Skip to main content



JupiterOne normalizes ingested asset data for devices and represents them as a single device within the Device view. To access the Device view, navigate to the Assets tab in JupiterOne and select the device icon in the top right of the asset table.

JupiterOne Devices view

Currently, JupiterOne ingests and normalizes data for the following device types:

  • Servers
  • Laptops
  • Workstations
  • Mobile devices

Device data normalization and consolidation

With the introduction of Devices, we now normalize data relating to devices. These changes apply to all entities from any _type in the _class=Device:

  1. Mac address normalization: Converts and collects MAC addresses of various formats to uppercase, colon delineated, into an array of MAC addresses associated with the device (macAddress)
  2. Vendor/make/manufacturer normalization: Pulls various fields to a single field and normalizes values (make)
    • MAC Address to vendor OUI Normalization: Converts MAC addresses to vendor where the MAC address of a devices matches an IEEE registered OUI
  3. Operating system name/family/type: Normalizes operating systems from various formats and properties (osType)
  4. Operating system version: Normalizes OS version numbers from various formats and properties (osVersion)
  5. Encryption status: Normalizes the encryption status (boolean) of a consolidated device (encryptionStatus)
  6. Serials: Normalizes and collects serial numbers into an array of serials associated with the device (serials)

In addition to the normalization of data, the Device Matrix introduces the consolidation of devices from source integrations. Today the consolidation logic will consolidate on the below Device properties if they match between devices:

  1. MAC Address macAddress
  2. Serial serials
  3. Azure AD Device ID (O365, AzureAD, and MS Defender specific)

You may see a preview of these normalizations in new, temporary properties with a j1_ prefix. These will be removed and the normalized values will be available in the base field. Some saved queries or rules may be affected. Our goal is to make your queries simpler and more accurate.

For more information see Entity Property Normalization

Data sources table

The data sources section showcases the integrations configured within your devices view for which data is being populated within the devices table. By toggling a data source, you can remove or populate that integration's device data within the table view. Each data source is represented as its own column within the table. By enabling a data source, you will append that data source's column on the table, and disabling a data source will remove that source's column from the table.

For example, if you have Automox and Microsoft integrations ingesting device assets, your device table would include devices associated to Automox, Microsoft, and both. To only view devices related to Automox, you could deselect Microsoft within the Data Sources panel, leaving only devices relating to Automox.

Device management

Much like our assets view, the device table supports a variety of actions that enable you to adjust the table and results to make meaningful discoveries. Most actions are found under the three dot icon found at the top right of the devices table.

Device properties panel

Selecting a device from within the table will bring up the device's property panel. This panel showcases all the different devices and their associated properties that make up the consolidated device. From here, you can also view the graph of the device, where you'll find each of the properties that it is comprised of, allowing you to explore the blast radius of each property.

Filter panel

You can filter the results within your device view a variety of ways, and the filtering panel on the left of the table provides a quick way to sort your data based on a variety of pre-configured filters:

  • Operating system type
  • Operating system version
  • Last seen date
  • Tags
  • Device Encryption

From within the devices view, you are able to query the table via the search bar in order to filter down results to desired information. For example, you could search for a particular device, MAC address, or


At this point, querying your devices is limited to the full-text search. Querying your devices with J1QL is not supported.

Column selection

In addition to the table columns populated by each data source, you can add and remove additional columns in the table by accessing the three dots in the top right corner of the table and selecting Column selector

Heat map

The heat map allows you to visually assess the severity rankings of the duration of a particular device being last seen by a data source. The heat map is displayed within the Last seen column of the devices table.

JupiterOne Devices Heat Map

Modify heat map

The heat map can be adjusted to suit your particular SLA, and is completely customizable. By clicking the three dots in the upper right of the table view and selecting Heat map settings, you are able to change and update the default heat map values. You can specify durations, their corresponding color on the table, and even add additional rules to expand the amount of heat map classifications on the device table.

Data Source Authority

With any device value that may show up as an array with multiple different values across integrations (such as a device display name), you are able to designate a specific integration as the highest authority to inform JupiterOne that the values for the designated data source authority should override other integration values and be displayed. You can access Data Source Authority configuration by selecting the three dots in the upper right-hand corner of the devices table.

This is configured in a ranking order, giving highest precedent to the primary designated data source. For example, if you want to utilize the Automox device property values, you would provide Automox the Highest authority value. Any data source ranked below Highest would only be populated should the ranking source above it in priority not provide that particular value.

Save as CSV

You are able to export your device list/table as a CSV be selecting the Save as button in the top-right of the device table. From there, you will be prompted to download the file.

Unified Device in the J1 Graph

Data Model and Property Schema

The unified_device is a new added type of the class Device. This new entity is created as a bridge entity of all the HostAgent, Device, and Record entities that follow the consolidation schema described here. It is important to note that if you are running Device class queries regularly you will be seeing more Device entities that will be attributed to the unified_device.

It is important to note that you are able to control the naming convention and properties shown on the unified_device by establishing a data source authority in the Unified Device Matrix - more here

Below is the data-model for how these entities are connected in the J1 Graph. Using the data model you can start to build Device queries across all of your Device inventory:

  • HostAgent PROTECTS unified_device
  • Device IS unified_device
  • Record IS unified_device

Here is an Image to represent what these Devices look like in the J1 Graph:

Unified Device in the Graph

Currently the consolidation to generate the unified_device is run daily.

Query Examples

The purpose of the unified_device is build a connective bridge to help you answer all of your device configuration across all of your security tools on your devices. See below for just a few ways you can query your device inventory outside of the Unified Device Matrix

Agent Coverage:
Find addigy_hostagent that PROTECTS unified_device that !PROTECTS sentinelone_agent
Find automox_device that IS unified_device that !PROTECTS crowdstrike_sensor

MDM Coverage:
FIND google_device THAT IS unified_device THAT !PROTECTS addigy_hostagent

Vuln Scanning Coverage:
Find user_endpoint THAT IS unified_device THAT !IS tenable_record

Host Agents Not Operating Correctly:
FIND sentinelone_agent WITH lastSeenOn < AS a THAT PROTECTS unified_device WITH lastSeenOn >

Unknown AD managed Device:
Find user_endpoint THAT IS unified_device THAT !IS azure_device