4001 - Network Activity
OCSF Reference
CIM Data Models: All_Traffic
OCSF Version: 1.0.0
| CIM Field | Mapping |
|---|---|
| app | app_name |
| action | replace(lower(disposition), "\s", "_") |
| bytes_in | traffic.bytes_in |
| bytes_out | traffic.bytes_out |
| bytes | traffic.bytes |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_interface | dst_endpoint.interface_name |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |
| direction | case('connection_info.direction_id'==1,"inbound",'connection_info.direction_id'==2, "outbound",'connection_info.direction_id'==3, "lateral", 'connection_info.direction_id'==99, "other", true(), "") |
| duration | duration |
| dvc | device.name |
| dvc_ip | device.ip |
| packets | traffic.packets |
| packets_in | traffic.packets_in |
| packets_out | traffic.packets_out |
| process_id | actor.process.pid |
| protocol | connection_info.protocol_name |
| protocol_version | connection_info.protocol_ver |
| response_time | duration |
| session_id | connection_info.uid |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_mac | src_endpoint.mac |
| src_host | src_endpoint.hostname |
| tcp_flag | case('connection_info.tcp_flags'==1, "FIN", 'connection_info.tcp_flags'==2, "SYN", 'connection_info.tcp_flags'==4, "RST",'connection_info.tcp_flags'==8, "PSH",'connection_info.tcp_flags'==16, "ACK", 'connection_info.tcp_flags'==18, "SYN-ACK", 'connection_info.tcp_flags'==32, "URG") |
| transport | case('connection_info.protocol_num'==1,"icmp",'connection_info.protocol_num'==6,"tcp",'connection_info.protocol_num'==17,"udp",true(),"other") |
| user | actor.user.name |
| vendor_account | cloud.account_uid |
| vendor_product | metadata.product.name |
OCSF Version: 1.1.0
| CIM Field | Mapping |
|---|---|
| app | app_name |
| action | replace(lower(disposition), "\s", "_") |
| bytes_in | traffic.bytes_in |
| bytes_out | traffic.bytes_out |
| bytes | traffic.bytes |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_interface | dst_endpoint.interface_name |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |
| direction | case('connection_info.direction_id'==1,"inbound",'connection_info.direction_id'==2, "outbound",'connection_info.direction_id'==3, "lateral", 'connection_info.direction_id'==99, "other", true(), "") |
| duration | duration |
| dvc | device.name |
| dvc_ip | device.ip |
| packets | traffic.packets |
| packets_in | traffic.packets_in |
| packets_out | traffic.packets_out |
| process_id | actor.process.pid |
| protocol | connection_info.protocol_name |
| protocol_version | connection_info.protocol_ver |
| response_time | duration |
| session_id | connection_info.uid |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_mac | src_endpoint.mac |
| src_host | src_endpoint.hostname |
| tcp_flag | case('connection_info.tcp_flags'==1, "FIN", 'connection_info.tcp_flags'==2, "SYN", 'connection_info.tcp_flags'==4, "RST",'connection_info.tcp_flags'==8, "PSH",'connection_info.tcp_flags'==16, "ACK", 'connection_info.tcp_flags'==18, "SYN-ACK", 'connection_info.tcp_flags'==32, "URG") |
| transport | case('connection_info.protocol_num'==1,"icmp",'connection_info.protocol_num'==6,"tcp",'connection_info.protocol_num'==17,"udp",true(),"other") |
| user | actor.user.name |
| vendor_account | cloud.account_uid |
| vendor_product | metadata.product.name |
OCSF Version: 1.2.0
| CIM Field | Mapping |
|---|---|
| app | app_name |
| action | replace(lower(disposition), "\s", "_") |
| bytes_in | traffic.bytes_in |
| bytes_out | traffic.bytes_out |
| bytes | traffic.bytes |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_interface | dst_endpoint.interface_name |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |
| direction | case('connection_info.direction_id'==1,"inbound",'connection_info.direction_id'==2, "outbound",'connection_info.direction_id'==3, "lateral", 'connection_info.direction_id'==99, "other", true(), "") |
| duration | duration |
| dvc | device.name |
| dvc_ip | device.ip |
| packets | traffic.packets |
| packets_in | traffic.packets_in |
| packets_out | traffic.packets_out |
| process_id | actor.process.pid |
| protocol | connection_info.protocol_name |
| protocol_version | connection_info.protocol_ver |
| response_time | duration |
| session_id | connection_info.uid |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_mac | src_endpoint.mac |
| src_host | src_endpoint.hostname |
| tcp_flag | case('connection_info.tcp_flags'==1, "FIN", 'connection_info.tcp_flags'==2, "SYN", 'connection_info.tcp_flags'==4, "RST",'connection_info.tcp_flags'==8, "PSH",'connection_info.tcp_flags'==16, "ACK", 'connection_info.tcp_flags'==18, "SYN-ACK", 'connection_info.tcp_flags'==32, "URG") |
| transport | case('connection_info.protocol_num'==1,"icmp",'connection_info.protocol_num'==6,"tcp",'connection_info.protocol_num'==17,"udp",true(),"other") |
| user | actor.user.name |
| vendor_account | cloud.account_uid |
| vendor_product | metadata.product.name |
OCSF Version: 1.0.0*
| CIM Field | Mapping |
|---|---|
| app | app_name |
| action | replace(lower(disposition), "\s", "_") |
| bytes_in | traffic.bytes_in |
| bytes_out | traffic.bytes_out |
| bytes | traffic.bytes |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_interface | dst_endpoint.interface_name |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |
| direction | case('connection_info.direction_id'==1,"inbound",'connection_info.direction_id'==2, "outbound",'connection_info.direction_id'==3, "lateral", 'connection_info.direction_id'==99, "other", true(), "") |
| duration | duration |
| dvc | device.name |
| dvc_ip | device.ip |
| packets | traffic.packets |
| packets_in | traffic.packets_in |
| packets_out | traffic.packets_out |
| process_id | actor.process.pid |
| protocol | connection_info.protocol_name |
| protocol_version | connection_info.protocol_ver |
| response_time | duration |
| session_id | connection_info.uid |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_mac | src_endpoint.mac |
| src_host | src_endpoint.hostname |
| tcp_flag | case('connection_info.tcp_flags'==1, "FIN", 'connection_info.tcp_flags'==2, "SYN", 'connection_info.tcp_flags'==4, "RST",'connection_info.tcp_flags'==8, "PSH",'connection_info.tcp_flags'==16, "ACK", 'connection_info.tcp_flags'==18, "SYN-ACK", 'connection_info.tcp_flags'==32, "URG") |
| transport | case('connection_info.protocol_num'==1,"icmp",'connection_info.protocol_num'==6,"tcp",'connection_info.protocol_num'==17,"udp",true(),"other") |
| user | actor.user.name |
| vendor_account | cloud.account_uid |
| vendor_product | metadata.product.name |