Endpoint Inventory Schema

[randomuserid]

This is the working schema for the inventory events:

OpenDR Log Fields July 2025:

Autorun Logs

Field	Description	Notes
timestamp	Log entry timestamp	Timestamp when the autorun entry was logged (YYYY-MM-DD HH:MM:SS format)
hostname	System hostname	Name of the system where the autorun entry was detected
event	Event type	Type of autorun event (e.g., autorun, created, modified, deleted)
source	Source of the event	Location of the autorun entry (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce)
entry	Event entry name	Name of the autorun entry or program
path	Path associated with the event	Full path to the executable or command that will be run
sid	Security Identifier	Security Identifier of the user or system associated with the autorun entry
ec2_instance_id	EC2 instance ID	EC2 instance ID if running in AWS environment, otherwise 'No instance ID'

Endpoint Logs

Field	Description	Notes
timestamp	Log entry timestamp	Timestamp when the endpoint entry was logged (YYYY-MM-DD HH:MM:SS format)
hostname	System hostname	Name of the system where the endpoint entry was detected
private_ips	Private IP addresses	Private IP addresses associated with the endpoint
public_ip	Public IP address	Public IP address associated with the endpoint
computer_sid	Computer Security Identifier	Security Identifier of the computer associated with the endpoint
ec2_instance_id	EC2 instance ID	EC2 instance ID if running in AWS environment, otherwise 'No instance ID'

Device Driver Logs

Field	Description	Notes
timestamp	Log entry timestamp	Timestamp when the device driver entry was logged (YYYY-MM-DD HH:MM:SS format)
hostname	System hostname	Name of the system where the device driver entry was detected
event	Event type	Type of device driver event (e.g., existing driver, new driver)
desc	Driver description	Description of the device driver
signer	Driver signer	Signer of the device driver
class_guid	Class GUID	GUID of the device driver class
compat_id	Compatibility ID	Compatibility ID of the device driver
device_class	Device class	Class of the device associated with the driver
device_id	Device ID	ID of the device associated with the driver
device_name	Device name	Name of the device associated with the driver
driver_provider	Driver provider	Provider of the device driver
driver_version	Driver version	Version of the device driver
friendly_name	Friendly name	Friendly name of the device driver
hardware_id	Hardware ID	ID of the hardware associated with the driver
inf_name	INF file name	Name of the INF file associated with the driver
is_signed	Signed status	Signed status of the device driver
manufacturer	Manufacturer	Manufacturer of the device associated with the driver
pdo	Physical Device Object	Physical Device Object associated with the driver
sid	Security Identifier	Security Identifier of the user or system associated with the device driver
ec2_instance_id	EC2 instance ID	EC2 instance ID if running in AWS environment, otherwise 'No instance ID'

Hotfix Logs

Field	Description	Notes
timestamp	Log entry timestamp	Timestamp when the hotfix entry was logged (YYYY-MM-DD HH:MM:SS format)
name	Hotfix name	Name of the hotfix (KB number)
hostname	System hostname	Name of the system where the hotfix entry was detected
username	User who installed	User who installed the hotfix
description	Hotfix description	Description of the hotfix
event	Event type	Type of hotfix event (e.g., hotfix, installed)
sid	Security Identifier	Security Identifier of the user or system associated with the hotfix

Scheduled Task Logs

Field	Description	Notes
timestamp	Log entry timestamp	Timestamp when the scheduled task entry was logged (YYYY-MM-DD HH:MM:SS format)
hostname	System hostname	Name of the system where the scheduled task entry was detected
event	Event type	Type of scheduled task event (e.g., scheduled_task, created, modified, deleted)
task_name	Task name	Name of the scheduled task
status	Task status	Status of the scheduled task
last_run	Last run time	Last time the scheduled task was run
next_run	Next run time	Next time the scheduled task will be run
task_to_run	Task executable	Executable or command that will be run by the scheduled task
schedule	Schedule information	Schedule information for the task (e.g., daily, weekly)
author	Task author	Author of the scheduled task
start_time	Start time	Start time of the scheduled task
sid	Security Identifier	Security Identifier of the user or system associated with the scheduled task
ec2_instance_id	EC2 instance ID	EC2 instance ID if running in AWS environment, otherwise 'No instance ID'

Installed Software Logs

Field	Description	Notes
timestamp	Log entry timestamp	Timestamp when the installed software entry was logged (YYYY-MM-DD HH:MM:SS format)
hostname	System hostname	Name of the system where the installed software entry was detected
program	Program name	Name of the installed program
version	Program version	Version of the installed program
instanceid	Instance ID	Instance ID of the installed program
sid	Security Identifier	Security Identifier of the user or system associated with the installed software

Windows Services Logs

Field	Description	Notes
timestamp	Log entry timestamp	Timestamp when the Windows service entry was logged (YYYY-MM-DD HH:MM:SS format)
hostname	System hostname	Name of the system where the Windows service entry was detected
username	Service owner	Owner of the Windows service
pid	Process ID	Process ID of the Windows service
servicename	Service name	Name of the Windows service
displayname	Service display name	Display name of the Windows service
status	Service status	Status of the Windows service
start	Start type	Start type of the Windows service (e.g., automatic, manual)
executable	Executable path	Path to the executable of the Windows service
sid	Security Identifier	Security Identifier of the user or system associated with the Windows service

[randomuserid]

Here is a field normalization for the inventory events that gets us to 15 fields. Other platforms should be ok with these fields. I have excluded a few fields that are present in the raw log files that are not super important. We can skip them when shipping events to the database from the log files. I excluded endpoint events here b/c we can put these into the systemevents table.

Normalized Field:	Autoruns	Drivers	Tasks	Services	Software	Hotfixes
timestamp	timestamp	timestamp	timestamp	timestamp	timestamp	timestamp
hostname	hostname	hostname	hostname	hostname	hostname	hostname
user	user		author	username		username
event	event	event	event	event		event
identifier		device_id		pid	instanceid	sid
name	source	friendly_name	task_name	displayname	program	name
image	path	pdo		executable
status		is_signed	status	status
state			schedule	start
description	entry	desc	task_to_run	servicename		description
vendor		signer
version		driver_version			version
guid	sid	sid	sid	sid	sid	sid
ec2_instance_id	ec2_instance_id	ec2_instance_id	ec2_instance_id	ec2_instance_id	ec2_instance_id	ec2_instance_id