1.1.1.1", "2601:246:cc02:6672:202:202:202:c58"]
ips
ips- Type: Array of Strings
- Description: All IP addresses (both internal and external, IPv4 and IPv6)
- Example:
["10.10.23.65", "1.1.1.1", "2601:246:cc02:6672:202:202:202:c58"]
mac_addresses
mac_addresses- Type: Array of Strings
- Description: MAC addresses of network interfaces
- Example:
["01:FF:00:FE:32:00", "70:6D:97:27:EB:00", "E4:26:79:B7:D1:00"]
mac_manufacturers
mac_manufacturers- Type: Array of Strings
- Description: Manufacturers of network interface cards based on MAC addresses
- Example:
["Intel Corporate", "Dell Inc.", "VMware, Inc.", "LCFC(Hefei) Electronics Technology co., ltd"]
network_location
network_location- Type: String
- Description: Network location of the device
- Values:
"OnPrem", others may exist - Example:
"OnPrem"
Operating System Attributes
os
os- Type: String
- Description: Operating system name and version
- Example:
"Windows 10 Enterprise 10.0.19042","Printer","unknown"
os_platform
os_platform- Type: String
- Description: Operating system platform
- Example:
"Windows","Windows Server"
os_release
os_release- Type: String
- Description: Operating system release name
- Example:
"Windows 10 Enterprise"
os_version
os_version- Type: String
- Description: Operating system version number
- Example:
"10.0.19042"
os_end_of_life_timestamp
os_end_of_life_timestamp- Type: String (ISO 8601 timestamp)
- Description: End of life date for the operating system
- Example:
"2022-05-10T00:00:00Z"
Hardware Attributes
serial_number
serial_number- Type: String
- Description: Hardware serial number
- Example:
"ABCDEFGH","VMWARE-5310-G73B-01"
additional_attributes
additional_attributes- Type: Object
- Description: Additional hardware and system attributes
- Properties:
manufacturer: Hardware manufacturer (e.g.,"Microsoft Corporation","Lenovo","Dell Inc.","RICOH")model: Hardware model (e.g.,"Surface Laptop 4","ThinkPad X13 Yoga Gen 2","Precision 3630 Tower")build_number: OS build number (e.g.,"1889")service_pack: Service pack number (e.g.,0)system_sku: System SKU (e.g.,"Surface_Laptop_4_1978:1979","0871")version: OS version (e.g.,"20H2")trust_type: Trust type for Azure AD (e.g.,"ServerAd")status: Device status (e.g.,"normal")groups: Array of group memberships (e.g.,["Developers"])
Directory Service Attributes
active_directory_domain
active_directory_domain- Type: String
- Description: Active Directory domain name
- Example:
"bluth.co"
distinguished_name
distinguished_name- Type: String
- Description: LDAP distinguished name
- Example:
"cn=atdixfsua,ou=dpnqvufsta oz,ou=bluth dpnqvufsta,dc=bluth-dc,dc=com"
User Associations
associated_usernames
associated_usernames- Type: Array of Strings
- Description: Usernames associated with this device
- Example:
["nolalita.lubowitza", "terrellia.flateley"]
associated_users
associated_users- Type: Array of Objects
- Description: User objects associated with this device
- Properties:
username: Username string
owner
owner- Type: Object
- Description: Device owner information
- Properties:
id: Owner identifier
Security and Compliance
controls
controls- Type: Array of Strings
- Description: Security controls applied to this device
- Values:
"configuration_management","directory_service","endpoint_security" - Example:
["configuration_management", "directory_service", "endpoint_security"]
asset_classification
