Network Fields
editNetwork Fields
editThe network is defined as the communication path over which a host or network event happens.
The network.* fields should be populated with details about the network activity associated with an event.
Network Field Details
edit| Field | Description | Level |
|---|---|---|
|
When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application’s or service’s name. For example, the original event identifies the network connection being from a specific web service in a The field value must be normalized to lowercase for querying. type: keyword example: |
extended |
|
|
Total bytes transferred in both directions. If type: long example: |
core |
|
|
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. type: keyword example: |
extended |
|
|
Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host’s point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. Expected values for this field:
type: keyword example: |
core |
|
|
Host IP address when the source IP address is the proxy. type: ip example: |
core |
|
|
IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. type: keyword example: |
extended |
|
|
Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) type: object |
extended |
|
|
Name given by operators to sections of their network. type: keyword example: |
extended |
|
|
Total packets transferred in both directions. If type: long example: |
core |
|
|
In the OSI Model this would be the Application Layer protocol. For example, The field value must be normalized to lowercase for querying. type: keyword example: |
core |
|
|
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. type: keyword example: |
core |
|
|
In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. type: keyword example: |
core |