Network Fields
All network details go here, including sub-messages with details on each protocol (e.g., DHCP, DNS, HTTP, etc.).
Network Field Details
network.application_protocol
Description: The application protocol.
Type: Enum

| Enum | Description |
|---|---|
| UNKNOWN_APPLICATION_PROTOCOL | The default application protocol. |
| AFP | Apple Filing Protocol. |
| APPC | Advanced Program-to-Program Communication. |
| AMQP | Advanced Message Queuing Protocol. |
| ATOM | Atom Publishing Protocol. |
| BEEP | Block Extensible Exchange Protocol. |
| BITCOIN | Cryptocurrency protocol. |
| BIT_TORRENT | Peer-to-peer file sharing. |
| CFDP | Coherent File Distribution Protocol. |
| COAP | Constrained Application Protocol. |
| DCERPC | DCE/RPC. |
| DDS | Data Distribution Service. |
| DEVICE_NET | Automation industry protocol. |
| DHCP | DHCP. |
| DNS | DNS. |
| E_DONKEY | Classic file-sharing protocol. |
| ENRP | Endpoint Handlespace Redundancy Protocol. |
| FAST_TRACK | File-sharing peer-to-peer protocol. |
| FINGER | User Information Protocol. |
| FREENET | Censorship-resistant peer-to-peer network. |
| FTAM | File Transfer Access and Management. |
| GOPHER | Gopher protocol. |
| HL7 | Health Level Seven. |
| H323 | Packet-based multimedia communications system. |
| HTTP | HTTP. |
| HTTPS | HTTPS. |
| IRCP | Internet Relay Chat Protocol. |
| KADEMLIA | Peer-to-peer distributed hash tables. |
| KRB5 | Kerberos 5. |
| LDAP | Lightweight Directory Access Protocol. |
| LPD | Line Printer Daemon Protocol. |
| MIME | Multipurpose Internet Mail Extensions and Secure MIME. |
| MODBUS | Serial communications protocol. |
| MQTT | Message Queuing Telemetry Transport. |
| NETCONF | Network Configuration Protocol. |
| NFS | Network File System. |
| NIS | Network Information Service. |
| NNTP | Network News Transfer Protocol. |
| NTCIP | National Transportation Communications for Intelligent Transportation System Protocol. |
| NTP | Network Time Protocol. |
| OSCAR | AOL Instant Messenger Protocol. |
| PNRP | Peer Name Resolution Protocol. |
| QUIC | QUIC. |
| RDP | Remote Desktop Protocol. |
| RELP | Reliable Event Logging Protocol. |
| RIP | Routing Information Protocol. |
| RLOGIN | Remote Login in UNIX Systems. |
| RPC | Remote Procedure Call. |
| RTMP | Real Time Messaging Protocol. |
| RTP | Real-time Transport Protocol. |
| RTPS | Real Time Publish Subscribe. |
| RTSP | Real Time Streaming Protocol. |
| SAP | Session Announcement Protocol. |
| SDP | Session Description Protocol. |
| SIP | Session Initiation Protocol. |
| SLP | Service Location Protocol. |
| SMB | Server Message Block. |
| SMTP | Simple Mail Transfer Protocol. |
| SNTP | Simple Network Time Protocol. |
| SSH | Secure Shell. |
| SSMS | Secure SMS Messaging Protocol. |
| STYX | Styx/9P - Plan 9 from Bell Labs distributed file system protocol. |
| TCAP | Transaction Capabilities Application Part. |
| TDS | Tabular Data Stream. |
| TOR | Anonymity network. |
| TSP | Time Stamp Protocol. |
| VTP | Virtual Terminal Protocol. |
| WHOIS | Remote Directory Access Protocol. |
| WEB_DAV | Web Distributed Authoring and Versioning. |
| X400 | Message Handling Service Protocol. |
| X500 | Directory Access Protocol (DAP). |
| XMPP | Extensible Messaging and Presence Protocol. |
network.application_protocol_version
Description: The version of the application protocol, e.g. "1.1" or "2.0".
Type: String
network.asn
Description: Autonomous system number.
Type: String
network.carrier_name
Description: Carrier identification.
Type: String
network.community_id
Description: Community ID network flow hash.