asset_classification- Type: Object
- Description: Asset classification information
- Properties:
category: Primary category (e.g.,"EnterpriseEndpoint")sub_category: Sub-category (can benull)
agent_version
agent_version- Type: String
- Description: Version of the monitoring/security agent installed
- Example:
"6.42.15610.0","1.0-40"
Geographic Information
geo_ip
geo_ip- Type: Object
- Description: Geographic location based on IP address
- Properties:
associated_ip: IP address used for geolocation (supports IPv4 and IPv6)city: City name (e.g.,"Chicago","Edinburgh","Singapore")country: Country name (e.g.,"United States","United Kingdom","Singapore")country_code: ISO country code (e.g.,"US","GB","SG")latitude: Latitude coordinatelongitude: Longitude coordinatelocality: State/province/region (e.g.,"Illinois","England","Scotland")region: Continental region (e.g.,"North America","Europe","Asia")
Source Information
sources
sources- Type: Array of Objects
- Description: Detailed information from each data source
- Properties:
source: Source system name (e.g.,"crowdstrike","automox")id: Source-specific identifiertype: Asset type (always"device")version: Source record version timestampconfig_id: Configuration ID for this sourcefirst_observed_timestamp: When first seen by this sourcelast_observed_timestamp: When last seen by this sourcelast_activity_timestamp: Last activity from this sourcelast_updated_time: Last time the source updated this recordagent_version: Agent version (if applicable)asset_type: Type of assetattributes: Source-specific attributes (follows same structure as main attributes)
Tags
tags
tags- Type: Array of Objects
- Description: Custom tags applied to the device
- Properties:
name: Tag namevalue: Array of tag values
- Example:
[
{"name": "critical-device", "value": []},
{"name": "laptops", "value": []},
{"name": "ExampleTag", "value": ["1"]},
]Event Information
When devices are updated or accessed, event information is included:
event
event- Type: Object
- Description: Event details for asset changes
- Properties:
asset_id: ID of the affected assetasset_type: Type of asset (always"device")asset_version: Version of the asset at time of eventconfig_id: Configuration ID related to the eventcorrelation_timestamp: Timestamp of the eventdeleted: Boolean indicating if asset was deletedevent_type: Type of event ("update","activity")source_id: Source system that generated the eventupdates: Array of changes madename: Name of the attribute updatedcurrent: Current valueprevious: Previous value
action
action- Type: String
- Description: Action performed
- Values:
"update","delete","activity"
Example Payload
This is only example data. Fields may differ depending on sources configured.
[
{
"asset": {
"asset_type": "device",
"attributes": {
"active_directory_domain": "bluth.co",
"additional_attributes": {
"manufacturer": "Microsoft Corporation",
"model": "Surface Laptop 4"
},
"asset_classification": {
"category": "EnterpriseEndpoint",
"sub_category": null
},
"associated_usernames": [
"nolalita.lubowitza",
"terrellia.flateley"
],
"controls": [
"configuration_management",
"directory_service",
"endpoint_security"
],
"distinguished_name": "cn=atdixfsuada,ou=dpnqvufstda oz,ou=bluth dpnqvufst,dc=bluth-dp,dc=com",
"external_ips": [
"1.1.1.1"
],
"fqdn": "atdixfsuada.bluth.co",
"geo_ip": {
"associated_ip": "1.1.1.1",
"city": null,
