Open Cybersecurity Schema Framework

Network Connection Information Object

The Network Connection Information object describes characteristics of a network connection. Defined by D3FEND d3f:NetworkSession.

Name Caption Requirement Type Description

boundary

Boundary

Optional

String

The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source.

For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.

This is the string sibling of enum attribute boundary_id.

boundary_id

Boundary ID

Recommended

Integer

The normalized identifier of the boundary of the connection.

For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.

`0`	Unknown The connection boundary is unknown.
`1`	Localhost Local network traffic on the same endpoint.
`2`	Internal Internal network traffic between two endpoints inside network.
`3`	External External network traffic between two endpoints on the Internet or outside the network.
`4`	Same VPC Through another resource in the same VPC
`5`	Internet/VPC Gateway Through an Internet gateway or a gateway VPC endpoint
`6`	Virtual Private Gateway Through a virtual private gateway
`7`	Intra-region VPC Through an intra-region VPC peering connection
`8`	Inter-region VPC Through an inter-region VPC peering connection
`9`	Local Gateway Through a local gateway
`10`	Gateway VPC Through a gateway VPC endpoint (Nitro-based instances only)
`11`	Internet Gateway Through an Internet gateway (Nitro-based instances only)
`99`	Other The boundary is not mapped. See the `boundary` attribute, which contains a data source specific value.

This is an enum attribute; its string sibling is boundary.

direction

Direction

Optional

String

The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source.

This is the string sibling of enum attribute direction_id.

direction_id

Direction ID

Required

Integer

The normalized identifier of the direction of the initiated connection, traffic, or email.

`0`	Unknown The connection direction is unknown.
`1`	Inbound Inbound network connection. The connection was originated from the Internet or outside network, destined for services on the inside network.
`2`	Outbound Outbound network connection. The connection was originated from inside the network, destined for services on the Internet or outside network.
`3`	Lateral Lateral network connection. The connection was originated from inside the network, destined for services on the inside network.
`99`	Other The direction is not mapped. See the `direction` attribute, which contains a data source specific value.

This is an enum attribute; its string sibling is direction.

protocol_name Protocol Name Recommended String The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp or udp.

protocol_num Protocol Number Recommended Integer The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See Protocol Numbers. For example: 6 for TCP and 17 for UDP.

protocol_ver

IP Version

Optional

String

The Internet Protocol version.

This is the string sibling of enum attribute protocol_ver_id.

protocol_ver_id

IP Version ID

Recommended

Integer

The Internet Protocol version identifier.

`0`	Unknown The protocol version is unknown.
`4`	Internet Protocol version 4 (IPv4)
`6`	Internet Protocol version 6 (IPv6)
`99`	Other The protocol version is not mapped. See the `protocol_ver` attribute, which contains a data source specific value.

This is an enum attribute; its string sibling is protocol_ver.

session Session Optional Session The authenticated user or service session.

tcp_flags TCP Flags Optional Integer The network connection TCP header flags (i.e., control bits).

uid Connection UID Recommended String The unique identifier of the connection.

Referenced By

DHCP Activity Class: Attributes: connection_info, proxy_connection_info
DNS Activity Class: Attributes: connection_info, proxy_connection_info
FTP Activity Class: Attributes: connection_info, proxy_connection_info
File Hosting Activity Class: Attribute: connection_info
HTTP Activity Class: Attributes: connection_info, proxy_connection_info
NTP Activity Class: Attributes: connection_info, proxy_connection_info
Network Activity Class: Attributes: connection_info, proxy_connection_info
Network Connection Query Class: Attribute: connection_info
Network File Activity Class ^D: Attributes: connection_info, proxy_connection_info
Network Remediation Activity Class: Attribute: connection_info
RDP Activity Class: Attributes: connection_info, proxy_connection_info
SMB Activity Class: Attributes: connection_info, proxy_connection_info
SSH Activity Class: Attributes: connection_info, proxy_connection_info
Tunnel Activity Class: Attributes: connection_info, proxy_connection_info
Web Resource Access Activity Class ^D: Attribute: proxy_connection_info
Web Resources Activity Class: Attribute: proxy_connection_info

Evidence Artifacts Object: Attribute: connection_info