
Fleet
Asset Management- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The Fleet Connector integrates with Fleet (FleetDM), an open-source device management and osquery-based platform. It synchronizes managed device inventory and the software they run, along with the vulnerabilities affecting that software. The connector retrieves the following data:
- Hosts — enrolled devices with their hardware, operating system, MDM, disk, and status details.
- Packages — distinct software versions discovered across the fleet.
- Installed Packages — the association of a specific software version installed on a specific host.
- Vulnerabilities — findings linking a host and an installed software version to a known CVE.
- Vulnerability Definitions — CVE-level detail (CVSS score, EPSS, CISA known-exploited status, references).
Hosts are retrieved with their software populated (populate_software=true); the package, installed-package, vulnerability, and vulnerability-definition models are all derived from the host payload. Pages are fetched in parallel and host records are buffered in a local key-value store during a sync so multiple host-derived models can be produced from a single retrieval.
Data retrieved from Fleet
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Host | Yes | Host |
| Package | Yes | Package |
| Installed Package | Yes | Installed Package |
| Vulnerability | Yes | Vulnerability |
| Vulnerability Definition | Yes | Vulnerability Definition |
Model relationships
For detailed steps on how to view the data retrieved from Fleet in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Fleet from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API URL | Yes | — | Fleet API URL |
| API token | Yes | — | Fleet API token |
| Page size | No | 100 | Maximum number of records to get per API request |
| Parallel requests | No | min(4, available processors) | The maximum number of parallel API requests |
| Maximum retries | No | 5 | The maximum number of retry attempts before giving up a request |
| Requests per minute | No | 1800 | The maximum number of api requests per minute. Enter 0 to disable rate limiting. |
Authentication
Fleet uses a Bearer API token. The token is supplied as the apiToken configuration property and sent as an Authorization: Bearer <token> header on every request. There is no separate login/token-exchange call — the configured token is used directly.
Connectivity Test Endpoint
| Method | URL |
|---|---|
| GET | {url}/api/v1/fleet/hosts?page=0&per_page=1 |
Request Headers
| Header | Value |
|---|---|
Authorization | Bearer {apiToken} |
Accept | application/json |
Sample Response
A successful connectivity test returns a hosts payload:
{
"hosts": [
{
"id": 1,
"uuid": "4c4c4544-005a-3910-8031-b5c04f334733",
"hostname": "host-01",
"platform": "ubuntu",
"os_version": "Ubuntu 22.04.3 LTS",
"status": "online"
}
]
}
How the Credential Is Used
The connector reads the apiToken (a confidential GuardedString) and attaches it as the Authorization: Bearer <token> header to every subsequent API request. No token caching or refresh is performed.
How to obtain Fleet credentials
Generate a Fleet API token
For the Fleet connector to retrieve data from the Fleet REST API, you must provide an API token. To do so, follow these steps:
-
Log in to your organization's Fleet account as an administrator.
-
Click the profile photo and then click My account from the dropdown.
-
Click Get API token.
Your new API token displays. You can not view the token again after this. Copy and save it to a secure location.

-
Click Done.
Info: While any user can create API tokens to retrieve data from the Fleet API, Fleet recommends creating an API-only user, as tokens for regular users frequently expire, which can cause disruptions in your workflows. Additionally, the API-only user is assigned the Observer role by default, which is the minimum role required for API access. Fleet Premium customers can also assign team-level access for stricter access. For additional information, see Fleet documentation.
Note: If you do not have permissions to create an API token, contact your Fleet administrator. For additional information, see Fleet documentation.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Host
| Source Field Name | SDM Attribute |
|---|---|
constant | CATEGORIES |
derived | NAME |
derived | DESCRIPTION |
derived from HostResource.status | STATUS_CATEGORY |
HostResource.build | BUILD |
HostResource.code_name | CODE_NAME |
HostResource.computer_name | COMPUTER_NAME |
HostResource.config_tls_refresh | CONFIG_TLS_REFRESH |
HostResource.cpu_brand | CPU_BRAND |
HostResource.cpu_logical_cores | CPU_LOGICAL_CORES |
HostResource.cpu_physical_cores | CPU_PHYSICAL_CORES |
HostResource.cpu_subtype | CPU_SUBTYPE |
HostResource.cpu_type | CPU_TYPE |
HostResource.created_at | SOURCE_CREATED_DATE |
HostResource.detail_updated_at | DETAIL_UPDATED_AT |
HostResource.display_name | DISPLAY_NAME |
HostResource.display_text | DISPLAY_TEXT |
HostResource.distributed_interval | DISTRIBUTED_INTERVAL |
HostResource.gigs_disk_space_available | GIGS_DISK_SPACE_AVAILABLE |
HostResource.hardware_model | HARDWARE_MODEL |
HostResource.hardware_serial | SERIAL_NUMBER |
HostResource.hardware_vendor | HARDWARE_VENDOR |
HostResource.hardware_version | HARDWARE_VERSION |
HostResource.hostname | HOSTNAMES |
HostResource.issues.failing_policies_count | FAILING_POLICIES_COUNT |
HostResource.issues.total_issues_count | TOTAL_ISSUES_COUNT |