"country": "United States",
"country_code": "US",
"latitude": 37.751,
"locality": null,
"longitude": -97.822,
"region": "North America"
},
"hostname": "atdixfsuada",
"hostnames": [
"atdixfsuada"
],
"internal_ips": [
"10.10.23.65",
"10.42.21.105",
"10.42.21.32",
"10.42.22.124"
],
"ips": [
"10.10.23.65",
"10.42.21.105",
"10.42.21.32",
"10.42.22.124",
"1.1.1.1"
],
"mac_addresses": [
"02:FF:00:FF:32:01",
"80:6D:97:27:EA:A0",
"F4:26:79:B6:D1:2F",
"F4:26:79:B6:D1:33"
],
"mac_manufacturers": [
"Intel Corporate",
"Private"
],
"network_location": "OnPrem",
"os": "Windows 10 Enterprise 10.0.19042",
"os_end_of_life_timestamp": "2022-05-10T00:00:00Z",
"os_platform": "Windows",
"os_release": "Windows 10 Enterprise",
"os_version": "10.0.19042",
"serial_number": "07373997903-01"
},
"config_ids": [
"22222222-2222-2222-2222-222222222222",
"22222222-2222-2222-2222-222222222222",
"22222222-2222-2222-2222-222222222222",
"22222222-2222-2222-2222-222222222222",
"22222222-2222-2222-2222-222222222222",
"22222222-2222-2222-2222-222222222222",
"22222222-2222-2222-2222-222222222222"
],
"first_observed_timestamp": "2022-08-19T21:25:34.183832208Z",
"id": "00182068b08af7a464c31a4642084712",
"last_activity_timestamp": "2025-05-13T13:46:29.639623654Z",
"last_observed_timestamp": "2025-05-13T13:50:26.815242232Z",
"org_id": "22222222-2222-2222-2222-222222222222",
"source_ids": [
"automox",
"azure-ad",
"crowdstrike",
"illumio-core",
"lansweeper",
"malwarebytes-nebula",
"microsoft-ad"
],
"sources": [
{
"asset_type": "device",
"attributes": {
"active_directory_domain": "bluth.co",
"additional_attributes": {
"groups": [
"Mbqupqt OZ"
]
},
"asset_classification": {
"category": "EnterpriseEndpoint",
"sub_category": null
},
"controls": [
"directory_service"
],
"distinguished_name": "cn=atdixfsuada,ou=dpnqvufsta oz,ou=bluth dpnqvufst,dc=bluth-dp,dc=com",
"fqdn": "atdixfsuada.bluth.co",
"hostnames": [
"atdixfsuada"
],
"id": "S-1-5-21-371824371-9864271173-612421770-014143",
"last_updated_time": "2025-05-08T10:20:12.030011432Z",
"os": "Windows 10 Enterprise",
"os_end_of_life_timestamp": "2025-10-14T00:00:00Z",
"os_platform": "Windows",
"os_release": "Windows 10 Enterprise"
},
"config_id": "22222222-2222-2222-2222-222222222222",
"first_observed_timestamp": "2022-08-26T22:50:15.814665948Z",
"id": "S-1-5-21-371824370-0864271173-712421770-014143",
"last_activity_timestamp": "2025-05-08T10:20:12.030011432Z",
"last_observed_timestamp": "2025-05-13T13:50:26.815242232Z",
"source": "microsoft-ad",
"type": "device",
"version": "2023-08-26T17:19:42.144032351Z"
},
{
"asset_type": "device",
"attributes": {
"active_directory_domain": "bluth.co",
"asset_classification": {
"category": "EnterpriseEndpoint",
"sub_category": null
},
"associated_usernames": [
"nola.lubowitz"
],
"associated_users": [
{
"username": "nola.lubowitz"
}
],
"controls": [
"endpoint_security"
],
"fqdn": "atdixfsua.bluth.co",
"hostnames": [
"atdixfsua"
],
"id": "22222222-2222-2222-2222-222222222222",
"internal_ips": [
"10.42.21.32",
"10.10.23.65"
],
"ips": [
"10.42.21.32",
"10.10.23.65"
],
"mac_addresses": [
"02:FF:00:F0:32:00",
"80:6D:98:27:EA:00"
],
"mac_manufacturers": [
"Private"
],
"os": "Microsoft Windows 10 Enterprise",
"os_end_of_life_timestamp": "2025-10-14T00:00:00Z",
"os_platform": "Windows",
"os_release": "Windows 10 Enterprise"
},
"config_id": "22222222-2222-2222-2222-222222222222",
