- JSON representation
- Ftp
- Dns
- Question
- ResourceRecord
- Dhcp
- Option
- Http
- Tls
- Client
- Certificate
- Server
- Smtp
A network event.
| JSON representation |
|---|
{ "sent_bytes": string, "received_bytes": string, "sent_packets": string, "received_packets": string, "session_duration": string, "session_id": string, "parent_session_id": string, "application_protocol_version": string, "community_id": string, "direction": enum ( |
| Fields | |
|---|---|
sent_bytes |
The number of bytes sent. |
received_bytes |
The number of bytes received. |
sent_packets |
The number of packets sent. |
received_packets |
The number of packets received. |
session_duration |
The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. A duration in seconds with up to nine fractional digits, ending with ' |
session_id |
The ID of the network session. |
parent_session_id |
The ID of the parent network session. |
application_protocol_version |
The version of the application protocol. e.g. "1.1, 2.0" |
community_id |
Community ID network flow value. |
direction |
The direction of network traffic. |
ip_protocol |
The IP protocol. |
application_protocol |
The application protocol. |
ftp |
FTP info. |
email |
Email info for the sender/recipient. |
dns |
DNS info. |
dhcp |
DHCP info. |
http |
HTTP info. |
tls |
TLS info. |
smtp |
SMTP info. Store fields specific to SMTP not covered by Email. |
asn |
Autonomous system number. |
dns_domain |
DNS domain name. |
carrier_name |
Carrier identification. |
organization_name |
Organization name (e.g Google). |
ip_subnet_range |
Associated human-readable IP subnet range (e.g. 10.1.2.0/24). |
Ftp
FTP info.
| JSON representation |
|---|
{ "command": string } |
| Fields | |
|---|---|
command |
The FTP command. |
Email info.
| JSON representation |
|---|
{ "from": string, "reply_to": string, "to": [ string ], "cc": [ string ], "bcc": [ string ], "mail_id": string, "subject": [ string ], "bounce_address": string } |
| Fields | |
|---|---|
from |
The 'from' address. |
reply_to |
The 'reply to' address. |
to[] |
A list of 'to' addresses. |
cc[] |
A list of 'cc' addresses. |
bcc[] |
A list of 'bcc' addresses. |
mail_id |
The mail (or message) ID. |
subject[] |
The subject line(s) of the email. |
bounce_address |
The envelope from address. https://en.wikipedia.org/wiki/Bounce_address |
Dns
DNS information.
| JSON representation |
|---|
{ "id": integer, "response": boolean, "opcode": integer, "authoritative": boolean, "truncated": boolean, "recursion_desired": boolean, "recursion_available": boolean, "response_code": integer, "questions": [ { object ( |
| Fields | |
|---|---|
id |
DNS query id. |
response |
Set to true if the event is a DNS response. See QR field from RFC1035. |
opcode |
The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS). |
authoritative |
Other DNS header flags. See RFC1035, section 4.1.1. |
truncated |
Whether the DNS response was truncated. |
recursion_desired |
Whether a recursive DNS lookup is desired. |
recursion_available |
Whether a recursive DNS lookup is available. |
response_code |
Response code. See RCODE from RFC1035. |
questions[] |
A list of domain protocol message questions. |
answers[] |
A list of answers to the domain name query. |
authority[] |
A list of domain name servers which verified the answers to the domain name queries. |
additional[] |
A list of additional domain name servers that can be used to verify the answer to the domain. |
Question
DNS Questions. See RFC1035, section 4.1.2.
| JSON representation |
|---|
{
"name": string,
"type": integer,
"class": integer,
"prevalence": {
object ( |
| Fields | |
|---|---|
name |
The domain name. |
type |
The code specifying the type of the query. |
class |
The code specifying the class of the query. |
prevalence |
The prevalence of the domain within the customer's environment. |
ResourceRecord
DNS Resource Records. See RFC1035, section 4.1.3.
| JSON representation |
|---|
{ "name": string, "type": integer, "class": integer, "ttl": integer, "data": string, "binary_data": string } |
| Fields | |
|---|---|
name |
The name of the owner of the resource record. |
type |
The code specifying the type of the resource record. |
class |
The code specifying the class of the resource record. |
ttl |
The time interval for which the resource record can be cached before the source of the information should again be queried. |
data |
The payload or response to the DNS question for all responses encoded in UTF-8 format |
binary_data |
The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. A base64-encoded string. |
Dhcp
DHCP information.
