Network Connection Information Object

The Network Connection Information object describes characteristics of an OSI Transport Layer communication, including TCP and UDP.
References
Name Caption Requirement Type Description
boundary Boundary Optional String The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source.

For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.

This is the string sibling of enum attribute boundary_id.
boundary_id Boundary ID Recommended Integer

The normalized identifier of the boundary of the connection.

For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.

0Unknown
The connection boundary is unknown.
1Localhost
Local network traffic on the same endpoint.
2Internal
Internal network traffic between two endpoints inside network.
3External
External network traffic between two endpoints on the Internet or outside the network.
4Same VPC
Through another resource in the same VPC
5Internet/VPC Gateway
Through an Internet gateway or a gateway VPC endpoint
6Virtual Private Gateway
Through a virtual private gateway
7Intra-region VPC
Through an intra-region VPC peering connection
8Inter-region VPC
Through an inter-region VPC peering connection
9Local Gateway
Through a local gateway
10Gateway VPC
Through a gateway VPC endpoint (Nitro-based instances only)
11Internet Gateway
Through an Internet gateway (Nitro-based instances only)
99Other
The boundary is not mapped. See the boundary attribute, which contains a data source specific value.
This is an enum attribute; its string sibling is boundary.
community_uid Community ID Optional String The Community ID of the network connection.

Source
community_id
Refs:Community ID definition.
direction Direction Optional String The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source.
This is the string sibling of enum attribute direction_id.
direction_id Direction ID Required Integer The normalized identifier of the direction of the initiated connection, traffic, or email.
0Unknown
The connection direction is unknown.
1Inbound
Inbound network connection. The connection originated from the Internet or outside network, destined for services on the inside network.
2Outbound
Outbound network connection. The connection originated from inside the network, destined for services on the Internet or outside network.
3Lateral
Lateral network connection. The connection originated from inside the network, destined for services on the inside network.
4Local
Local network connection (localhost). The connection is intra-device, originating from and destined for services running on the same device.
99Other
The direction is not mapped. See the direction attribute, which contains a data source specific value.
This is an enum attribute; its string sibling is direction.
flag_history Connection Flag History Optional String The Connection Flag History summarizes events in a network connection. For example flags ShAD representing SYN, SYN/ACK, ACK and Data exchange.

Refs:Zeek History
protocol_name Protocol Name Recommended String The IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). For example: tcp or udp.

Refs:IANA Protocol Numbers
protocol_num Protocol Number Recommended Integer The IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). For example: 6 for TCP and 17 for UDP.

Refs:IANA Protocol Numbers
protocol_ver IP Version Optional String The Internet Protocol version.
This is the string sibling of enum attribute protocol_ver_id.
protocol_ver_id IP Version ID Recommended Integer The Internet Protocol version identifier.
0Unknown
The protocol version is unknown.
4Internet Protocol version 4 (IPv4)
6Internet Protocol version 6 (IPv6)
99Other
The protocol version is not mapped. See the protocol_ver attribute, which contains a data source specific value.
This is an enum attribute; its string sibling is protocol_ver.
session Session Optional Session The authenticated user or service session.
tcp_flags TCP Flags Optional Integer The network connection TCP header flags (i.e., control bits).
uid Connection UID Recommended String The unique identifier of the connection.
Airborne Broadcast Activity Class
Attribute: connection_info
DHCP Activity Class
Attributes: connection_info, proxy_connection_info
DNS Activity Class
Attributes: connection_info, proxy_connection_info
Drone Flights Activity Class
Attribute: connection_info
FTP Activity Class
Attributes: connection_info, proxy_connection_info
File Hosting Activity Class
Attribute: connection_info
HTTP Activity Class
Attributes: connection_info, proxy_connection_info
NTP Activity Class
Attributes: connection_info, proxy_connection_info
Network Activity Class
Attributes: connection_info, proxy_connection_info
Network Connection Query Class D
Attribute: connection_info
Network File Activity Class D
Attributes: connection_info, proxy_connection_info
Network Remediation Activity Class
Attribute: connection_info
RDP Activity Class
Attributes: connection_info, proxy_connection_info
SMB Activity Class
Attributes: connection_info, proxy_connection_info
SSH Activity Class
Attributes: connection_info, proxy_connection_info
Tunnel Activity Class
Attributes: connection_info, proxy_connection_info
Web Resource Access Activity Class D
Attribute: proxy_connection_info
Web Resources Activity Class
Attribute: proxy_connection_info
Evidence Artifacts Object
Attribute: connection_info
Query Evidence Object
Attribute: connection_info