"first_observed_timestamp": "2022-08-19T21:26:11.672095041Z",
"id": "22222222-2222-2222-2222-222222222222",
"last_activity_timestamp": "2025-05-13T02:02:50.517778881Z",
"last_observed_timestamp": "2025-05-13T13:49:48.052942881Z",
"source": "malwarebytes-nebula",
"type": "device",
"version": "2023-08-31T09:02:50.715550126Z"
},
{
"asset_type": "device",
"attributes": {
"additional_attributes": {
"build_number": "1889",
"manufacturer": "Microsoft Corporation",
"model": "Surface Laptop 4",
"service_pack": 0,
"system_sku": "Surface_Laptop_4_1978:1979",
"version": "20H2"
},
"fqdn": "atdixfsuada.bluth.co",
"hostnames": [
"atdixfsua"
],
"id": "bluth\\atdixfsuada\\2",
"internal_ips": [
"10.42.21.105",
"10.42.22.124",
"10.10.23.65"
],
"ips": [
"10.42.21.105",
"10.42.22.124",
"10.10.23.65"
],
"last_updated_time": "2025-05-13T06:51:27.029222996Z",
"mac_addresses": [
"F4:26:70:B6:D1:00"
],
"mac_manufacturers": [
"Intel Corporate"
],
"network_location": "OnPrem",
"os": "Microsoft Windows 10 Enterprise",
"os_end_of_life_timestamp": "2025-10-14T00:00:00Z",
"os_platform": "Windows",
"os_release": "Windows 10 Enterprise",
"owner": {
"id": "ATdixfsua"
},
"serial_number": "07373997903-01"
},
"config_id": "22222222-2222-2222-2222-222222222222",
"first_observed_timestamp": "2022-09-01T17:42:58.468420471Z",
"id": "bluth\\atdixfsuada\\2",
"last_activity_timestamp": "2025-05-13T06:51:27.029222996Z",
"last_observed_timestamp": "2025-05-13T13:50:16.285140496Z",
"source": "lansweeper",
"type": "device",
"version": "2023-08-31T13:53:23.736294060Z"
},
{
"asset_type": "device",
"attributes": {
"asset_classification": {
"category": "EnterpriseEndpoint",
"sub_category": null
},
"controls": [
"endpoint_security"
],
"hostnames": [
"atdixfsuada"
],
"id": "22222222-2222-2222-2222-222222222222",
"internal_ips": [
"10.10.23.65",
"10.42.21.32"
],
"ips": [
"10.10.23.65",
"10.42.21.32"
],
"os": "Windows 10 Enterprise",
"os_end_of_life_timestamp": "2025-10-14T00:00:00Z",
"os_platform": "Windows",
"os_release": "Windows 10 Enterprise"
},
"config_id": "22222222-2222-2222-2222-222222222222",
"first_observed_timestamp": "2022-08-19T21:25:34.183832208Z",
"id": "22222222-2222-2222-2222-222222222222",
"last_activity_timestamp": "2025-05-13T13:46:29.639623654Z",
"last_observed_timestamp": "2025-05-13T13:49:54.661623654Z",
"source": "illumio-core",
"type": "device",
"version": "2023-08-31T20:46:51.200176296Z"
},
{
"asset_type": "device",
"attributes": {
"additional_attributes": {
"trust_type": "ServerAd"
},
"asset_classification": {
"category": "EnterpriseEndpoint",
"sub_category": null
},
"controls": [
"directory_service"
],
"hostnames": [
"atdixfsua"
],
"id": "22222222-2222-2222-2222-222222222222",
"last_updated_time": "2025-05-01T08:34:37.588215803Z",
"os": "Windows, 10.0.19042.1889",
"os_end_of_life_timestamp": "2022-05-10T00:00:00Z",
"os_platform": "Windows",
"os_release": "Windows 10",
"os_version": "10.0.19042.1889"
},
"config_id": "22222222-2222-2222-2222-222222222222",
"first_observed_timestamp": "2022-08-26T22:50:34.010560388Z",
"id": "22222222-2222-2222-2222-222222222222",
"last_activity_timestamp": "2025-05-01T08:34:37.588215803Z",
"last_observed_timestamp": "2025-05-13T12:49:48.056912825Z",
"source": "azure-ad",
"type": "device",
"version": "2025-02-13T17:34:54.649336965Z"
},
{
"agent_version": "6.42.15610.0",
"asset_type": "device",
