# Direction of a network event. Which subset of values applies depends on the
# monitoring vantage point (host-based vs. network/perimeter-based); see the
# comment on Network.direction below.
enum NetworkDirection {
  # Host-based vantage point: traffic arriving at the host.
  ingress
  # Host-based vantage point: traffic leaving the host.
  egress
  # Perimeter-based vantage point: traffic crossing into the perimeter.
  inbound
  # Perimeter-based vantage point: traffic crossing out of the perimeter.
  outbound
  # Perimeter-based vantage point: both hosts are inside the perimeter
  # (traffic does not cross the perimeter boundary).
  internal
  # Perimeter-based vantage point: both hosts are outside the perimeter
  # (e.g. as seen by an ISP or VPN service provider).
  external
  # The observer could not determine a direction.
  unknown
}

# VLAN tag information as reported by the observer (802.1q).
# Both fields are optional strings; no format validation is implied by the schema.
type Vlan {
  # VLAN ID as reported by the observer.
  id: String
  # Optional VLAN name as reported by the observer.
  name: String
}

# A network-layer event or flow record.
# BaseRecord is declared elsewhere in the schema and is not visible here.
type Network implements BaseRecord {
  # Date/time when the event originated.
  #
  # This is the date/time extracted from the event, typically representing when
  # the event was generated by the source.
  #
  # If the event source has no original timestamp, this value is typically populated
  # by the first time the event was received by the pipeline.
  #
  # Required field for all events.
  timestamp: Time!
  # Custom key/value pairs.
  #
  # Can be used to add meta information to events. Should not contain nested objects.
  # All values are stored as keyword.
  #
  # Example: '{"application": "foo-bar", "env": "production"}'
  #
  # JSON is an opaque scalar here: the schema does not enforce the "no nested
  # objects" rule or any key/value format, so consumers should validate the
  # contents rather than rely on this type.
  labels: JSON
  # For log events the message field contains the log message, optimized
  # for viewing in a log viewer.
  #
  # For structured logs without an original message field, other fields can be
  # concatenated to form a human-readable summary of the event.
  #
  # If multiple messages exist, they can be combined into one message.
  message: String
  # List of keywords used to tag each event.
  tags: [String]
  # Key-Value pairs representing vendor specific properties.
  # Like labels, this is an unvalidated JSON scalar; its keys are producer-defined.
  attributes: JSON
  # Name given by operators to sections of their network.
  name: String
  # For application or service being identified from network connection details
  # (source/dest IPs, ports, certificates, or wire format), this field captures
  # the application's or service's name.
  application: String
  # Total bytes transferred in both directions.
  #
  # If source.bytes and destination.bytes are known, network.bytes is their sum.
  bytes: Long
  # Total packets transferred in both directions.
  # NOTE(review): named networkPackets while the bytes counter is just `bytes`;
  # the naming is inconsistent but cannot be changed without breaking consumers.
  networkPackets: Long
  # A hash of source and destination IPs and ports, as well as the protocol used
  # in a communication.
  # This is a tool-agnostic standard to identify flows -> Hash[sourceIp:port:destinationIp:Protocol]
  #
  # This is a correlation identifier for matching the same flow across tools;
  # it is not an integrity or authentication value. The exact tuple and any seed
  # that go into the hash depend on the producing tool's implementation
  # (not defined by this schema), so only compare values produced with the
  # same parameters.
  communityId: String
  # When mapping events from a host-based monitoring context, populate this field
  # from the host's point of view, using the values "ingress" or "egress".
  #
  # When mapping events from a network or perimeter-based monitoring context,
  # populate this field from the point of view of the network perimeter, using
  # the values "inbound", "outbound", "internal" or "external".
  #
  # Note that "internal" is not crossing perimeter boundaries, and is meant to
  # describe communication between two hosts within the perimeter.
  # Note also that "external" is meant to describe traffic between two hosts that
  # are external to the perimeter.
  # This could for example be useful for ISPs or VPN service providers.
  direction: NetworkDirection
  # Host IP address when the source IP address is the proxy.
  # NOTE(review): how the value is derived (e.g. from a proxy-supplied header)
  # is not defined in this schema; treat it as observer-reported and not
  # independently verified when using it for attribution or detection logic.
  forwardedIp: IP
  # IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
  # Standardized list of protocols. This aligns well with NetFlow and sFlow related
  # logs which use the IANA Protocol Number.
  # Stored as a String, not an integer; callers comparing numerically must convert.
  ianaNumber: String
  # Same as network.iana_number, but instead using the Keyword name of the
  # transport layer (udp, tcp, ipv6-icmp, etc.)
  transport: String
  # Network.inner fields are added in addition to network.vlan fields to describe
  # the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include
  # vlan.id and vlan.name.
  # Inner vlan fields are typically used when sending traffic with multiple 802.1q
  # encapsulations to a network sensor (e.g. Zeek, Wireshark.)
  # The JSON scalar does not enforce the allowed-field list; see innerVlan for the
  # typed, flattened form of the same information.
  inner: JSON
  # In the OSI Model this would be the Application Layer protocol.
  # For example, http, dns, or ssh.
  protocol: String
  # In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
  type: String
  # Fields to describe observed VLAN information (outermost tag).
  vlan: Vlan @relation(mappingType: "embedded")
  # Fields to describe observed VLAN information for the innermost tag when
  # q-in-q tagging is present - flattened inner.vlan
  innerVlan: Vlan @relation(mappingType: "embedded")
  # Free-text description of the record; its source and format are not defined here.
  description: String
}