Network Fields
Overview
The network fields describe properties of network connections, flows, and packet exchanges as represented in normalized telemetry. They capture attributes such as traffic direction, protocol details, transferred byte counts, and identifiers used to correlate activity across sources. This entity provides a unified conceptual model for interpreting diverse network data from sensors, appliances, and endpoint instrumentation.
Design and Usage
The network entity represents a logical network flow or connection and supports consistent normalization across heterogeneous vendor formats. It abstracts connection-level properties, including transport protocol, packet counts, header and payload characteristics, and connection identifiers. As a top-level entity, network should be modeled independently of host or process entities while still allowing correlation when those entities appear within the same telemetry.
Common Use Cases
- Analyzing network flow patterns for anomaly detection, threat analysis, and capacity monitoring.
- Associating traffic with higher-level application behaviors, tunnel types, or protocol semantics.
- Correlating connection identifiers and directionality with security alerts and endpoint activity.
- Reviewing packet and byte distributions to understand flow behavior or investigate suspected exfiltration.
Implementation Notes
As a top-level entity, network defines a standalone representation of a network flow or packet exchange. It should support mappings to related entities such as endpoint, process, or tunnel where applicable and maintain relational integrity across normalized telemetry. If a related entity is implied but not explicitly provided, corresponding fields should be included to clarify event semantics and maintain consistent connection modeling.
| field | field_type | description | example_values |
|---|---|---|---|
| network_application | keyword/lowercase | Identifies the application-layer service or platform associated with the network activity. | facebook, instagram |
| network_bytes | long | Total number of bytes transferred during the network connection. | 71238 |
| network_community_id | keyword | Hash value representing a normalized identifier for the network flow. | 1:Q9We8WO3piVF8yEQBNJF4uiSVrI= |
| network_connection_duration | keyword | Length of time the network connection was established. | 0:23:45 |
| network_connection_uid | keyword | Unique identifier assigned to the observed network connection. | CMdzit1AMNsmfAIiQc |
| network_data_bytes | long | Total number of bytes contained in the data payload of the connection. | 71238 |
| network_direction | keyword | Indicates the direction of the observed network flow. | inbound, outbound, lateral |
| network_forwarded_ip | ip | IP address recorded as part of forwarding or proxy traversal. | 10.1.2.3, fe80:5cc3:11:4::2c |
| network_header_bytes | long | Total number of bytes associated with packet header information. | 71238 |
| network_iana_number | integer | Numeric protocol identifier assigned by IANA in the IANA protocol numbers registry. | 6, 17, 41 |
| network_icmp_type | keyword | ICMP message type associated with the observed traffic, as defined in the IANA ICMP parameters registry. | echo, time exceeded |
| network_inner | keyword | Indicates protocol or encapsulation information for inner traffic within a tunneled connection. | |
| network_interface_in | keyword/lowercase | Name of the interface that received the network traffic. | gi0/1 |
| network_interface_out | keyword/lowercase | Name of the interface that transmitted the network traffic. | gi0/1 |
| network_ip_version | keyword | Indicates whether the connection used IPv4 or IPv6. | 4, 6 |
| network_name | keyword | Label or identifier assigned to the network flow, if provided by the source. | |
| network_packets | long | Total number of packets transferred during the network connection. | 71238 |
| network_protocol | keyword/lowercase | Network-layer protocol associated with the observed traffic. | ipv4, ipv6, icmp |
| network_transport | keyword/lowercase | Transport-layer protocol used by the network connection. | udp, tcp |
| network_tunnel_type | keyword/lowercase | Type of tunneling protocol associated with the network traffic. | gre, ipsec |
| network_tunnel_duration | long | Duration of an established tunnel, measured in seconds. | 2093847 |
| network_type | keyword | This field is deprecated and will be removed in a future version of the schema. | |
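The following is an added example, not code from the schema page or its maintainers. It shows how a normalization step would populate the network_* fields above from a constructed vendor-style flow record (Zeek conn.log-like keys), derive network_direction from address ranges, compute the Community ID v1 flow hash that network_community_id expects, and run the cross-field consistency checks a pipeline would apply before indexing. The internal address ranges, the "unknown" direction value for flows with no internal endpoint, and the sample record are all assumptions made for this example; the uid and byte total are reused from the table's example values.

```python
"""Added example, not part of the schema page: normalize a constructed flow
record into network_* fields, compute Community ID v1, and validate."""
import base64
import datetime
import hashlib
import ipaddress
import struct

# Transport name -> IANA protocol number (network_iana_number).
IANA_PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "ipv6": 41,
                         "gre": 47, "esp": 50, "icmp6": 58, "sctp": 132}

# Assumption: these ranges count as "internal" when deriving network_direction.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def derive_direction(src_ip, dst_ip):
    """inbound/outbound/lateral as in the schema's examples; 'unknown' is an
    assumption for flows with neither endpoint in an internal range."""
    src_in, dst_in = is_internal(src_ip), is_internal(dst_ip)
    if src_in and dst_in:
        return "lateral"
    if src_in:
        return "outbound"
    if dst_in:
        return "inbound"
    return "unknown"


def community_id_v1(src_ip, dst_ip, proto, src_port=None, dst_port=None, seed=0):
    """Community ID v1: '1:' + base64(sha1(seed|saddr|daddr|proto|0|sport|dport)).
    Endpoints are ordered first, so both directions of a flow hash identically."""
    saddr = ipaddress.ip_address(src_ip).packed
    daddr = ipaddress.ip_address(dst_ip).packed
    sport, dport = src_port or 0, dst_port or 0
    if (saddr, sport) > (daddr, dport):
        saddr, daddr, sport, dport = daddr, saddr, dport, sport
    h = hashlib.sha1()
    h.update(struct.pack("!H", seed))
    h.update(saddr + daddr)
    h.update(struct.pack("!BB", proto, 0))       # protocol number + 1 byte padding
    if src_port is not None and dst_port is not None:
        h.update(struct.pack("!HH", sport, dport))
    return "1:" + base64.b64encode(h.digest()).decode("ascii")


def looks_like_community_id(value):
    """True for '1:' followed by a base64-encoded 20-byte SHA-1 digest."""
    if not value.startswith("1:"):
        return False
    try:
        return len(base64.b64decode(value[2:], validate=True)) == 20
    except ValueError:
        return False


def normalize_flow(record):
    """Map a constructed vendor-style flow record onto the network_* fields."""
    transport = record["proto"].lower()
    src = ipaddress.ip_address(record["src_ip"])
    has_ports = transport in ("tcp", "udp", "sctp")
    sport = record.get("src_port") if has_ports else None
    dport = record.get("dst_port") if has_ports else None
    proto_number = IANA_PROTOCOL_NUMBERS[transport]
    fields = {
        "network_connection_uid": record["uid"],
        "network_transport": transport,
        "network_iana_number": proto_number,
        "network_ip_version": str(src.version),
        # ICMP is reported as the network-layer protocol, as in the table's examples.
        "network_protocol": transport if transport.startswith("icmp") else f"ipv{src.version}",
        "network_direction": derive_direction(record["src_ip"], record["dst_ip"]),
        "network_bytes": record["orig_bytes"] + record["resp_bytes"],
        "network_packets": record["orig_pkts"] + record["resp_pkts"],
        # timedelta renders whole seconds as H:MM:SS, matching the "0:23:45" example.
        "network_connection_duration": str(datetime.timedelta(seconds=int(record["duration"]))),
        "network_community_id": community_id_v1(record["src_ip"], record["dst_ip"],
                                                proto_number, sport, dport),
    }
    if record.get("service"):
        fields["network_application"] = record["service"].lower()
    return fields


def validate_network_fields(fields):
    """Cross-field consistency checks; returns a list of problems (empty if clean)."""
    problems = []
    transport, iana = fields.get("network_transport"), fields.get("network_iana_number")
    if transport in IANA_PROTOCOL_NUMBERS and IANA_PROTOCOL_NUMBERS[transport] != iana:
        problems.append(f"network_iana_number {iana} does not match network_transport {transport}")
    if fields.get("network_ip_version") not in ("4", "6"):
        problems.append("network_ip_version must be '4' or '6'")
    header, data, total = (fields.get(k) for k in
                           ("network_header_bytes", "network_data_bytes", "network_bytes"))
    if None not in (header, data, total) and header + data != total:
        problems.append("network_bytes must equal network_header_bytes + network_data_bytes")
    if "network_community_id" in fields and not looks_like_community_id(fields["network_community_id"]):
        problems.append("network_community_id is not a Community ID v1 value")
    return problems


# Constructed sample record (documentation address ranges, 71238 bytes as in the table).
SAMPLE_RECORD = {
    "uid": "CMdzit1AMNsmfAIiQc", "proto": "tcp", "service": "facebook",
    "src_ip": "10.1.2.3", "src_port": 51234, "dst_ip": "203.0.113.10", "dst_port": 443,
    "duration": 1425, "orig_bytes": 40000, "resp_bytes": 31238, "orig_pkts": 60, "resp_pkts": 80,
}

if __name__ == "__main__":
    normalized = normalize_flow(SAMPLE_RECORD)
    for key, value in normalized.items():
        print(f"{key}: {value}")
    print("problems:", validate_network_fields(normalized))
```

The Community ID computation follows the published v1 layout with the default seed of 0; because the endpoint ordering is canonical, the same value is produced whether the sensor logged the flow from the client's or the server's side, which is what makes the field usable for correlating a flow across sensors. The validator is where a pipeline would reject records whose network_iana_number and network_transport disagree or whose byte counts do not add up.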