Type: String
network.dhcp.chaddr
Description: Client hardware address (chaddr).
Type: String
network.dhcp.ciaddr
Description: Client IP address (ciaddr).
Type: String
network.dhcp.client_hostname
Description: Client hostname. See RFC2132, section 3.14.
Type: String
network.dhcp.client_identifier
Description: Client identifier. See RFC2132, section 9.14.
Type: String
network.dhcp.file
Description: Boot image filename.
Type: String
network.dhcp.flags
Description: Flags.
Type: Integer
network.dhcp.giaddr
Description: Relay agent IP address (giaddr).
Type: String
network.dhcp.hlen
Description: Hardware address length (hlen).
Type: Integer
network.dhcp.hops
Description: Hop count (hops).
Type: Integer
network.dhcp.htype
Description: Hardware address type (htype).
Type: Integer
network.dhcp.lease_time_seconds
Description: Lease time in seconds. See RFC2132, section 9.2.
Type: Integer
network.dhcp.opcode
Description: The BOOTP op code.
Type: Enum

| Enum | Description |
|---|---|
| UNKNOWN_OPCODE | Default opcode. |
| BOOTREQUEST | Request. |
| BOOTREPLY | Reply. |
network.dhcp.options[n].code
Description: Option code. See RFC1533.
Type: Integer
network.dhcp.options[n].data
Description: Option data.
Type: String
network.dhcp.options
Description: List of DHCP options.
Type: Array
network.dhcp.requested_address
Description: Requested IP address. See RFC2132, section 9.1.
Type: String
network.dhcp.seconds
Description: Seconds elapsed since the client began the address acquisition/renewal process.
Type: Integer
network.dhcp.siaddr
Description: IP address of the next bootstrap server (siaddr).
Type: String
network.dhcp.sname
Description: Server name that the client wishes to boot from (sname).
Type: String
network.dhcp.transaction_id
Description: Transaction ID.
Type: Integer
network.dhcp.type
Description: DHCP message type.
Type: Enum

| Enum | Description |
|---|---|
| UNKNOWN_MESSAGE_TYPE | Default message type. |
| DISCOVER | DHCPDISCOVER. |
| OFFER | DHCPOFFER. |
| REQUEST | DHCPREQUEST. |
| DECLINE | DHCPDECLINE. |
| ACK | DHCPACK. |
| NAK | DHCPNAK. |
| RELEASE | DHCPRELEASE. |
| INFORM | DHCPINFORM. |
| WIN_DELETED | Windows DHCP "lease deleted". |
| WIN_EXPIRED | Windows DHCP "lease expired". |

network.dhcp.yiaddr
Description: Your IP address (yiaddr).
Type: String
network.direction
Description: The direction of network traffic.
Type: Enum

| Enum | Description |
|---|---|
| UNKNOWN_DIRECTION | The default direction. |
| INBOUND | An inbound request. |
| OUTBOUND | An outbound request. |
| BROADCAST | A broadcast. |
network.dns.additional[n].binary_data
Description: The raw bytes of any non-UTF-8 strings that might be included as part of a DNS response.
Type: String
network.dns.additional[n].class
Description: The code specifying the class of the resource record.
Type: Integer
network.dns.additional[n].data
Description: The payload or response to the DNS question, for all responses encoded in UTF-8 format.
Type: String
network.dns.additional[n].name
Description: The name of the owner of the resource record.
Type: String
network.dns.additional[n].ttl
Description: The time interval for which the resource record can be cached before the source of the information should be queried again.
Type: Integer
network.dns.additional[n].type
Description: The code specifying the type of the resource record.
Type: Integer
network.dns.additional
Description: A list of additional domain name servers that can be used to verify the answer to the domain.
Type: Array
network.dns.answers[n].binary_data
Description: The raw bytes of any non-UTF-8 strings that might be included as part of a DNS response.
Type: String
network.dns.answers[n].class
Description: The code specifying the class of the resource record.
Type: Integer
network.dns.answers[n].data
Description: The payload or response to the DNS question, for all responses encoded in UTF-8 format.
Type: String
network.dns.answers[n].name
Description: The name of the owner of the resource record.
Type: String
network.dns.answers[n].ttl
Description: The time interval for which the resource record can be cached before the source of the information should be queried again.