"attributes": {
"active_directory_domain": "bluth.co",
"additional_attributes": {
"status": "normal"
},
"agent_version": "6.42.15610.0",
"asset_classification": {
"category": "EnterpriseEndpoint",
"sub_category": null
},
"controls": [
"endpoint_security"
],
"external_ips": [
"1.1.1.1"
],
"geo_ip": {
"associated_ip": "1.1.1.1",
"city": null,
"country": "United States",
"country_code": "US",
"latitude": 37.751,
"locality": null,
"longitude": -97.822,
"region": "North America"
},
"hostnames": [
"atdixfsuada"
],
"id": "0b85e319e31f5c3001dd9f595f18g615",
"internal_ips": [
"10.42.21.32"
],
"ips": [
"1.1.1.1",
"10.42.21.32"
],
"mac_addresses": [
"02:FF:01:FF:32:00"
],
"os": "Windows 10",
"os_end_of_life_timestamp": "2025-10-14T00:00:00Z",
"os_platform": "Windows",
"os_release": "Windows 10",
"serial_number": "07373997903-01"
},
"config_id": "22222222-2222-2222-2222-222222222222",
"first_observed_timestamp": "2022-08-19T21:25:53.575610534Z",
"id": "0b85e319e31f5c3001dd9f595f18g615",
"last_activity_timestamp": "2025-05-13T13:25:42.762805508Z",
"last_observed_timestamp": "2025-05-13T13:50:08.762805508Z",
"source": "crowdstrike",
"type": "device",
"version": "2025-04-01T19:25:36.312386093Z"
},
{
"agent_version": "1.0-40",
"asset_type": "device",
"attributes": {
"additional_attributes": {},
"agent_version": "1.0-40",
"asset_classification": {
"category": "EnterpriseEndpoint",
"sub_category": null
},
"associated_usernames": [
"terrellia.flateley"
],
"associated_users": [
{
"username": "terrellia.flateley"
},
{
"username": "terrellia.flateley"
}
],
"controls": [
"configuration_management",
"endpoint_security"
],
"external_ips": [
"1.1.1.1"
],
"fqdn": "atdixfsuada.bluth.co",
"geo_ip": {
"associated_ip": "1.1.1.1",
"city": null,
"country": "United States",
"country_code": "US",
"latitude": 37.751,
"locality": null,
"longitude": -97.822,
"region": "North America"
},
"hostnames": [
"atdixfsuada"
],
"id": "101749801",
"internal_ips": [
"10.10.23.65",
"10.42.21.32"
],
"ips": [
"64.124.210.133",
"10.10.23.65",
"10.42.21.32"
],
"mac_addresses": [
"F4:26:70:B6:D1:00",
"F4:26:70:B6:D1:00",
"02:FF:01:FF:32:00",
"80:6D:98:27:EA:00"
],
"mac_manufacturers": [
"Intel Corporate",
"Private"
],
"os": "Windows 10 Enterprise 10.0.19042",
"os_end_of_life_timestamp": "2022-05-10T00:00:00Z",
"os_platform": "Windows",
"os_release": "Windows 10 Enterprise",
"os_version": "10.0.19042",
"serial_number": "07373997903-01"
},
"config_id": "22222222-2222-2222-2222-222222222222",
"first_observed_timestamp": "2022-08-19T21:26:02.495033695Z",
"id": "101749801",
"last_activity_timestamp": "2025-05-13T11:07:05.899639533Z",
"last_observed_timestamp": "2025-05-13T13:50:20.899639533Z",
"source": "automox",
"type": "device",
"version": "2025-05-13T11:07:05.899639533Z"
}
],
"tags": [
{
"name": "critical-device",
"value": []
},
{
"name": "laptops",
"value": []
},
{
"name": "ExampleTag",
"value": [
"1"
]
}
],
"version": "2025-05-13T13:51:27.865431317Z"
},
"event": {
"asset_id": "101749801",
"asset_type": "device",
"asset_version": "2025-05-13T11:07:05.899639533Z",
"config_id": "22222222-2222-2222-2222-222222222222",
"correlation_timestamp": "2025-05-13T13:51:27.865431317Z",
"deleted": false,
"event_type": "update",
"source_id": "automox",
"updates": [
{
"current": {},
"name": "additional_attributes",
"previous": null
}
]
},
"action": "update"
}
]Updated 1 day ago