Network Connection Information

network_connection_info

The Network Connection Information object describes characteristics of a network connection. Defined by D3FEND d3f:NetworkSession.

Attributes

| Caption | Name | Type | Is Array | Default | Description |
|---|---|---|---|---|---|
| Boundary | boundary | String | | | The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source. For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. |
| Boundary ID | boundary_id | Integer | | | The normalized identifier of the boundary of the connection. For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. Values: 0: Unknown; 1: Localhost; 2: Internal; 3: External; 4: Same VPC; 5: Internet/VPC Gateway; 6: Virtual Private Gateway; 7: Intra-region VPC; 8: Inter-region VPC; 9: Local Gateway; 10: Gateway VPC; 11: Internet Gateway; 99: Other. |
| Direction | direction | String | | | The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source. |
| Direction ID | direction_id | Integer | | | The normalized identifier of the direction of the initiated connection, traffic, or email. Values: 0: Unknown; 1: Inbound; 2: Outbound; 3: Lateral; 99: Other. |
| Protocol Name | protocol_name | String | | | The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp or udp. |
| Protocol Number | protocol_num | Integer | | | The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See Protocol Numbers. For example: 6 for TCP and 17 for UDP. |
| IP Version | protocol_ver | String | | | The Internet Protocol version. |
| IP Version ID | protocol_ver_id | Integer | | | The Internet Protocol version identifier. Values: 0: Unknown; 4: Internet Protocol version 4 (IPv4); 6: Internet Protocol version 6 (IPv6); 99: Other. |
| Raw Data | raw_data | JSON | | | The event data as received from the event source. |
| Record ID | record_id | String | | | Unique identifier for the object |
| Session | session | Session | | | The authenticated user or service session. |
| TCP Flags | tcp_flags | Integer | | | The network connection TCP header flags (i.e., control bits). |
| Connection UID | uid | String | | | The unique identifier of the connection. |
| Unmapped Data | unmapped | Unmapped | | | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |

JSON

            
{
  "caption": "Network Connection Information",
  "description": "The Network Connection Information object describes characteristics of a network connection. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:NetworkSession/'>d3f:NetworkSession</a>.",
  "extends": "object",
  "name": "network_connection_info",
  "attributes": {
    "boundary": {
      "requirement": "optional",
      "caption": "Boundary",
      "description": "The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source. <p> For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.</p>",
      "type": "string_t"
    },
    "boundary_id": {
      "requirement": "recommended",
      "caption": "Boundary ID",
      "description": "<p>The normalized identifier of the boundary of the connection. </p><p> For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.</p>",
      "sibling": "boundary",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The connection boundary is unknown."
        },
        "1": {
          "caption": "Localhost",
          "description": "Local network traffic on the same endpoint."
        },
        "2": {
          "caption": "Internal",
          "description": "Internal network traffic between two endpoints inside network."
        },
        "3": {
          "caption": "External",
          "description": "External network traffic between two endpoints on the Internet or outside the network."
        },
        "4": {
          "caption": "Same VPC",
          "description": "Through another resource in the same VPC"
        },
        "5": {
          "caption": "Internet/VPC Gateway",
          "description": "Through an Internet gateway or a gateway VPC endpoint"
        },
        "6": {
          "caption": "Virtual Private Gateway",
          "description": "Through a virtual private gateway"
        },
        "7": {
          "caption": "Intra-region VPC",
          "description": "Through an intra-region VPC peering connection"
        },
        "8": {
          "caption": "Inter-region VPC",
          "description": "Through an inter-region VPC peering connection"
        },
        "9": {
          "caption": "Local Gateway",
          "description": "Through a local gateway"
        },
        "10": {
          "caption": "Gateway VPC",
          "description": "Through a gateway VPC endpoint (Nitro-based instances only)"
        },
        "11": {
          "caption": "Internet Gateway",
          "description": "Through an Internet gateway (Nitro-based instances only)"
        },
        "99": {
          "caption": "Other",
          "description": "The boundary is not mapped. See the <code>boundary</code> attribute, which contains a data source specific value."
        }
      }
    },
    "direction": {
      "requirement": "optional",
      "caption": "Direction",
      "description": "The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "direction_id": {
      "requirement": "required",
      "caption": "Direction ID",
      "description": "The normalized identifier of the direction of the initiated connection, traffic, or email.",
      "sibling": "direction",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "Connection direction is unknown."
        },
        "1": {
          "caption": "Inbound",
          "description": "Inbound network connection. The connection was originated from the Internet or outside network, destined for services on the inside network."
        },
        "2": {
          "caption": "Outbound",
          "description": "Outbound network connection. The connection was originated from inside the network, destined for services on the Internet or outside network."
        },
        "3": {
          "caption": "Lateral",
          "description": "Lateral network connection. The connection was originated from inside the network, destined for services on the inside network."
        },
        "99": {
          "caption": "Other",
          "description": "The direction is not mapped. See the <code>direction</code> attribute, which contains a data source specific value."
        }
      }
    },
    "protocol_name": {
      "requirement": "recommended",
      "caption": "Protocol Name",
      "description": "The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See <a target='_blank' href='https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml'>Protocol Numbers</a>. For example: <code>tcp</code> or <code>udp</code>.",
      "type": "string_t"
    },
    "protocol_num": {
      "requirement": "recommended",
      "caption": "Protocol Number",
      "description": "The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See <a target='_blank' href='https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml'>Protocol Numbers</a>. For example: <code>6</code> for TCP and <code>17</code> for UDP.",
      "type": "integer_t"
    },
    "protocol_ver": {
      "caption": "IP Version",
      "description": "The Internet Protocol version.",
      "requirement": "optional",
      "type": "string_t"
    },
    "protocol_ver_id": {
      "caption": "IP Version ID",
      "description": "The Internet Protocol version identifier.",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The protocol version is unknown."
        },
        "4": {
          "caption": "Internet Protocol version 4 (IPv4)"
        },
        "6": {
          "caption": "Internet Protocol version 6 (IPv6)"
        },
        "99": {
          "caption": "Other",
          "description": "The protocol version is not mapped. See the <code>protocol_ver</code> attribute, which contains a data source specific value."
        }
      },
      "requirement": "recommended",
      "sibling": "protocol_ver",
      "type": "integer_t"
    },
    "session": {
      "requirement": "optional",
      "caption": "Session",
      "description": "The authenticated user or service session.",
      "type": "session"
    },
    "tcp_flags": {
      "requirement": "optional",
      "caption": "TCP Flags",
      "description": "The network connection TCP header flags (i.e., control bits).",
      "type": "integer_t"
    },
    "uid": {
      "caption": "Connection UID",
      "description": "The unique identifier of the connection.",
      "requirement": "recommended",
      "type": "string_t"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    }
  }
}
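
The following is an added example, not code from the schema project: a Python check that applies this object's rules (required attributes, the three `*_id` enums and their sibling captions, lowercase `protocol_name`) to a record before it enters a detection pipeline. The `IANA` subset, the TCP-only sanity check on `tcp_flags`, the function names and the sample record are assumptions made for illustration.

```python
# Added example: check a network_connection_info object against this page's schema.
BOUNDARY = {0: "Unknown", 1: "Localhost", 2: "Internal", 3: "External", 4: "Same VPC",
            5: "Internet/VPC Gateway", 6: "Virtual Private Gateway", 7: "Intra-region VPC",
            8: "Inter-region VPC", 9: "Local Gateway", 10: "Gateway VPC",
            11: "Internet Gateway", 99: "Other"}
DIRECTION = {0: "Unknown", 1: "Inbound", 2: "Outbound", 3: "Lateral", 99: "Other"}
IP_VERSION = {0: "Unknown", 4: "Internet Protocol version 4 (IPv4)",
              6: "Internet Protocol version 6 (IPv6)", 99: "Other"}
SIBLINGS = {"boundary_id": ("boundary", BOUNDARY), "direction_id": ("direction", DIRECTION),
            "protocol_ver_id": ("protocol_ver", IP_VERSION)}
REQUIRED = ("direction_id", "record_id")
# Assumption: a small subset of the IANA protocol numbers, enough for the sample.
IANA = {1: "icmp", 6: "tcp", 17: "udp", 58: "ipv6-icmp"}
# TCP control bits, least significant bit first.
TCP_BITS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")

def decode_tcp_flags(value):
    """Turn the integer tcp_flags attribute into a list of flag names."""
    return [name for i, name in enumerate(TCP_BITS) if value & (1 << i)]

def normalize(obj):
    """Return (normalized copy, list of problems) for one object."""
    out, problems = dict(obj), []
    for name in REQUIRED:
        if name not in out:
            problems.append(f"missing required attribute: {name}")
    for id_attr, (sibling, enum) in SIBLINGS.items():
        if id_attr not in out:
            continue
        value = out[id_attr]
        if isinstance(value, bool) or not isinstance(value, int) or value not in enum:
            problems.append(f"{id_attr}: {value!r} is not a defined enum value")
        elif value == 99:  # 'Other': the sibling must carry the source's own value
            if not out.get(sibling):
                problems.append(f"{id_attr} is Other (99) but {sibling} is empty")
        else:
            out[sibling] = enum[value]  # sibling is the caption of the id
    num, name = out.get("protocol_num"), out.get("protocol_name")
    if isinstance(name, str) and name != name.lower():
        problems.append("protocol_name must be lowercase")
    if num in IANA and name is not None and str(name).lower() != IANA[num]:
        problems.append(f"protocol_name {name!r} does not match protocol_num {num}")
    if "tcp_flags" in out and num not in (None, 6):  # sanity check added here
        problems.append("tcp_flags present on a non-TCP connection")
    return out, problems

# Constructed sample record (not from a real log source).
SAMPLE = {"record_id": "r-1", "direction_id": 2, "direction": "egress", "boundary_id": 99,
          "protocol_num": 6, "protocol_name": "TCP", "tcp_flags": 0x12}
```

Calling `normalize(SAMPLE)` rewrites the drifted `direction` caption to the schema's value and reports the empty `boundary` and the uppercase protocol name, so a rule keyed on `direction_id` and one keyed on `direction` see the same event.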