Netflow Schema
Note
Schema docs show the fields available for normalization. For a schema field to be populated in XDR, the corresponding parser field must exist in the original data. Normalized data appears in the Normalized Data tab of an event and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Data Lake Search shows only searchable fields.
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this record (CTPX tenant ID) |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the record. Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address |
| sensor_version | string | sensorVersion$ | The agent version as string. |
| source_mac | string | sourceMac$ | Source MAC Address in text canonical format |
| destination_mac | string | destinationMac$ | Destination MAC Address in text canonical format |
| source_address | string | sourceAddress$ | IP Address of the source |
| destination_address | string | destinationAddress$ | IP Address of the destination |
| source_port | uint32 | sourcePort$ | Port of the source |
| destination_port | uint32 | destinationPort$ | Port of the destination |
| protocol | uint32 | protocol$ | Transport protocol, as the IANA protocol number (e.g. 6 for TCP, 17 for UDP) |
| tx_packet_count | uint64 | txPacketCount$ | Number of packets transmitted |
| tx_byte_count | uint64 | txByteCount$ | Number of bytes transmitted |
| rx_packet_count | uint64 | rxPacketCount$ | Number of packets received |
| rx_byte_count | uint64 | rxByteCount$ | Number of bytes received |
| direction | Netflow.Direction | direction$ | Direction of the network traffic between the source and destination from the perspective of the sensor. Ex: INBOUND, OUTBOUND |
| start_timestamp_usec | uint64 | startTimestampUsec$ | Flow start time in microseconds (µs) |
| end_timestamp_usec | uint64 | endTimestampUsec$ | Flow end time in microseconds (µs) |
| src_ipblacklists | repeated string | srcIpblacklists$ | Provides the names of blacklists matched by the source |
| dest_ipblacklists | repeated string | destIpblacklists$ | Provides the names of blacklists matched by the destination |
| src_ipgeo_summary | GeoSummary | srcIpgeoSummary$ | The geographic location of the source IP |
| dest_ipgeo_summary | GeoSummary | destIpgeoSummary$ | The geographic location of the destination IP |
| source_nat_address | string | sourceNatAddress$ | Source IP address after Network Address Translation (NAT), if NAT was applied |
| destination_nat_address | string | destinationNatAddress$ | Destination IP address after Network Address Translation (NAT), if NAT was applied |
| source_nat_port | uint32 | sourceNatPort$ | Source port after Network Address Translation (NAT), if NAT was applied |
| destination_nat_port | uint32 | destinationNatPort$ | Destination port after Network Address Translation (NAT), if NAT was applied |
| application_name | string | applicationName$ | Application detected by a Deep Packet Inspection engine, such as Palo Alto Networks App-ID |
| flow_action | Netflow.fw_action | flowAction$ | Enum recording what the firewall did to the flow; the values are listed under Netflow.fw_action below. If free-form text is needed, see connection_end_reason. |
| connection_end_reason | string | connectionEndReason$ | Details on why the session ended when flow_action is not specific enough. Examples: tcp-rst-from-client (Palo Alto), TCP Reset - I (Cisco ASA) |
| community_id_hash | string | communityIdHash$ | Community ID flow hash, which relates this netflow record to other records for the same flow, such as IDS alerts: https://github.com/corelight/community-id-spec |
| event_metadata | KeyValuePairsIndexed | eventMetadata$ | Key/value pairs the data source can provide to add context, such as the firewall rule name or source interface. |
| processCorrelationID | ProcessCorrelationID | processCorrelationId$ | ProcessCorrelationID of the process creating this netflow session |
| process_image_path | string | processImagePath$ | Image path of the process initiating this netflow |
Netflow.Direction
| Name | Number | Description |
|---|---|---|
| UNKNOWN | 0 | internal: unused but required for proto3 |
| INBOUND | 1 | The flow is inbound to the data source (the sensor's host). |
| OUTBOUND | 2 | The flow is outbound from the data source (the sensor's host). |
| CLIENT_TO_SERVER | 3 | The record describes traffic from the connection initiator (client) to the receiver (server). Used when reported by a firewall, since the control only knows who initiated the connection and who received it, not whether the flow is inbound or outbound to a monitored host. |
| SERVER_TO_CLIENT | 4 | The record describes traffic from the receiver (server) back to the connection initiator (client). Used when reported by a firewall, for the same reason as CLIENT_TO_SERVER. |
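As an added example (not code from this schema page or from the XDR product), the following Python computes the community_id_hash field from a record's source_address, destination_address, source_port, destination_port and protocol, following the Community ID v1 specification linked in the table, and shows that the CLIENT_TO_SERVER and SERVER_TO_CLIENT views of one session hash to the same value, which is what makes the field usable for joining firewall netflow with IDS alerts. Records are assumed to be plain dicts keyed by the normalized field names; the sample records are constructed, and the assumption that protocol carries the IANA protocol number is the example's own. ICMP and ICMPv6 are rejected because the spec derives their port-like values from the message type and code, which this schema does not carry.

```python
"""Community ID v1 flow hash over Netflow schema records (added example)."""
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers for which the Community ID includes the port pair
# (assumption: the schema's `protocol` field holds the IANA number).
PORT_PROTOCOLS = {6, 17, 132}          # TCP, UDP, SCTP
# ICMP/ICMPv6 hashes need message type/code, which this schema does not carry.
ICMP_PROTOCOLS = {1, 58}


def community_id(record, seed=0):
    """Return the '1:<base64 sha1>' Community ID for a netflow record.

    The hash is direction-independent: the endpoint pair is ordered so that
    the lower (address, port) tuple comes first, so a CLIENT_TO_SERVER record
    and its SERVER_TO_CLIENT twin produce the same value.
    """
    proto = int(record["protocol"])
    if proto in ICMP_PROTOCOLS:
        raise ValueError("ICMP Community ID needs type/code, absent from this schema")
    saddr = ipaddress.ip_address(record["source_address"])
    daddr = ipaddress.ip_address(record["destination_address"])
    if saddr.version != daddr.version:
        raise ValueError("source and destination address families differ")
    has_ports = proto in PORT_PROTOCOLS
    sport = int(record.get("source_port") or 0) if has_ports else 0
    dport = int(record.get("destination_port") or 0) if has_ports else 0

    # Canonical ordering: compare packed (big-endian) addresses, then ports.
    src, dst = saddr.packed, daddr.packed
    if (src, sport) > (dst, dport):
        src, dst, sport, dport = dst, src, dport, sport

    # Layout per spec: seed(2) | saddr | daddr | proto(1) | pad(1) | [sport(2) dport(2)]
    buf = struct.pack("!H", seed) + src + dst + struct.pack("!BB", proto, 0)
    if has_ports:
        buf += struct.pack("!HH", sport, dport)
    digest = hashlib.sha1(buf).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


def correlate(records, seed=0):
    """Group records (e.g. firewall netflow and IDS alerts) by Community ID."""
    groups = {}
    for rec in records:
        groups.setdefault(community_id(rec, seed), []).append(rec)
    return groups


# Constructed sample records (not real telemetry): one TCP session as a
# firewall reports it in each direction, plus an unrelated DNS flow.
SAMPLE_RECORDS = [
    {"sensor_type": "firewall", "direction": "CLIENT_TO_SERVER",
     "source_address": "128.232.110.120", "source_port": 34855,
     "destination_address": "66.35.250.204", "destination_port": 80,
     "protocol": 6},
    {"sensor_type": "firewall", "direction": "SERVER_TO_CLIENT",
     "source_address": "66.35.250.204", "source_port": 80,
     "destination_address": "128.232.110.120", "destination_port": 34855,
     "protocol": 6},
    {"sensor_type": "firewall", "direction": "OUTBOUND",
     "source_address": "10.0.0.5", "source_port": 53412,
     "destination_address": "10.0.0.53", "destination_port": 53,
     "protocol": 17},
]

if __name__ == "__main__":
    for cid, recs in correlate(SAMPLE_RECORDS).items():
        print(cid, [r["direction"] for r in recs])
```

The seed parameter must match whatever the IDS or flow sensor used (the spec default is 0); a seed mismatch makes every join silently fail, so confirm it before relying on community_id_hash for correlation.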
Netflow.fw_action
Whether the firewall appliance allowed or denied the traffic and, if it was denied, how.
| Name | Number | Description |
|---|---|---|
| FW_UNKNOWN | 0 | internal: unused but required for proto3 |
| FW_BLOCKED | 1 | Flow dropped (firewall blocked the TCP handshake or the UDP packet) |
| FW_ALLOWED | 2 | Flow was not denied by the firewall. |
| FW_RESET_CLIENT_TO_SERVER | 3 | Firewall sent a RST packet to the server. (TCP probe) |
| FW_RESET_SERVER_TO_CLIENT | 4 | Firewall sent a RST packet to the client. (TCP probe) |
| FW_RESET_BOTH | 5 | Firewall sent a RST packet to both client and server. (TCP probe) |
| FW_ICMP_CLIENT | 6 | ICMP destination host unreachable sent to client. (UDP probe) |