| JSON representation |
|---|
{ "opcode": enum ( |
| Fields | |
|---|---|
opcode |
The BOOTP op code. |
htype |
Hardware address type. |
hlen |
Hardware address length. |
hops |
Hardware ops. |
transaction_id |
Transaction ID. |
seconds |
Seconds elapsed since client began address acquisition/renewal process. |
flags |
Flags. |
ciaddr |
Client IP address (ciaddr). |
yiaddr |
Your IP address (yiaddr). |
siaddr |
IP address of the next bootstrap server. |
giaddr |
Relay agent IP address (giaddr). |
chaddr |
Client hardware address (chaddr). |
sname |
Server name that the client wishes to boot from. |
file |
Boot image filename. |
options[] |
List of DHCP options. |
type |
DHCP message type. |
lease_time_seconds |
Lease time in seconds. See RFC2132, section 9.2. |
client_hostname |
Client hostname. See RFC2132, section 3.14. |
client_identifier |
Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field. A base64-encoded string. |
requested_address |
Requested IP address. See RFC2132, section 9.1. |
client_identifier_string |
Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the client_identifier. |
Option
DHCP options.
| JSON representation |
|---|
{ "code": integer, "data": string } |
| Fields | |
|---|---|
code |
Code. See RFC1533. |
data |
Data. A base64-encoded string. |
Http
Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target".
| JSON representation |
|---|
{
"method": string,
"referral_url": string,
"user_agent": string,
"response_code": integer,
"parsed_user_agent": {
object ( |
| Fields | |
|---|---|
method |
The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE"). |
referral_url |
The URL for the HTTP referer. |
user_agent |
The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent. |
response_code |
The response status code, for example 200, 302, 404, or 500. |
parsed_user_agent |
The parsed user_agent string. |
Tls
Transport Layer Security (TLS) information.
| JSON representation |
|---|
{ "client": { object ( |
| Fields | |
|---|---|
client |
Certificate information for the client certificate. |
server |
Certificate information for the server certificate. |
cipher |
Cipher used during the connection. |
curve |
Elliptical curve used for a given cipher. |
version |
TLS version. |
version_protocol |
Protocol. |
established |
Indicates whether the TLS negotiation was successful. |
next_protocol |
Protocol to be used for tunnel. |
resumed |
Indicates whether the TLS connection was resumed from a previous TLS negotiation. |
Client
Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash).
| JSON representation |
|---|
{
"certificate": {
object ( |
| Fields | |
|---|---|
certificate |
Client certificate. |
ja3 |
JA3 hash from the TLS ClientHello, as a hex-encoded string. |
server_name |
Host name of the server, that the client is connecting to. |
supported_ciphers[] |
Ciphers supported by the client during client hello. |
Certificate
Certificate information
| JSON representation |
|---|
{ "version": string, "serial": string, "subject": string, "issuer": string, "md5": string, "sha1": string, "sha256": string, "not_before": string, "not_after": string } |
| Fields | |
|---|---|
version |
Certificate version. |
serial |
Certificate serial number. |
subject |
Subject of the certificate. |
issuer |
Issuer of the certificate. |
md5 |
The MD5 hash of the certificate, as a hex-encoded string. |
sha1 |
The SHA1 hash of the certificate, as a hex-encoded string. |
sha256 |
The SHA256 hash of the certificate, as a hex-encoded string. |
not_before |
Indicates when the certificate is first valid. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
not_after |
Indicates when the certificate is no longer valid. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
Server
Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash).
| JSON representation |
|---|
{
"certificate": {
object ( |
| Fields | |
|---|---|
certificate |
Server certificate. |
ja3s |
JA3 hash from the TLS ServerHello, as a hex-encoded string. |
Smtp
SMTP info. See RFC 2821.
| JSON representation |
|---|
{ "helo": string, "mail_from": string, "rcpt_to": [ string ], "server_response": [ string ], "message_path": string, "is_webmail": boolean, "is_tls": boolean } |
| Fields | |
|---|---|
helo |
The client's 'HELO'/'EHLO' string. |
mail_from |
The client's 'MAIL FROM' string. |
rcpt_to[] |
The client's 'RCPT TO' string(s). |
server_response[] |
The server's response(s) to the client. |
message_path |
The message's path (extracted from the headers). |
is_webmail |
If the message was sent via a webmail client. |
is_tls |
If the connection switched to TLS. |