4014 - Tunnel Activity
OCSF Reference
CIM Data Models: All_Sessions.VPN
OCSF Version: 1.0.0
| CIM Field | Mapping |
| --- | --- |
| app | app_name |
| action | case(activity_id==0,"unknown",activity_id==1,"open",activity_id==2,"close",activity_id==3,"renew",true(),"other") |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_dns | dst_endpoint.hostname |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |
| duration | duration |
| response_time | duration |
| signature_id | type_uid |
| signature | type_name |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_mac | src_endpoint.mac |
| src_host | src_endpoint.hostname |
| user | user.name |
| vendor_account | cloud.account_uid |
| vendor_product | metadata.product.name |
OCSF Version: 1.1.0
| CIM Field | Mapping |
| --- | --- |
| app | app_name |
| action | case(activity_id==0,"unknown",activity_id==1,"open",activity_id==2,"close",activity_id==3,"renew",true(),"other") |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_dns | dst_endpoint.hostname |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |
| duration | duration |
| response_time | duration |
| signature_id | type_uid |
| signature | type_name |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_mac | src_endpoint.mac |
| src_host | src_endpoint.hostname |
| user | user.name |
| vendor_account | cloud.account_uid |
| vendor_product | metadata.product.name |
OCSF Version: 1.2.0
| CIM Field | Mapping |
| --- | --- |
| app | app_name |
| action | case(activity_id==0,"unknown",activity_id==1,"open",activity_id==2,"close",activity_id==3,"renew",true(),"other") |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_dns | dst_endpoint.hostname |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |
| duration | duration |
| response_time | duration |
| signature_id | type_uid |
| signature | type_name |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_mac | src_endpoint.mac |
| src_host | src_endpoint.hostname |
| user | user.name |
| vendor_account | cloud.account_uid |
| vendor_product | metadata.product.name |
OCSF Version: 1.0.0*
| CIM Field | Mapping |
| --- | --- |
| app | app_name |
| action | case(activity_id==0,"unknown",activity_id==1,"open",activity_id==2,"close",activity_id==3,"renew",true(),"other") |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_dns | dst_endpoint.hostname |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |
| duration | duration |
| response_time | duration |
| signature_id | type_uid |
| signature | type_name |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_mac | src_endpoint.mac |
| src_host | src_endpoint.hostname |
| user | user.name |
| vendor_account | cloud.account_uid |
| vendor_product | metadata.product.name |