GIM Category: network

The Network category is for events that describe communication between two systems. This includes individual connections (such as a logon over TCP), connectionless activity (such as ICMP requests and replies), and summarized flow records (such as NetFlow or IPFIX).

network connection

Network connection events represent communication between two systems using protocols that include both addressing and port information, such as TCP and UDP. These events typically capture source and destination addresses, source and destination ports, and the network transport protocol. They provide the foundation for analyzing session-oriented traffic, distinct from connectionless protocols such as ICMP or summarized records such as NetFlow and IPFIX.

Required Fields

  • destination_port
  • destination_reference
  • event_action
  • event_source
  • network_transport
  • source_port
  • source_reference
gim_event_type_code gim_event_class gim_event_category gim_event_subcategory gim_event_type description

120000

network

network.network connection

network connection

A generic network connection event between a source and destination system using a port-based protocol (such as TCP or UDP). This code is used when the log does not explicitly indicate initiation or termination, but provides enough information to represent an active connection.

routing

The routing subcategory is deprecated. Routing logs describe control-plane events such as route advertisements, peer status, or path changes. These logs are highly vendor-specific and are not typically used in SIEM content focused on security or investigation. They may be revisited in the future as part of a separate infrastructure monitoring model, but they are not part of the Network category scope.

Required Fields

  • destination_reference
  • source_reference
gim_event_type_code gim_event_class gim_event_category gim_event_subcategory gim_event_type description

120100

network

network.routing

network routing

A basic network routing message

open

Open events represent the initiation of a network connection between a source and a destination system. These events typically capture the initial attempt to establish communication, including source and destination addresses, ports, and the transport protocol (such as TCP or UDP). They are useful for identifying when communication was attempted, regardless of whether the session was later completed or closed.

Required Fields

  • destination_port
  • destination_reference
  • network_transport
  • source_port
  • source_reference
gim_event_type_code gim_event_class gim_event_category gim_event_subcategory gim_event_type description

120200

network

network.open

network connection initiated

The source system initiated a network connection to a destination system. This event represents the start of communication, such as the initial TCP SYN or first UDP packet. It indicates that a connection attempt was made, regardless of whether the session was later established or terminated.

close

Close events represent the termination of a network connection between a source and a destination system. These events apply to protocols that use ports, such as TCP and UDP, and typically indicate that a session has been gracefully closed (e.g., TCP FIN sequence) or otherwise ended. They are useful for correlating with connection initiation events to understand the full lifecycle of a session.

Required Fields

  • destination_reference
  • source_reference
gim_event_type_code gim_event_class gim_event_category gim_event_subcategory gim_event_type description

120300

network

network.close

network connection ended

The source and destination systems terminated a network connection. This event indicates the end of communication for protocols such as TCP or UDP, whether the session was closed gracefully, reset, or timed out. It provides a marker for the conclusion of a session and can be correlated with initiation events.

flow

Flow events represent summarized records of network traffic between a source and a destination. They are typically exported by devices such as routers, firewalls, or cloud platforms using formats like NetFlow, IPFIX, or sFlow. Unlike individual connection events, flow records aggregate data over a time window, reporting metrics such as byte and packet counts, start and end times, and transport protocol. Flow data is valuable for understanding traffic volume, detecting anomalies, and correlating activity across large-scale environments.

Required Fields

  • destination_port
  • destination_reference
  • network_bytes
  • network_packets
  • network_transport
  • source_port
  • source_reference
gim_event_type_code gim_event_class gim_event_category gim_event_subcategory gim_event_type description

120500

network

network.flow

flow record

A summarized record of network traffic exported by a device or service, typically using formats such as NetFlow, IPFIX, sFlow, or equivalent cloud-native logging. The record aggregates traffic between a source and destination over a time interval, including metrics such as byte and packet counts.

icmp_request

ICMP request events represent traffic where a source system sends an Internet Control Message Protocol (ICMP) request to a destination. The most common example is an ICMP echo request (commonly referred to as "ping"), but other request types may include timestamp requests, router solicitations, or address mask requests. These events are important for identifying connectivity checks, troubleshooting activity, or potential reconnaissance attempts. Unlike TCP or UDP, ICMP is a connectionless protocol and does not involve ports.

Required Fields

  • destination_reference
  • network_icmp_request_code_number
  • network_icmp_request_type_number
  • network_transport
  • source_reference

Recommended Fields

  • network_icmp_request_message
gim_event_type_code gim_event_class gim_event_category gim_event_subcategory gim_event_type description

120600

network

network.icmp_request

icmp_request

An Internet Control Message Protocol (ICMP) request sent from a source system to a destination. This may represent an echo request (ping) or another ICMP request type, such as timestamp or router solicitation.

icmp_reply

ICMP reply events represent responses sent by a destination system in answer to an ICMP request. The most common example is an ICMP echo reply (the response to a ping), but replies may also include other ICMP message types depending on the request. These events are important for confirming connectivity, measuring responsiveness, and identifying whether a target host or device is actively responding to probes.

Required Fields

  • destination_reference
  • network_icmp_reply_code_number
  • network_icmp_reply_type_number
  • network_transport
  • source_reference

Recommended Fields

  • network_icmp_reply_message
gim_event_type_code gim_event_class gim_event_category gim_event_subcategory gim_event_type description

120700

network

network.icmp_reply

icmp_reply

An Internet Control Message Protocol (ICMP) reply sent by a destination system in response to a request. The most common case is an echo reply, but this may also represent other ICMP reply types depending on the request received.

default

The default subcategory is used for network-related events that do not match a more specific subcategory (such as connection, flow, or ICMP). These events may represent vendor-specific messages or generic network activity that cannot be consistently normalized. The default category ensures that all network events can still be captured, even when they lack the detail needed for finer classification.

Required Fields

  • destination_reference
  • source_reference
gim_event_type_code gim_event_class gim_event_category gim_event_subcategory gim_event_type description

129999

network

network.default

network message

A generic network event message that does not map to a more specific subcategory or event type. This serves as a fallback to ensure that all network activity can be represented within the model.