# 4002 - HTTP Activity

CIM Data Models: Web

Note (review): OCSF derives `type_uid` as `class_uid * 100 + activity_id`, so events of class 4002 carry `type_uid` values in the 4002xx range; the `type_uid==400103` branch of the `action` mapping below should be checked against the activity it is meant to flag as "blocked", as it appears not to match any 4002 event.

## OCSF Version: 1.0.0
| CIM Field | Mapping |
|---|---|
| action | case(status_id==1, "allowed", type_uid==400103, "blocked", status_id==0, "unknown", status_id==-1, "other", true(), "error") |
| app | metadata.product |
| bytes | traffic.bytes |
| bytes_in | traffic.bytes_in |
| bytes_out | ('traffic.bytes'-'traffic.bytes_in') |
| category | http |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_host | src_endpoint.hostname |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |
| duration | duration |
| http_content_type | http_response.content_type |
| http_method | http_request.http_method |
| http_referrer | http_request.referrer |
| http_user_agent | http_request.user_agent |
| http_user_agent_length | len('http_request.user_agent') |
| response_time | duration |
| status | http_response.code |
| uri_path | http_request.url.path |
| uri_query | http_request.url.query_string |
| url | http_request.url.text |
| url_domain | http_request.hostname |
| url_length | len('http_request.url.text') |
| user | actor.user |
| vendor_product | metadata.product.name |
## OCSF Version: 1.1.0
| CIM Field | Mapping |
|---|---|
| action | case(status_id==1, "allowed", type_uid==400103, "blocked", status_id==0, "unknown", status_id==-1, "other", true(), "error") |
| app | metadata.product |
| bytes | traffic.bytes |
| bytes_in | traffic.bytes_in |
| bytes_out | ('traffic.bytes'-'traffic.bytes_in') |
| category | http |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_host | src_endpoint.hostname |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |
| duration | duration |
| http_content_type | http_response.content_type |
| http_method | http_request.http_method |
| http_referrer | http_request.referrer |
| http_user_agent | http_request.user_agent |
| http_user_agent_length | len('http_request.user_agent') |
| response_time | duration |
| status | http_response.code |
| uri_path | http_request.url.path |
| uri_query | http_request.url.query_string |
| url | http_request.url.text |
| url_domain | http_request.hostname |
| url_length | len('http_request.url.text') |
| user | actor.user |
| vendor_product | metadata.product.name |
## OCSF Version: 1.2.0
| CIM Field | Mapping |
|---|---|
| action | case(status_id==1, "allowed", type_uid==400103, "blocked", status_id==0, "unknown", status_id==-1, "other", true(), "error") |
| app | metadata.product |
| bytes | traffic.bytes |
| bytes_in | traffic.bytes_in |
| bytes_out | ('traffic.bytes'-'traffic.bytes_in') |
| category | http |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_host | src_endpoint.hostname |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |
| duration | duration |
| http_content_type | http_response.content_type |
| http_method | http_request.http_method |
| http_referrer | http_request.referrer |
| http_user_agent | http_request.user_agent |
| http_user_agent_length | len('http_request.user_agent') |
| response_time | duration |
| status | http_response.code |
| uri_path | http_request.url.path |
| uri_query | http_request.url.query_string |
| url | http_request.url.text |
| url_domain | http_request.hostname |
| url_length | len('http_request.url.text') |
| user | actor.user |
| vendor_product | metadata.product.name |
## OCSF Version: 1.0.0*
| CIM Field | Mapping |
|---|---|
| action | case(status_id==1, "allowed", type_uid==400103, "blocked", status_id==0, "unknown", status_id==-1, "other", true(), "error") |
| app | metadata.product |
| bytes | traffic.bytes |
| bytes_in | traffic.bytes_in |
| bytes_out | ('traffic.bytes'-'traffic.bytes_in') |
| category | http |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_host | src_endpoint.hostname |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |
| duration | duration |
| http_content_type | http_response.content_type |
| http_method | http_request.http_method |
| http_referrer | http_request.referrer |
| http_user_agent | http_request.user_agent |
| http_user_agent_length | len('http_request.user_agent') |
| response_time | duration |
| status | http_response.code |
| uri_path | http_request.url.path |
| uri_query | http_request.url.query_string |
| url | http_request.url.text |
| url_domain | http_request.hostname |
| url_length | len('http_request.url.text') |
| user | actor.user |
| vendor_product | metadata.product.name |