HostResource.label_updated_at | LABEL_UPDATED_AT |
HostResource.last_enrolled_at | LAST_ENROLLED_AT |
HostResource.logger_tls_period | LOGGER_TLS_PERIOD |
HostResource.mdm.encryption_key_available | ENCRYPTION_KEY_AVAILABLE |
HostResource.mdm.enrollment_status | ENROLLMENT_STATUS |
HostResource.mdm.name | MDM_NAME |
HostResource.mdm.server_url | SERVER_URL |
HostResource.memory | MEMORY |
HostResource.os_version | OPERATING_SYSTEM |
HostResource.osquery_version | OSQUERY_VERSION |
HostResource.pack_stats | PACK_STATS |
HostResource.percent_disk_space_available | PERCENT_DISK_SPACE_AVAILABLE |
HostResource.platform | PLATFORM |
HostResource.platform_like | PLATFORM_LIKE |
HostResource.policy_updated_at | POLICY_UPDATED_AT |
HostResource.primary_ip | PRIVATE_IP_ADDRESSES |
HostResource.primary_mac | MAC_ADDRESSES |
HostResource.public_ip, HostResource.primary_ip | IP_ADDRESSES |
HostResource.public_ip, HostResource.primary_ip | PUBLIC_IP_ADDRESSES |
HostResource.refetch_critical_queries_until | REFETCH_CRITICAL_QUERIES_UNTIL |
HostResource.refetch_requested | REFETCH_REQUESTED |
HostResource.seen_time | LAST_SEEN |
HostResource.software_updated_at | SOFTWARE_UPDATED_AT |
HostResource.status | SOURCE_STATUS |
HostResource.status | STATUS |
HostResource.status | PROVIDER_STATUS |
HostResource.team_id | TEAM_ID |
HostResource.team_name | TEAM_NAME |
HostResource.updated_at | SOURCE_LAST_MODIFIED |
HostResource.uptime | UPTIME |
HostResource.uuid | UID |
Package
| Source Field Name | SDM Attribute |
|---|---|
constant | CATEGORIES |
derived | UID |
derived | DESCRIPTION |
SoftwareVersion.arch | ARCH |
SoftwareVersion.generated_cpe | AFFECTED |
SoftwareVersion.hosts_count | HOSTS_COUNT |
SoftwareVersion.name | NAME |
SoftwareVersion.release | RELEASE |
SoftwareVersion.source | SOURCE |
SoftwareVersion.vendor | VENDOR |
SoftwareVersion.version | CURRENT_VERSION |
SoftwareVersion.vulnerabilities[].cve | CVE_IDS |
Installed Package
| Source Field Name | SDM Attribute |
|---|---|
derived | UID |
derived | DESCRIPTION |
derived | TYPE |
HostResource.uuid | TARGETS |
SoftwareVersion.installed_paths | INSTALLED_PATHS |
SoftwareVersion.installed_paths[0] | INSTALL_PATH |
SoftwareVersion.name | NAME |
SoftwareVersion.version | CURRENT_VERSION |
Vulnerability
| Source Field Name | SDM Attribute |
|---|---|
constant | STATUS |
derived | UID |
derived | TYPE |
derived | TARGETS |
derived | STATUS_CATEGORY |
derived | RESULTS |
Vulnerability Definition
| Source Field Name | SDM Attribute |
|---|---|
derived | UID |
derived | NAME |
VulnerabilityResource.cisa_known_exploit | CISA_EXPLOITED |
VulnerabilityResource.cve | CVE_IDS |
VulnerabilityResource.cve | CVE_RECORDS |
VulnerabilityResource.cve_description | DESCRIPTION |
VulnerabilityResource.cve_published | PUBLISHED_DATE |
VulnerabilityResource.cvss_score | CVSS_V3_BASE_SCORE |
VulnerabilityResource.details_link | REFERENCES |
VulnerabilityResource.epss_probability | EPSS_PERCENTILE |
VulnerabilityResource.resolved_in_version | FIXED_VERSION |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Host
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /api/v1/fleet/hosts - Default filters:
populate_software=true
Package
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /api/v1/fleet/software/versions
Installed Package
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /api/v1/fleet/hosts - Default filters:
populate_software=true
Vulnerability
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /api/v1/fleet/hosts - Default filters:
populate_software=true
Vulnerability Definition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /api/v1/fleet/hosts - Default filters:
populate_software=true
Changelog
The Fleet connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.1.4 | Bug Fixes - Hosts that are returned without a unique identifier are now safely skipped and logged instead of interrupting the sync, improving reliability when the source system returns incomplete host records. | N/A |
| 3.1.3 | Improvements - Page size can now be configured independently per object type, giving finer control over how many records are requested for each data set. | N/A |
| 3.1.2 | Improvements - Parallel request and page size limits can now be set independently per object type, allowing performance to be tuned for each data set. - Vulnerability findings now link to both the affected host and the specific installed software, providing clearer context for where a vulnerability applies. | N/A |
| 3.1.1 | New Features - Vulnerability Definitions now include the fixed version, making it easier to identify the software release that resolves each vulnerability. | N/A |
| 3.1.0 | New Features - Added API rate limiting controls, including configurable requests-per-minute and automatic retry of throttled requests, to keep syncs within the source system's limits. Improvements - Reworked host data collection to reduce the number of API calls and improve sync stability against large fleets. - Hosts are now identified by their stable UUID, producing consistent identifiers across syncs. | • Host: The unique identifier for hosts changed from the numeric host ID to the host UUID. Existing host data must be purged and re-synced so hosts are re-keyed and downstream relationships are rebuilt correctly. — Action: purge and re-sync |
| 3.0.0 | Overview The Fleet connector integrates with Fleet to synchronize device hosts, installed software packages, and the vulnerabilities affecting them. Category: Asset Management Models | N/A |