diff --git a/README.md b/README.md
index 25ee7007f2..1e995da461 100644
--- a/README.md
+++ b/README.md
@@ -286,10 +286,14 @@ Fields related to network data.
| `network.protocol` | Network protocol name. | keyword | | `http` |
| `network.direction` | Direction of the network traffic.
Recommended values are:
* inbound
* outbound
* unknown | keyword | | `inbound` |
| `network.forwarded_ip` | Host IP address when the source IP address is the proxy. | ip | | `192.1.1.2` |
+| `network.session_id` | This is the session ID or connection ID, a unique identifier for the session /connection. Bro conn.log uid field gets mapped here. | keyword | | `00beeff00d1234` |
+| `network.virtual_ip` | The virtual IP associated with a session or connection. Useful when load balancers, firewalls, and routers use a virtual IP to "advertise" a service. | ip | | `192.168.1.1` |
| `network.inbound.bytes` | Network inbound bytes. | long | | `184` |
| `network.inbound.packets` | Network inbound packets. | long | | `12` |
| `network.outbound.bytes` | Network outbound bytes. | long | | `184` |
| `network.outbound.packets` | Network outbound packets. | long | | `12` |
+| `network.total.bytes` | Network Total bytes: Usually sum (inbound.bytes, outbound.bytes) | long | | `368` |
+| `network.total.packets` | Network Total packets: Usually sum (inbound.packets, outbound.packets) | long | | `24` |
## Organization fields
diff --git a/schema.csv b/schema.csv
index 70243749ed..5b678cdb67 100644
--- a/schema.csv
+++ b/schema.csv
@@ -98,6 +98,10 @@ network.inbound.packets,long,0,12
network.outbound.bytes,long,0,184
network.outbound.packets,long,0,12
network.protocol,keyword,0,http
+network.session_id,keyword,0,00beeff00d1234
+network.total.bytes,long,0,368
+network.total.packets,long,0,24
+network.virtual_ip,ip,0,192.168.1.1
organization.id,keyword,0,
organization.name,text,0,
os.family,keyword,0,debian
diff --git a/schemas/network.yml b/schemas/network.yml
index cb01d03cab..cb70a578df 100644
--- a/schemas/network.yml
+++ b/schemas/network.yml
@@ -27,6 +27,22 @@
Host IP address when the source IP address is the proxy.
example: 192.1.1.2
+ - name: session_id
+ type: keyword
+ description: >
+ This is the session ID or connection ID,
+ a unique identifier for the session /connection.
+ Bro conn.log uid field gets mapped here.
+ example: 00beeff00d1234
+
+ - name: virtual_ip
+ type: ip
+ description: >
+ The virtual IP associated with a session or connection.
+ Useful when load balancers, firewalls, and routers use a
+ virtual IP to "advertise" a service.
+ example: 192.168.1.1
+
# Metrics
- name: inbound.bytes
type: long
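Review bot: The `session_id` description added here calls the value "a unique identifier" without saying in what scope it is unique. Going by the description's own Bro conn.log example, the uid is presumably assigned by the sensor that logged the connection, so two sources can emit the same value for unrelated sessions, and an analyst pivoting on this field alone could join them. I would add a sentence such as `Unique only within the source that reported it; pair it with the reporting device when correlating across sources.` The same description has a stray space in `session /connection`. For `virtual_ip`, it would help to say which side of the connection the address stands in for (the advertised service address rather than the real backend, if that is the intent). The field list starts above this hunk and continues below it.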
@@ -48,3 +64,13 @@
description: >
Network outbound packets.
example: 12
+ - name: total.bytes
+ type: long
+ description: >
+ Network Total bytes: Usually sum (inbound.bytes, outbound.bytes)
+ example: 368
+ - name: total.packets
+ type: long
+ description: >
+ Network Total packets: Usually sum (inbound.packets, outbound.packets)
+ example: 24
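Review bot: `total.bytes` and `total.packets` are described as "Usually sum (…)", which does not tell a consumer when the total differs from the sum of the directional counters. Volume-based detections and dashboards built on these fields need to know whether the total can be filled on its own, for instance when a source reports only an aggregate and the direction is unknown. If that is the intent, I would state it, e.g. `Total bytes for the connection. Equals inbound.bytes + outbound.bytes when both are reported; may be the only counter present when the source does not split traffic by direction.` Separately, the two new entries are not separated by blank lines, unlike `session_id` and `virtual_ip` in the first hunk of this file.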
diff --git a/template.json b/template.json
index bb53819a73..f09b55a4e4 100644
--- a/template.json
+++ b/template.json
@@ -510,6 +510,23 @@
"protocol": {
"ignore_above": 1024,
"type": "keyword"
+ },
+ "session_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "total": {
+ "properties": {
+ "bytes": {
+ "type": "long"
+ },
+ "packets": {
+ "type": "long"
+ }
+ }
+ },
+ "virtual_ip": {
+ "type": "ip"
}
}
},