Flow
A sequence of packets from a source computer to a destination, which may be another host, a multicast group, or a broadcast domain. This may be captured at network or host level.
Actions
|Action|Description|
|---|---|
|end|The event corresponding to the ending of collection of flow data in a given time period.|
|message|A flow message pertains to any event between start and end when content is sent over the connection (may imply TCP). This often implies use of traffic content collected via PCAP or a similar mechanism.|
|start|The event corresponding to the beginning of collection of flow data in a given time period.|
Fields
|Field|Description|Example|
|---|---|---|
|application_protocol|Name of the layer 7 protocol contained within the flow.|HTTP|
|content|The ASCII printable characters of the flow. This corresponds to content from PCAP data or similar formats.|GET https://www.google.com/ HTTP/1.1|
|dest_fqdn|The fully qualified domain name that corresponds to dest_ip.|dest_example.example.com|
|dest_hostname|The hostname that corresponds to dest_ip.|dest_example|
|dest_ip|The destination IP address of the flow.|192.168.1.5|
|dest_port|The destination port of the flow.|443|
|end_time|The datetime stamp, in UTC, when the flow ended.|05/15/2015 03:59:53.176 AM|
|exe|The basename of the image_path. This will need to be collected from the host.|Chrome.exe|
|fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM|
|hostname|The hostname of the host, without the domain.|HOST1|
|image_path|The file system path of the process that opened the flow. This will need to be collected from the host.|C:\path\to\example.exe|
|in_bytes|Integer value of the total number of bytes received.|13200|
|network_direction|Direction of the flow initiator relative to the network perimeter.|in (flow originated outside the network and was directed into it)|
|out_bytes|Integer value of the total number of bytes sent.|1337|
|packet_count|The total packet count seen at time of logging.|4|
|pid|The process ID of the process that owns the socket responsible for the flow, represented in decimal notation. This will need to be collected from the host.|738|
|ppid|The process ID of the parent of the process that owns the socket responsible for the flow, represented in decimal notation. This will need to be collected from the host.|1860|
|proto_info|A text-decoded version of the traffic in the flow, specific to the protocol: the application layer information from the flow parsed according to the protocol in question, for instance SMB information or HTTP headers and content.|SMB2 Write Request Len:165 Off:0 File: username\private\filename.pptx, SRVSVC NetShareGetInfo response|
|src_fqdn|The fully qualified domain name that corresponds to src_ip.|src_domain.example.com|
|src_hostname|The hostname that corresponds to src_ip.|src_example|
|src_ip|The source IP address of the flow.|10.0.0.54|
|src_port|The source port of the flow.|50438|
|start_time|The datetime stamp, in UTC, when the flow started.|05/14/2015 11:59:59 PM|
|tcp_flags|Flags set in the TCP header.|ACK, PSH|
|transport_protocol|Layer 4 protocol contained within the flow.|TCP|
|uid|User ID or SID of the flow-handling entity.|S-1-5-18|
|user|The user that ran the process.|HOST1\LOCALUSER|
Coverage Map
| | application_protocol | content | dest_fqdn | dest_hostname | dest_ip | dest_port | end_time | exe | fqdn | hostname | image_path | in_bytes | network_direction | out_bytes | packet_count | pid | ppid | proto_info | src_fqdn | src_hostname | src_ip | src_port | start_time | tcp_flags | transport_protocol | uid | user |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| end | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| message | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| start | | | | Sysmon | Sysmon | Sysmon | | Sysmon | Sysmon | Sysmon | Sysmon | | Sysmon | | | Sysmon | | | | Sysmon | Sysmon | Sysmon | Sysmon | | Sysmon | | Sysmon |
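As an added example (not code from the original page or from the data model's maintainers), the following Python maps a Sysmon Event ID 3 (network connection) record onto the Flow fields for the `start` action, which is the only action and source the coverage map lists. The event XML is a constructed sample, and the internal address ranges used to derive network_direction are an assumption to adjust per environment: Sysmon's Initiated flag only says whether the local host opened the connection, so a perimeter-relative direction has to be derived from the addresses. Fields Sysmon does not supply (end_time, byte counts, content, proto_info, tcp_flags) are deliberately left out of the result.

```python
"""Map a Sysmon Event ID 3 record onto the Flow data model ('start' action).

Added example; not part of the original page. The sample event and the
INTERNAL_NETS ranges are constructed/assumed values.
"""
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import PureWindowsPath

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: address blocks considered "inside" the network perimeter.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample record in Sysmon's event XML shape; all values are illustrative.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>3</EventID>
    <Computer>HOST1.EXAMPLE_DOMAIN.COM</Computer>
  </System>
  <EventData>
    <Data Name="UtcTime">2015-05-14 23:59:59.000</Data>
    <Data Name="ProcessId">738</Data>
    <Data Name="Image">C:\\path\\to\\Chrome.exe</Data>
    <Data Name="User">HOST1\\LOCALUSER</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="SourceIp">10.0.0.54</Data>
    <Data Name="SourceHostname">src_example</Data>
    <Data Name="SourcePort">50438</Data>
    <Data Name="DestinationIp">192.168.1.5</Data>
    <Data Name="DestinationHostname">dest_example</Data>
    <Data Name="DestinationPort">443</Data>
  </EventData>
</Event>"""


def network_direction(src_ip: str, dest_ip: str) -> str:
    """Direction of the flow relative to the perimeter, seen from the initiator (src)."""
    src_in = any(ipaddress.ip_address(src_ip) in n for n in INTERNAL_NETS)
    dst_in = any(ipaddress.ip_address(dest_ip) in n for n in INTERNAL_NETS)
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "out"
    if dst_in:
        return "in"
    return "external"


def sysmon_event_to_flow(xml_text: str) -> dict:
    """Return a Flow 'start' record built from one Sysmon Event ID 3 XML document."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=EVENT_NS))
    if event_id != 3:
        raise ValueError(f"expected Sysmon Event ID 3, got {event_id}")
    computer = root.findtext("e:System/e:Computer", namespaces=EVENT_NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVENT_NS)}

    # Sysmon writes UtcTime as 'YYYY-MM-DD HH:MM:SS.mmm', already in UTC.
    start = datetime.strptime(data["UtcTime"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    image_path = data["Image"]

    # Sysmon's Source* fields are the initiating end of the connection, so they map
    # directly onto src_*; Initiated only tells us whether that end was this host.
    return {
        "action": "start",
        "start_time": start.isoformat(),
        "fqdn": computer,
        "hostname": computer.split(".", 1)[0],
        "image_path": image_path,
        "exe": PureWindowsPath(image_path).name,
        "pid": int(data["ProcessId"]),
        "user": data["User"],
        "transport_protocol": data["Protocol"].upper(),
        "src_ip": data["SourceIp"],
        "src_port": int(data["SourcePort"]),
        "src_hostname": data.get("SourceHostname", ""),
        "dest_ip": data["DestinationIp"],
        "dest_port": int(data["DestinationPort"]),
        "dest_hostname": data.get("DestinationHostname", ""),
        "network_direction": network_direction(data["SourceIp"], data["DestinationIp"]),
    }


if __name__ == "__main__":
    for key, value in sysmon_event_to_flow(SAMPLE_EVENT_XML).items():
        print(f"{key}: {value}")
```

The same record is the natural join key for the `end` and `message` actions when those are filled from a network sensor: match on the five-tuple (src_ip, src_port, dest_ip, dest_port, transport_protocol) plus a time window around start_time, since a host sensor and a PCAP-derived record will not share an identifier.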