diff --git a/README.md b/README.md
index 25ee7007f2..1e995da461 100644
--- a/README.md
+++ b/README.md
@@ -286,10 +286,14 @@ Fields related to network data.
 | `network.protocol` | Network protocol name. | keyword | | `http` |
 | `network.direction` | Direction of the network traffic.
Recommended values are:
* inbound
* outbound
* unknown | keyword | | `inbound` |
 | `network.forwarded_ip` | Host IP address when the source IP address is the proxy. | ip | | `192.1.1.2` |
+| `network.session_id` | This is the session ID or connection ID, a unique identifier for the session /connection. Bro conn.log uid field gets mapped here. | keyword | | `00beeff00d1234` |
+| `network.virtual_ip` | The virtual IP associated with a session or connection. Useful when load balancers, firewalls, and routers use a virtual IP to "advertise" a service. | ip | | `192.168.1.1` |
 | `network.inbound.bytes` | Network inbound bytes. | long | | `184` |
 | `network.inbound.packets` | Network inbound packets. | long | | `12` |
 | `network.outbound.bytes` | Network outbound bytes. | long | | `184` |
 | `network.outbound.packets` | Network outbound packets. | long | | `12` |
+| `network.total.bytes` | Network Total bytes: Usually sum (inbound.bytes, outbound.bytes) | long | | `368` |
+| `network.total.packets` | Network Total packets: Usually sum (inbound.packets, outbound.packets) | long | | `24` |
 ## Organization fields
diff --git a/schema.csv b/schema.csv
index 70243749ed..5b678cdb67 100644
--- a/schema.csv
+++ b/schema.csv
@@ -98,6 +98,10 @@ network.inbound.packets,long,0,12
 network.outbound.bytes,long,0,184
 network.outbound.packets,long,0,12
 network.protocol,keyword,0,http
+network.session_id,keyword,0,00beeff00d1234
+network.total.bytes,long,0,368
+network.total.packets,long,0,24
+network.virtual_ip,ip,0,192.168.1.1
 organization.id,keyword,0,
 organization.name,text,0,
 os.family,keyword,0,debian
diff --git a/schemas/network.yml b/schemas/network.yml
index cb01d03cab..cb70a578df 100644
--- a/schemas/network.yml
+++ b/schemas/network.yml
@@ -27,6 +27,22 @@
 Host IP address when the source IP address is the proxy.
 example: 192.1.1.2
+ - name: session_id
+ type: keyword
+ description: >
+ This is the session ID or connection ID,
+ a unique identifier for the session /connection.
+ Bro conn.log uid field gets mapped here.
+ example: 00beeff00d1234
+
+ - name: virtual_ip
+ type: ip
+ description: >
+ The virtual IP associated with a session or connection.
+ Useful when load balancers, firewalls, and routers use a
+ virtual IP to "advertise" a service.
+ example: 192.168.1.1
+
 # Metrics
 - name: inbound.bytes
 type: long
@@ -48,3 +64,13 @@
 description: >
 Network outbound packets.
 example: 12
+ - name: total.bytes
+ type: long
+ description: >
+ Network Total bytes: Usually sum (inbound.bytes, outbound.bytes)
+ example: 368
+ - name: total.packets
+ type: long
+ description: >
+ Network Total packets: Usually sum (inbound.packets, outbound.packets)
+ example: 24
diff --git a/template.json b/template.json
index bb53819a73..f09b55a4e4 100644
--- a/template.json
+++ b/template.json
@@ -510,6 +510,23 @@
 "protocol": {
 "ignore_above": 1024,
 "type": "keyword"
+ },
+ "session_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "total": {
+ "properties": {
+ "bytes": {
+ "type": "long"
+ },
+ "packets": {
+ "type": "long"
+ }
+ }
+ },
+ "virtual_ip": {
+ "type": "ip"
 }
 }
 },
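Review bot: The `session_id` description in the first schemas/network.yml hunk calls the value "a unique identifier for the session /connection" but never states the scope of that uniqueness, and the Bro remark reads as an implementation note rather than part of the field contract. If a conn.log uid is only unique within one sensor instance (to be confirmed against the Bro documentation), two sensors can emit the same `network.session_id` for unrelated connections, and any correlation or deduplication keyed on this field alone will conflate them; the description should say that uniqueness is only guaranteed within the reporting source and that cross-source correlation needs a field identifying that source alongside it, e.g. `Unique identifier for the session or connection, as assigned by the reporting source. Uniqueness is only guaranteed within that source.` The `virtual_ip` description in the same hunk also leaves open whether the address is the one the client connected to (the advertised service address) or one substituted on the source side; one sentence naming which would remove the ambiguity for anyone writing rules on it. The README and schema.csv hunks repeat the same wording.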
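Review bot: The `total.bytes` and `total.packets` descriptions in the second schemas/network.yml hunk define the fields as "Usually sum (inbound.bytes, outbound.bytes)", which leaves the contract open: a consumer cannot tell whether `total.bytes` may be set when only one direction was observed, or whether a source that reports a native total must also fill the per-direction fields. Any aggregation that adds `network.inbound.bytes`, `network.outbound.bytes` and `network.total.bytes` together (a volume threshold in a detection rule, for instance) would then double count, and the example values 184 + 184 = 368 in the hunk suggest the sum is the intent. Suggest stating the rule, e.g. `Total bytes transferred in both directions. Equals inbound.bytes + outbound.bytes when both directions are known.`, with the matching sentence for packets, and carrying the same wording into the README row in the first hunk.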