Type: Integer
network.dns.answers[n].type
Description: The code specifying the type of the resource record.
Type: Integer
network.dns.answers
Description: A list of answers to the domain name query.
Type: Array
network.dns.authoritative
Description: Whether the response is an authoritative answer (the AA header flag). See RFC1035, section 4.1.1.
Type: Boolean
network.dns.authority[n].binary_data
Description: The raw bytes of any non-UTF-8 strings that might be included as part of a DNS response.
Type: String
network.dns.authority[n].class
Description: The code specifying the class of the resource record.
Type: Integer
network.dns.authority[n].data
Description: The payload or response to the DNS question, for all responses encoded in UTF-8 format.
Type: String
network.dns.authority[n].name
Description: The name of the owner of the resource record.
Type: String
network.dns.authority[n].ttl
Description: The time interval for which the resource record can be cached before the source of the information should be queried again.
Type: Integer
network.dns.authority[n].type
Description: The code specifying the type of the resource record.
Type: Integer
network.dns.authority
Description: A list of domain name servers which verified the answers to the domain name queries.
Type: Array
network.dns.id
Description: DNS query ID.
Type: Integer
network.dns.opcode
Description: The DNS OpCode used to specify the type of DNS query (e.g. QUERY, IQUERY, STATUS).
Type: Integer
network.dns.questions[n].class
Description: The code specifying the class of the query.
Type: Integer
network.dns.questions[n].name
Description: The domain name.
Type: String
network.dns.questions[n].prevalence.day_count
Description: The number of days over which rolling_max is calculated.
Type: Integer
network.dns.questions[n].prevalence.day_max
Description: The maximum prevalence score in a one-day interval window.
Type: Integer
network.dns.questions[n].prevalence.day_max_sub_domains
Description: The maximum prevalence score in a one-day interval window across sub-domains. This field is only valid for domains.
Type: Integer
network.dns.questions[n].prevalence.rolling_max
Description: The maximum number of assets per day accessing the resource over the trailing day_count days.
Type: Integer
network.dns.questions[n].prevalence.rolling_max_sub_domains
Description: The maximum number of assets per day accessing the domain along with its sub-domains over the trailing day_count days. This field is only valid for domains.
Type: Integer
network.dns.questions[n].type
Description: The code specifying the type of the query.
Type: Integer
network.dns.questions
Description: A list of domain protocol message questions.
Type: Array
network.dns.recursion_available
Description: Whether a recursive DNS lookup is available.
Type: Boolean
network.dns.recursion_desired
Description: Whether a recursive DNS lookup is desired.
Type: Boolean
network.dns.response
Description: Set to true if the event is a DNS response. See the QR field in RFC1035.
Type: Boolean
network.dns.response_code
Description: Response code. See RCODE in RFC1035.
Type: Integer
network.dns.truncated
Description: Whether the DNS response was truncated.
Type: Boolean
network.dns_domain
Description: DNS domain name.
Type: String
network.email.bcc
Description: A list of 'bcc' addresses.
Type: Array
network.email.bounce_address
Description: The envelope 'from' address. See https://en.wikipedia.org/wiki/Bounce_address
Type: String
network.email.cc
Description: A list of 'cc' addresses.
Type: Array
network.email.from
Description: The 'from' address.
Type: String
network.email.mail_id
Description: The mail (or message) ID.
Type: String
network.email.reply_to
Description: The 'reply to' address.
Type: String
network.email.subject
Description: The subject line(s) of the email.
Type: Array
network.email.to
Description: A list of 'to' addresses.
Type: Array
network.ftp.command
Description: The FTP command.
Type: String
network.http.method
Description: The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE").
Type: String
network.http.referral_url
Description: The URL from the HTTP Referer header.
Type: String
network.http.response_code
Description: The HTTP response status code, e.g. 200, 302, 404, 500.
Type: Integer
network.http.user_agent
Description: The User-Agent request header, which includes the application type, operating system, software vendor or software version of the requesting software user agent.
Type: String
network.ip_protocol
Description: The IP protocol.
