Destination Fields
Overview
The destination fields describe the target system, device, or endpoint involved in a network transaction, system interaction, or event correlation. These fields represent the entity that receives, hosts, or processes the action initiated by a source within telemetry data.
Design and Usage
destination represents the endpoint context of an event and is used to capture identifying, network, and system-level attributes of the target environment. It provides a normalized view of where data, connections, or operations are directed — whether to a physical host, virtual machine, cloud service, or logical network zone. These fields are typically modeled symmetrically with the source entity to describe bidirectional communication or relational event structures.
Common Use Cases
- Identifying the target host, application, or service involved in a network or system event.
- Associating traffic or actions with specific regions, zones, or virtual systems.
- Analyzing directional flow in network telemetry (for example, from source to destination).
- Correlating activity across multi-tenant or segmented environments by destination IP, hostname, or virtual context.
Implementation Notes
As a top-level entity, destination defines a coherent object representing the receiving endpoint of a communication or operation. It should be modeled independently of vendor-specific naming conventions and supports hierarchical mappings, including NAT, virtual system, and region metadata. destination fields commonly appear in conjunction with source to provide complete directional context for events within normalized telemetry schemas. If a source is implied but not explicitly defined, corresponding source fields should be included to clarify event semantics and ensure consistent bidirectional modeling.
| field | field_type | description | example_values |
|---|---|---|---|
| destination_application_name | keyword | Name of the application that is the target of the action defined in an event. | facebook, twitter |
| destination_bytes_sent | long | Network bytes sent by destination to the source. Some sources may present this as source bytes received, bytes received, or similar. | 204235 |
| destination_device_model | keyword | Name of device model. | iPad |
| destination_device_vendor | keyword | Device vendor name. | Apple, ASUS |
| destination_domain | keyword/lowercase | Destination authentication domain context. | corp.local |
| destination_hostname | keyword/lowercase | Hostname of the destination device/system. | corpdc01, vplaptop10 |
| destination_ip | ip | IPv4 or IPv6 address of the destination device. | 10.1.2.3, fe80:5cc3:11:4::2c |
| destination_nat_ip | ip | Translated IP address assigned by a network device performing the NAT function. | 10.1.2.3, fe80:5cc3:11:4::2c |
| destination_nat_port | integer | Translated network port assigned by a network device performing the NAT function. | 80, 443, 3389 |
| destination_os_name | keyword | Operating system type name of the destination device. | IOS, Android |
| destination_os_version | keyword | Operating system version number of the destination device. | 10.0, 22.04 |
| destination_packets_sent | long | Number of packets delivered to the destination endpoint from the source endpoint. | 230929 |
| destination_port_iana_name | keyword | The IANA-registered service name associated with the network application. Illuminate Core will use this value to define destination_port in events that have destination_ip defined, if destination_port is not already defined | ssh, ftp |
| destination_region | keyword | Name of region source device is located in | us-east-1 |
| destination_id | keyword | Identifying value for the destination such as a serial number | 09VX93DD |
| destination_type | keyword | Destination device information such as model number | |
| destination_vm_name | keyword | Virtual system name (not to be confused with the hostname) | vsys01 |
| destination_vsys_uuid | keyword | Destination virtual system UUID | 1f5398c7-4d84-4499-84ee-d5e9246c52f8 |
| destination_zone | keyword | Network zone for the destination | internal |
| destination_category | keyword | The category assigned to the destination device. | |
| destination_location_name | keyword | Field is derived either from an internal enterprise network definition or the Geo location fields if available. | Chicago, US, Datacenter 01, Bismark - Finance |
| destination_mac | keyword | MAC address of the destination device. | a0:b4:44:01:a9:d1 |
| destination_priority | keyword | Text value representing the priority of the destination device. This will be added to all messages processed by Illuminate Core if destination_priority_level is defined and this value does not exist. | critical, high, medium, low, informational |
| destination_priority_level | byte | Numeric value representing the priority of the destination device, 1 = informational, 2 = low, 3 = medium, 4 = high, 5 = critical. This will be added to all messages processed by Illuminate Core if destination_priority is defined and this value does not exist. | 4 |
| destination_reference | keyword/lowercase | This value is usually mapped by Illuminate Core from the following fields: destination_ip, destination_hostname, destination_target, destination_vm_name, destination_mac. | IPv4, IPv6, corpdc01, corpdc01.east.local |
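
The derivation rules in the table (priority pairing, port from IANA name, lowercase fields, destination_reference) can be sketched as a normalization step. This is an added example, not Illuminate Core's code; the function name, the `normalization_errors` field, the IANA subset, and the first-populated-field precedence for destination_reference are assumptions.

```python
import ipaddress

# Priority mapping as stated in the table: 1 = informational ... 5 = critical.
PRIORITY_BY_LEVEL = {1: "informational", 2: "low", 3: "medium", 4: "high", 5: "critical"}
LEVEL_BY_PRIORITY = {name: level for level, name in PRIORITY_BY_LEVEL.items()}
# Small subset of IANA service names and their registered ports.
IANA_PORTS = {"ssh": 22, "ftp": 21, "http": 80, "https": 443}
IP_FIELDS = ("destination_ip", "destination_nat_ip")
LOWERCASE_FIELDS = ("destination_domain", "destination_hostname", "destination_reference")
# Assumption: the first populated field wins, in the order the table lists them.
REFERENCE_SOURCES = ("destination_ip", "destination_hostname", "destination_target",
                     "destination_vm_name", "destination_mac")
# Constructed sample event, not taken from any real log source.
SAMPLE_EVENT = {"destination_ip": "10.1.2.3", "destination_hostname": "CorpDC01",
                "destination_port_iana_name": "ssh", "destination_priority_level": 4}


def normalize_destination(event):
    """Return a copy of event with derived destination_* fields filled in."""
    out = dict(event)
    # ip-typed fields must parse; drop bad values and record them in the
    # hypothetical normalization_errors field rather than indexing them.
    for field in IP_FIELDS:
        if field in out:
            try:
                out[field] = str(ipaddress.ip_address(out[field]))
            except ValueError:
                out.setdefault("normalization_errors", []).append(field)
                del out[field]
    # priority <-> priority_level: add whichever half of the pair is missing.
    level, name = out.get("destination_priority_level"), out.get("destination_priority")
    if level in PRIORITY_BY_LEVEL and name is None:
        out["destination_priority"] = PRIORITY_BY_LEVEL[level]
    elif level is None and str(name).lower() in LEVEL_BY_PRIORITY:
        out["destination_priority_level"] = LEVEL_BY_PRIORITY[str(name).lower()]
    # Derive destination_port from the IANA name only when destination_ip is
    # defined and destination_port is not already defined.
    port = IANA_PORTS.get(str(out.get("destination_port_iana_name", "")).lower())
    if port is not None and "destination_ip" in out and "destination_port" not in out:
        out["destination_port"] = port
    # Fill destination_reference from the listed fields without overwriting it.
    ref = next((str(out[f]) for f in REFERENCE_SOURCES if out.get(f)), None)
    if ref is not None:
        out.setdefault("destination_reference", ref)
    for field in LOWERCASE_FIELDS:
        if isinstance(out.get(field), str):
            out[field] = out[field].lower()
    return out
```

Because IP validation runs first, an event whose destination_ip fails to parse gets no derived destination_port and falls back to the hostname for destination_reference.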
