Network Connection Information

network_connection_info

The Network Connection Information object describes characteristics of a network connection. Defined by D3FEND d3f:NetworkSession.

Contents

Attributes

Caption Name Type Is Array Default Description
Boundary boundary String The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source.

For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.

Boundary ID boundary_id Integer

The normalized identifier of the boundary of the connection.

For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.

0
Unknown
1
Localhost
2
Internal
3
External
4
Same VPC
5
Internet/VPC Gateway
6
Virtual Private Gateway
7
Intra-region VPC
8
Inter-region VPC
9
Local Gateway
10
Gateway VPC
11
Internet Gateway
99
Other
Direction direction String The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source.
Direction ID direction_id Integer The normalized identifier of the direction of the initiated connection, traffic, or email.
0
Unknown
1
Inbound
2
Outbound
3
Lateral
99
Other
Protocol Name protocol_name String The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp or udp.
Protocol Number protocol_num Integer The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See Protocol Numbers. For example: 6 for TCP and 17 for UDP.
IP Version protocol_ver String The Internet Protocol version.
IP Version ID protocol_ver_id Integer The Internet Protocol version identifier.
0
Unknown
4
Internet Protocol version 4 (IPv4)
6
Internet Protocol version 6 (IPv6)
99
Other
Raw Data raw_data JSON The event data as received from the event source.
Record ID record_id String Unique identifier for the object
Session session Session The authenticated user or service session.
TCP Flags tcp_flags Integer The network connection TCP header flags (i.e., control bits).
Connection UID uid String The unique identifier of the connection.
Unmapped Data unmapped Unmapped The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.

Context

Network Connection Information

JSON

            
{
  "caption": "Network Connection Information",
  "description": "The Network Connection Information object describes characteristics of a network connection. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:NetworkSession/'>d3f:NetworkSession</a>.",
  "extends": "object",
  "name": "network_connection_info",
  "attributes": {
    "boundary": {
      "caption": "Boundary",
      "description": "The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source. <p> For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.</p>",
      "type": "string_t"
    },
    "boundary_id": {
      "caption": "Boundary ID",
      "description": "<p>The normalized identifier of the boundary of the connection. </p><p> For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.</p>",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The boundary is not mapped. See the <code>boundary</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The connection boundary is unknown."
        },
        "1": {
          "caption": "Localhost",
          "description": "Local network traffic on the same endpoint."
        },
        "10": {
          "caption": "Gateway VPC",
          "description": "Through a gateway VPC endpoint (Nitro-based instances only)"
        },
        "11": {
          "caption": "Internet Gateway",
          "description": "Through an Internet gateway (Nitro-based instances only)"
        },
        "2": {
          "caption": "Internal",
          "description": "Internal network traffic between two endpoints inside network."
        },
        "3": {
          "caption": "External",
          "description": "External network traffic between two endpoints on the Internet or outside the network."
        },
        "4": {
          "caption": "Same VPC",
          "description": "Through another resource in the same VPC"
        },
        "5": {
          "caption": "Internet/VPC Gateway",
          "description": "Through an Internet gateway or a gateway VPC endpoint"
        },
        "6": {
          "caption": "Virtual Private Gateway",
          "description": "Through a virtual private gateway"
        },
        "7": {
          "caption": "Intra-region VPC",
          "description": "Through an intra-region VPC peering connection"
        },
        "8": {
          "caption": "Inter-region VPC",
          "description": "Through an inter-region VPC peering connection"
        },
        "9": {
          "caption": "Local Gateway",
          "description": "Through a local gateway"
        }
      },
      "sibling": "boundary",
      "type": "integer_t"
    },
    "direction": {
      "requirement": "optional",
      "caption": "Direction",
      "description": "The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "direction_id": {
      "requirement": "required",
      "caption": "Direction ID",
      "description": "The normalized identifier of the direction of the initiated connection, traffic, or email.",
      "enum": {
        "0": {
          "description": "Connection direction is unknown.",
          "caption": "Unknown"
        },
        "1": {
          "description": "Inbound network connection. The connection was originated from the Internet or outside network, destined for services on the inside network.",
          "caption": "Inbound"
        },
        "2": {
          "description": "Outbound network connection. The connection was originated from inside the network, destined for services on the Internet or outside network.",
          "caption": "Outbound"
        },
        "3": {
          "description": "Lateral network connection. The connection was originated from inside the network, destined for services on the inside network.",
          "caption": "Lateral"
        },
        "99": {
          "caption": "Other",
          "description": "The direction is not mapped. See the <code>direction</code> attribute, which contains a data source specific value."
        }
      },
      "sibling": "direction",
      "type": "integer_t"
    },
    "protocol_name": {
      "caption": "Protocol Name",
      "description": "The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See <a target='_blank' href='https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml'>Protocol Numbers</a>. For example: <code>tcp</code> or <code>udp</code>.",
      "type": "string_t"
    },
    "protocol_num": {
      "requirement": "recommended",
      "caption": "Protocol Number",
      "description": "The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See <a target='_blank' href='https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml'>Protocol Numbers</a>. For example: <code>6</code> for TCP and <code>17</code> for UDP.",
      "type": "integer_t"
    },
    "protocol_ver": {
      "caption": "IP Version",
      "description": "The Internet Protocol version.",
      "type": "string_t"
    },
    "protocol_ver_id": {
      "caption": "IP Version ID",
      "description": "The Internet Protocol version identifier.",
      "enum": {
        "0": {
          "caption": "Unknown"
        },
        "4": {
          "caption": "Internet Protocol version 4 (IPv4)"
        },
        "6": {
          "caption": "Internet Protocol version 6 (IPv6)"
        },
        "99": {
          "caption": "Other"
        }
      },
      "sibling": "protocol_ver",
      "type": "integer_t"
    },
    "session": {
      "requirement": "optional",
      "caption": "Session",
      "description": "The authenticated user or service session.",
      "type": "session"
    },
    "tcp_flags": {
      "caption": "TCP Flags",
      "description": "The network connection TCP header flags (i.e., control bits).",
      "type": "integer_t"
    },
    "uid": {
      "caption": "Connection UID",
      "description": "The unique identifier of the connection.",
      "type": "string_t"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    }
  }
}