The Network section is designed for monitoring data traffic statistics, attempts to create illegitimate connections, and unauthorized scanning. It provides the following statistics:
- Number of unique destination/source IP addresses
- Statistics of successful/blocked connections
- Dynamics of successful/blocked connections
- Connection statistics by type of transport used
- Connection statistics by destination ports
- Dynamics of the number of connections by transport type
- Top recipients by number of connections, volume of connections, and number of unique requested ports
- Event statistics with details by recipients
- Event statistics with details by sources
The section includes the following views:
- Network: Overview
- Network: Traffic Destination Profile
- Network: Traffic Source Profile
The section uses the data source fields described below. Alias used: sm_cs_network_indexes.

| Field Name | Value |
|---|---|
| event.kind | event |
| event.category | network |
| event.type | allowed, denied, connection, start, end, info |
| event.outcome | success, failure, unknown |
| event.action | From the source event. |
Source of network traffic.

| Field Name | Value |
|---|---|
| source.ip | IP address of the traffic source. |
| source.port | Port of the traffic source. |
Recipient of network traffic.

| Field Name | Value |
|---|---|
| destination.ip | IP address of the traffic recipient. |
| destination.port | Port of the traffic recipient. |
| Field Name | Value |
|---|---|
| network.transport | Type of transport. |
| network.type | Type or version of the network protocol family (IPv4 or IPv6). |
| Field Name | Value |
|---|---|
| event.original | Original event text. |
| Field Name | Value |
|---|---|
| network.iana_number | IANA protocol number. |
| network.packets | Number of network packets. |
| network.bytes | Number of bytes. |
| network.direction | Traffic direction. |
Below is a table of dictionaries used by the section.

| Name | Fields | Description |
|---|---|---|
| sm_cs_network_group_lookup | ip, network_group.name | Dictionary of information resource groups by IP addresses. |
| sm_cs_internal_ips | ip, description | Dictionary of internal networks. |
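The following is an added example, not code from the original documentation or its product, showing how the statistics listed at the top of the section (unique sources and destinations, successful versus blocked connections, breakdowns by transport and destination port, top recipients, per-recipient details) can be derived from events laid out in the field schema above and enriched from the two dictionaries. The events, the dictionary contents, and every function name are constructed for illustration; the "dynamics" widgets are omitted because the schema above lists no timestamp field.

```python
"""Network-section statistics computed from ECS-style events (added example).

Everything below is constructed for illustration: the events, the stand-in
dictionaries and the function names are hypothetical and not the product's own.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample events using the documented field names (dotted keys).
EVENTS = [
    {"event.kind": "event", "event.category": "network", "event.type": "allowed",
     "event.outcome": "success", "source.ip": "10.0.1.15", "source.port": 51000,
     "destination.ip": "10.0.2.5", "destination.port": 443, "network.transport": "tcp",
     "network.type": "ipv4", "network.bytes": 5200, "network.packets": 12},
    {"event.kind": "event", "event.category": "network", "event.type": "allowed",
     "event.outcome": "success", "source.ip": "10.0.1.15", "source.port": 51001,
     "destination.ip": "10.0.2.5", "destination.port": 80, "network.transport": "tcp",
     "network.type": "ipv4", "network.bytes": 800, "network.packets": 4},
    {"event.kind": "event", "event.category": "network", "event.type": "denied",
     "event.outcome": "failure", "source.ip": "198.51.100.7", "source.port": 40000,
     "destination.ip": "10.0.2.5", "destination.port": 22, "network.transport": "tcp",
     "network.type": "ipv4", "network.bytes": 60, "network.packets": 1},
    {"event.kind": "event", "event.category": "network", "event.type": "denied",
     "event.outcome": "failure", "source.ip": "198.51.100.7", "source.port": 40001,
     "destination.ip": "10.0.2.5", "destination.port": 23, "network.transport": "tcp",
     "network.type": "ipv4", "network.bytes": 60, "network.packets": 1},
    {"event.kind": "event", "event.category": "network", "event.type": "allowed",
     "event.outcome": "success", "source.ip": "10.0.1.20", "source.port": 5353,
     "destination.ip": "10.0.2.9", "destination.port": 53, "network.transport": "udp",
     "network.type": "ipv4", "network.bytes": 120, "network.packets": 2},
]

# Constructed stand-ins for sm_cs_network_group_lookup (ip -> network_group.name)
# and sm_cs_internal_ips (ip -> description); contents are hypothetical.
NETWORK_GROUP_LOOKUP = {"10.0.2.5": "web-servers", "10.0.2.9": "dns"}
INTERNAL_IPS = [(ip_network("10.0.0.0/8"), "corporate LAN")]


def is_internal(ip: str) -> bool:
    """True if the address falls inside any network of the internal-IP dictionary."""
    return any(ip_address(ip) in net for net, _ in INTERNAL_IPS)


def network_stats(events):
    """Overview counters: unique endpoints and breakdowns by outcome, transport, port."""
    return {
        "unique_sources": len({e["source.ip"] for e in events}),
        "unique_destinations": len({e["destination.ip"] for e in events}),
        "by_outcome": Counter(e["event.outcome"] for e in events),
        "by_transport": Counter(e["network.transport"] for e in events),
        "by_destination_port": Counter(e["destination.port"] for e in events),
    }


def top_recipients(events, n=3):
    """Top recipients by connection count, total bytes and unique requested ports."""
    conns, volume, ports = Counter(), Counter(), defaultdict(set)
    for e in events:
        dst = e["destination.ip"]
        conns[dst] += 1
        volume[dst] += e["network.bytes"]
        ports[dst].add(e["destination.port"])
    return {
        "by_connections": conns.most_common(n),
        "by_volume": volume.most_common(n),
        "by_unique_ports": sorted(((ip, len(p)) for ip, p in ports.items()),
                                  key=lambda x: (-x[1], x[0]))[:n],
    }


def recipient_details(events):
    """Per-recipient event statistics, enriched from both dictionaries."""
    out = {}
    for e in events:
        dst = e["destination.ip"]
        d = out.setdefault(dst, {"group": NETWORK_GROUP_LOOKUP.get(dst, "unknown"),
                                 "internal": is_internal(dst),
                                 "allowed": 0, "denied": 0, "sources": set()})
        d["denied" if e["event.type"] == "denied" else "allowed"] += 1
        d["sources"].add(e["source.ip"])
    return out


def scan_candidates(events, min_ports=2):
    """Source/recipient pairs whose denied connections touch at least min_ports
    distinct ports: the pattern the 'unique requested ports' widget surfaces."""
    touched = defaultdict(set)
    for e in events:
        if e["event.type"] == "denied":
            touched[(e["source.ip"], e["destination.ip"])].add(e["destination.port"])
    return sorted((src, dst, len(p)) for (src, dst), p in touched.items()
                  if len(p) >= min_ports)


if __name__ == "__main__":
    print(network_stats(EVENTS))
    print(top_recipients(EVENTS))
    print(recipient_details(EVENTS))
    print(scan_candidates(EVENTS))
```

The per-recipient view joins on destination.ip only; a real deployment would also apply the internal-IP dictionary to source.ip so that blocked connections from outside the documented internal ranges stand out in the source profile.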