Type: Enum

| Enum | Description |
|---|---|
| UNKNOWN_IP_PROTOCOL | The default protocol. |
| ICMP | ICMP. |
| IGMP | IGMP. |
| TCP | TCP. |
| UDP | UDP. |
| IP6IN4 | IPv6 Encapsulation. |
| GRE | Generic Routing Encapsulation. |
| ESP | Encapsulating Security Payload. |
| EIGRP | Enhanced Interior Gateway Routing Protocol. |
| ETHERIP | Ethernet-within-IP Encapsulation. |
| PIM | Protocol Independent Multicast. |
| VRRP | Virtual Router Redundancy Protocol. |
network.organization_name
Description: Organization name (e.g. Google).
Type: String
network.parent_session_id
Description: The ID of the parent network session.
Type: String
network.received_bytes
Description: The number of bytes received.
Type: String
network.received_packets
Description: The number of packets received.
Type: String
network.sent_bytes
Description: The number of bytes sent.
Type: String
network.sent_packets
Description: The number of packets sent.
Type: String
network.session_duration
Description: The duration of the session as a number of seconds and nanoseconds. The seconds part, network.session_duration.seconds, is a 32-bit integer; the nanoseconds part, network.session_duration.nanos, is a 64-bit integer.
Type: String
network.session_id
Description: The ID of the network session.
Type: String
network.smtp.helo
Description: The client's 'HELO'/'EHLO' string.
Type: String
network.smtp.is_tls
Description: Whether the connection switched to TLS.
Type: Boolean
network.smtp.is_webmail
Description: Whether the message was sent via a webmail client.
Type: Boolean
network.smtp.mail_from
Description: The client's 'MAIL FROM' string.
Type: String
network.smtp.message_path
Description: The message's path (extracted from the headers).
Type: String
network.smtp.rcpt_to
Description: The client's 'RCPT TO' string(s).
Type: Array
network.smtp.server_response
Description: The server's response(s) to the client.
Type: Array
network.tls.cipher
Description: Cipher used during the connection.
Type: String
network.tls.client.certificate.issuer
Description: Issuer of the certificate.
Type: String
network.tls.client.certificate.md5
Description: The MD5 hash of the certificate.
Type: String
network.tls.client.certificate.not_after
Description: Indicates when the certificate is no longer valid.
Type: String
network.tls.client.certificate.not_before
Description: Indicates when the certificate is first valid.
Type: String
network.tls.client.certificate.serial
Description: Certificate serial number.
Type: String
network.tls.client.certificate.sha1
Description: The SHA1 hash of the certificate.
Type: String
network.tls.client.certificate.sha256
Description: The SHA256 hash of the certificate.
Type: String
network.tls.client.certificate.subject
Description: Subject of the certificate.
Type: String
network.tls.client.certificate.version
Description: Certificate version.
Type: String
network.tls.client.ja3
Description: JA3 hash from the client hello.
Type: String
network.tls.client.server_name
Description: Host name of the server that the client is connecting to.
Type: String
network.tls.client.supported_ciphers
Description: Ciphers offered by the client in the client hello.
Type: Array
network.tls.curve
Description: Elliptic curve used for a given cipher.
Type: String
network.tls.established
Description: Indicates whether the TLS negotiation was successful.
Type: Boolean
network.tls.next_protocol
Description: Protocol to be used for the tunnel.
Type: String
network.tls.resumed
Description: Indicates whether the TLS connection was resumed from a previous TLS negotiation.
Type: Boolean
network.tls.server.certificate.issuer
Description: Issuer of the certificate.
Type: String
network.tls.server.certificate.md5
Description: The MD5 hash of the certificate.
Type: String
network.tls.server.certificate.not_after
Description: Indicates when the certificate is no longer valid.
Type: String
network.tls.server.certificate.not_before
Description: Indicates when the certificate is first valid.
Type: String
network.tls.server.certificate.serial
Description: Certificate serial number.
Type: String
network.tls.server.certificate.sha1
Description: The SHA1 hash of the certificate.
Type: String
network.tls.server.certificate.sha256
Description: The SHA256 hash of the certificate.
Type: String
network.tls.server.certificate.subject
Description: Subject of the certificate.
Type: String
network.tls.server.certificate.version
Description: Certificate version.
Type: String
network.tls.server.ja3s
Description: JA3S hash from the server hello.
Type: String
network.tls.version
Description: TLS version.
Type: String
network.tls.version_protocol
Description: Protocol.
Type: String