IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› ›

Network Fields

edit

Network Fields

edit

The network is defined as the communication path over which a host or network event happens.

The network.* fields should be populated with details about the network activity associated with an event.

Network Field Details

edit

Field	Description	Level
network.application	A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". type: keyword example: `aim`	extended
network.bytes	Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. type: long example: `368`	core
network.community_id	A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. type: keyword example: `1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=`	extended
network.direction	Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host’s point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. type: keyword example: `inbound`	core
network.forwarded_ip	Host IP address when the source IP address is the proxy. type: ip example: `192.1.1.2`	core
network.iana_number	IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. type: keyword example: `6`	extended
network.inner	Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) type: object	extended
network.name	Name given by operators to sections of their network. type: keyword example: `Guest Wifi`	extended
network.packets	Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. type: long example: `24`	core
network.protocol	L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". type: keyword example: `http`	core
network.transport	Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". type: keyword example: `tcp`	core
network.type	In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". type: keyword example: `ipv4`	core

Field Reuse

edit

Field sets that can be nested under Network

edit

Nested fields	Description
network.inner.vlan.*	Fields to describe observed VLAN information.
network.vlan.*	Fields to describe observed VLAN information.

« Log Fields Observer Fields »