A network event.
JSON representation

    { "sent_bytes" : string , "received_bytes" : string , "sent_packets" : string , "received_packets" : string , "session_duration" : string , "session_id" : string , "parent_session_id" : string , "application_protocol_version" : string , "community_id" : string , "direction" : enum (

Fields

| Field | Description |
|---|---|
| sent_bytes | The number of bytes sent. |
| received_bytes | The number of bytes received. |
| sent_packets | The number of packets sent. |
| received_packets | The number of packets received. |
| session_duration | The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. A duration in seconds with up to nine fractional digits, ending with ' |
| session_id | The ID of the network session. |
| parent_session_id | The ID of the parent network session. |
| application_protocol_version | The version of the application protocol (e.g. "1.1" or "2.0"). |
| community_id | Community ID network flow value. |
| direction | The direction of network traffic. |
| ip_protocol | The IP protocol. |
| application_protocol | The application protocol. |
| ftp | FTP info. |
| email | Email info for the sender/recipient. |
| dns | DNS info. |
| dhcp | DHCP info. |
| http | HTTP info. |
| tls | TLS info. |
| smtp | SMTP info. Store fields specific to SMTP not covered by Email. |
| asn | Autonomous system number. |
| dns_domain | DNS domain name. |
| carrier_name | Carrier identification. |
| organization_name | Organization name (e.g., Google). |
| ip_subnet_range | Associated human-readable IP subnet range (e.g. 10.1.2.0/24). |
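Two of the fields above carry values with a precise wire format that is easy to get wrong when a parser populates them: community_id, which the Community ID v1 specification published by Corelight defines as a seeded SHA-1 over the canonically ordered 5-tuple, and session_duration, whose JSON form is decimal seconds with 0, 3, 6 or 9 fractional digits and a trailing "s". The following is an added example, not code from this page or from the product it documents; the enum spellings for direction and ip_protocol are assumptions, because the page's enum lists are truncated, and the sample flow is constructed from documentation address ranges.

```python
import base64
import hashlib
import ipaddress
import json
import struct


def community_id_v1(saddr, daddr, proto, sport, dport, seed=0):
    """Community ID v1 (Corelight spec): '1:' + base64(SHA-1(seed | src | dst | proto | 0 | sport | dport)).

    The lower (address, port) endpoint is placed first, so both directions of a
    flow hash to the same value; that is what lets flow, IDS and DNS records from
    different sensors be joined on this one field.
    """
    src = ipaddress.ip_address(saddr).packed
    dst = ipaddress.ip_address(daddr).packed
    if (dst, dport) < (src, sport):
        src, dst, sport, dport = dst, src, dport, sport
    data = struct.pack("!H", seed) + src + dst + struct.pack("!BBHH", proto, 0, sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def duration_json(seconds, nanos):
    """Render session_duration in the JSON form described above: decimal seconds
    with 0, 3, 6 or 9 fractional digits and a trailing 's' (1 s 500 ms -> '1.500s')."""
    if not 0 <= nanos < 1_000_000_000:
        raise ValueError("nanos must be in [0, 1e9)")
    if nanos == 0:
        digits = 0
    elif nanos % 1_000_000 == 0:
        digits = 3
    elif nanos % 1_000 == 0:
        digits = 6
    else:
        digits = 9
    frac = f".{nanos:09d}"[: digits + 1] if digits else ""
    return f"{seconds}{frac}s"


def network_event(saddr, daddr, proto, sport, dport, sent_bytes, received_bytes,
                  sent_packets, received_packets, seconds, nanos):
    """Assemble the 'network' object for one flow. The 64-bit counters are strings in
    the JSON representation, exactly as the schema lists them (string, not integer)."""
    # Enum spellings below are assumed, not taken from this page (its enum lists are truncated).
    proto_names = {6: "TCP", 17: "UDP"}
    return {
        "sent_bytes": str(sent_bytes),
        "received_bytes": str(received_bytes),
        "sent_packets": str(sent_packets),
        "received_packets": str(received_packets),
        "session_duration": duration_json(seconds, nanos),
        "community_id": community_id_v1(saddr, daddr, proto, sport, dport),
        "direction": "OUTBOUND",
        "ip_protocol": proto_names.get(proto, "UNKNOWN_IP_PROTOCOL"),
    }


if __name__ == "__main__":
    # Constructed sample flow: client 192.0.2.10:51234 -> 198.51.100.7:443 over TCP, 1.5 s long.
    event = network_event("192.0.2.10", "198.51.100.7", 6, 51234, 443,
                          1234, 56789, 12, 40, 1, 500_000_000)
    print(json.dumps({"network": event}, indent=2))
```

The ordering step in community_id_v1 is the part worth checking in any re-implementation: if a sensor hashes the tuple in packet order, the request and the reply of the same flow get different IDs and the field stops being useful for correlation.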
Ftp
FTP info.
JSON representation

    { "command" : string }

Fields

| Field | Description |
|---|---|
| command | The FTP command. |
Email
Email info.
JSON representation

    { "from" : string , "reply_to" : string , "to" : [ string ] , "cc" : [ string ] , "bcc" : [ string ] , "mail_id" : string , "subject" : [ string ] , "bounce_address" : string }

Fields

| Field | Description |
|---|---|
| from | The 'from' address. |
| reply_to | The 'reply to' address. |
| to[] | A list of 'to' addresses. |
| cc[] | A list of 'cc' addresses. |
| bcc[] | A list of 'bcc' addresses. |
| mail_id | The mail (or message) ID. |
| subject[] | The subject line(s) of the email. |
| bounce_address | The envelope from address. https://en.wikipedia.org/wiki/Bounce_address |
Dns
DNS information.
JSON representation

    { "id" : integer , "response" : boolean , "opcode" : integer , "authoritative" : boolean , "truncated" : boolean , "recursion_desired" : boolean , "recursion_available" : boolean , "response_code" : integer , "questions" : [ { object (

Fields

| Field | Description |
|---|---|
| id | DNS query id. |
| response | Set to true if the event is a DNS response. See QR field from RFC1035. |
| opcode | The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS). |
| authoritative | Whether the answer is authoritative (the AA header flag). See RFC1035, section 4.1.1. |
| truncated | Whether the DNS response was truncated. |
| recursion_desired | Whether a recursive DNS lookup is desired. |
| recursion_available | Whether a recursive DNS lookup is available. |
| response_code | Response code. See RCODE from RFC1035. |
| questions[] | A list of domain protocol message questions. |
| answers[] | A list of answers to the domain name query. |
| authority[] | A list of domain name servers which verified the answers to the domain name queries. |
| additional[] | A list of additional domain name servers that can be used to verify the answer to the domain. |
Question
DNS Questions. See RFC1035, section 4.1.2.
JSON representation

    { "name" : string , "type" : integer , "class" : integer , "prevalence" : { object (

Fields

| Field | Description |
|---|---|
| name | The domain name. |
| type | The code specifying the type of the query. |
| class | The code specifying the class of the query. |
| prevalence | The prevalence of the domain within the customer's environment. |
ResourceRecord
DNS Resource Records. See RFC1035, section 4.1.3.
JSON representation

    { "name" : string , "type" : integer , "class" : integer , "ttl" : integer , "data" : string , "binary_data" : string }

Fields

| Field | Description |
|---|---|
| name | The name of the owner of the resource record. |
| type | The code specifying the type of the resource record. |
| class | The code specifying the class of the resource record. |
| ttl | The time interval for which the resource record can be cached before the source of the information should again be queried. |
| data | The payload or response to the DNS question, for all responses encoded in UTF-8 format. |
| binary_data | The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. A base64-encoded string. |
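The Dns, Question and ResourceRecord sections above map almost one-to-one onto the RFC 1035 header and record layout, so the natural check on a parser is to feed it a raw message and compare the result with those field definitions, including the rule that UTF-8 record payloads go in data and anything else goes, base64-encoded, in binary_data. The following is an added example, not code from this page or from the product it documents: a minimal RFC 1035 message parser (with name compression) that emits the dns object in this schema. The sample response is constructed inline; it answers "example.com A" with one A record and one TXT record whose bytes are deliberately not valid UTF-8, to exercise the binary_data branch.

```python
import base64
import struct


def _read_name(msg, off):
    """Decode a possibly compressed domain name (RFC 1035 section 4.1.4).
    Returns (name, offset just past the name as it appears at `off`)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def _rr_data(rtype, rdata):
    """Map RDATA onto the schema's data / binary_data split."""
    if rtype == 1 and len(rdata) == 4:  # A record: dotted quad
        return {"data": ".".join(str(b) for b in rdata)}
    if rtype == 16:  # TXT: one or more <length><chars> character-strings
        parts, i = [], 0
        while i < len(rdata):
            n = rdata[i]
            parts.append(rdata[i + 1:i + 1 + n])
            i += 1 + n
        rdata = b"".join(parts)
    try:
        return {"data": rdata.decode("utf-8")}
    except UnicodeDecodeError:
        return {"binary_data": base64.b64encode(rdata).decode("ascii")}


def parse_dns(msg):
    """Parse one DNS message into the 'dns' object described above."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {
        "id": ident,
        "response": bool(flags & 0x8000),        # QR
        "opcode": (flags >> 11) & 0xF,
        "authoritative": bool(flags & 0x0400),   # AA
        "truncated": bool(flags & 0x0200),       # TC
        "recursion_desired": bool(flags & 0x0100),
        "recursion_available": bool(flags & 0x0080),
        "response_code": flags & 0xF,            # RCODE
        "questions": [], "answers": [], "authority": [], "additional": [],
    }
    off = 12
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append({"name": name, "type": qtype, "class": qclass})
    for key, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = _read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl}
            rr.update(_rr_data(rtype, rdata))
            out[key].append(rr)
    return out


def _build_sample_response():
    """Constructed sample: response to 'example.com A' (id 0x1a2b, QR/RD/RA set, RCODE 0)."""
    qname = b"\x07example\x03com\x00"
    header = struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 2, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    ptr = b"\xc0\x0c"  # compression pointer to the question name at offset 12
    a_rr = ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    txt_rdata = b"\x03\xff\xfe\xfd"  # one 3-byte character-string that is not UTF-8
    txt_rr = ptr + struct.pack("!HHIH", 16, 1, 60, len(txt_rdata)) + txt_rdata
    return header + question + a_rr + txt_rr


SAMPLE_RESPONSE = _build_sample_response()

if __name__ == "__main__":
    import json
    print(json.dumps(parse_dns(SAMPLE_RESPONSE), indent=2))
```

Note that the parser keeps the two answer records distinct: the A record populates data, the TXT record populates only binary_data. A pipeline that silently replaced undecodable bytes with U+FFFD would put a lossy value in data and lose the evidence that matters most in, for example, a DNS tunnelling investigation.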
Dhcp
DHCP information.
JSON representation

    { "opcode" : enum (

Fields

| Field | Description |
|---|---|
| opcode | The BOOTP op code. |
| htype | Hardware address type. |
| hlen | Hardware address length. |
| hops | Relay hop count (the BOOTP hops field). |
| transaction_id | Transaction ID. |
| seconds | Seconds elapsed since the client began the address acquisition/renewal process. |
| flags | Flags. |
| ciaddr | Client IP address (ciaddr). |
| yiaddr | Your IP address (yiaddr). |
| siaddr | IP address of the next bootstrap server. |
| giaddr | Relay agent IP address (giaddr). |
| chaddr | Client hardware address (chaddr). |
| sname | Server name that the client wishes to boot from. |
| file | Boot image filename. |
| options[] | List of DHCP options. |
| type | DHCP message type. |
| lease_time_seconds | Lease time in seconds. See RFC2132, section 9.2. |
| client_hostname | Client hostname. See RFC2132, section 3.14. |
| client_identifier | Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field. A base64-encoded string. |
| requested_address | Requested IP address. See RFC2132, section 9.1. |
| client_identifier_string | Client identifier as a string. See RFC2132, section 9.14. This field holds the string value of the client_identifier. |
Option
DHCP options.
JSON representation

    { "code" : integer , "data" : string }

Fields

| Field | Description |
|---|---|
| code | Code. See RFC1533. |
| data | Data. A base64-encoded string. |
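The Dhcp and Option sections above describe fields that are all derived from the same TLV options area of a DHCP message, and they carry one consistency rule: client_identifier (base64) and client_identifier_string must be updated together. The following is an added example, not code from this page or from the product it documents: it walks an RFC 2132 options area, emits every option as a code/base64 pair, and fills the option-derived fields, writing the two client identifier fields in one place so they cannot drift apart. The message-type names are the RFC 2132 names, used here because the page's type enum list is truncated; the string form of a non-printable client identifier (colon-separated hex) is a choice made for this example; the sample options area is constructed inline.

```python
import base64
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 section 2

# RFC 2132 section 9.6 message-type codes. The spelling of the schema's own enum
# values is not taken from this page (its list is truncated).
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}


def _iter_options(raw):
    """Yield (code, data) from a TLV options area; code 0 is a pad byte, 255 ends the list."""
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            return
        length = raw[i + 1]
        yield code, raw[i + 2:i + 2 + length]
        i += 2 + length


def _client_id_string(data):
    """String form for client_identifier_string: printable UTF-8 as-is, otherwise
    colon-separated hex (a representation chosen for this example)."""
    try:
        text = data.decode("utf-8")
        if text.isprintable():
            return text
    except UnicodeDecodeError:
        pass
    return ":".join(f"{b:02x}" for b in data)


def dhcp_fields_from_options(raw):
    """Fill the option-derived part of the 'dhcp' object from a raw options area
    (with or without the leading magic cookie)."""
    if raw.startswith(MAGIC_COOKIE):
        raw = raw[4:]
    out = {"options": []}
    for code, data in _iter_options(raw):
        out["options"].append({"code": code, "data": base64.b64encode(data).decode("ascii")})
        if code == 53 and len(data) == 1:        # DHCP Message Type
            out["type"] = MESSAGE_TYPES.get(data[0], "UNKNOWN_MESSAGE_TYPE")
        elif code == 51 and len(data) == 4:      # IP Address Lease Time
            out["lease_time_seconds"] = struct.unpack("!I", data)[0]
        elif code == 12:                         # Host Name
            out["client_hostname"] = data.decode("utf-8", errors="replace")
        elif code == 50 and len(data) == 4:      # Requested IP Address
            out["requested_address"] = ".".join(str(b) for b in data)
        elif code == 61:                         # Client-identifier: both fields, always together
            out["client_identifier"] = base64.b64encode(data).decode("ascii")
            out["client_identifier_string"] = _client_id_string(data)
    return out


# Constructed sample: DHCPREQUEST for 192.0.2.50, 24 h lease, hostname host01,
# client identifier = hardware type 1 followed by MAC 00:11:22:33:44:55.
SAMPLE_OPTIONS = (MAGIC_COOKIE
                  + bytes([53, 1, 3])
                  + bytes([51, 4]) + struct.pack("!I", 86400)
                  + bytes([12, 6]) + b"host01"
                  + bytes([50, 4, 192, 0, 2, 50])
                  + bytes([61, 7, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55])
                  + bytes([255]))

if __name__ == "__main__":
    import json
    print(json.dumps(dhcp_fields_from_options(SAMPLE_OPTIONS), indent=2))
```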
Http
Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target".
JSON representation

    { "method" : string , "referral_url" : string , "user_agent" : string , "response_code" : integer , "parsed_user_agent" : { object (

Fields

| Field | Description |
|---|---|
| method | The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE"). |
| referral_url | The URL for the HTTP referer. |
| user_agent | The User-Agent request header, which includes the application type, operating system, software vendor or software version of the requesting software user agent. |
| response_code | The response status code, for example 200, 302, 404, or 500. |
| parsed_user_agent | The parsed user_agent string. |
Tls
Transport Layer Security (TLS) information.
JSON representation

    { "client" : { object (

Fields

| Field | Description |
|---|---|
| client | Certificate information for the client certificate. |
| server | Certificate information for the server certificate. |
| cipher | Cipher used during the connection. |
| curve | Elliptic curve used for a given cipher. |
| version | TLS version. |
| version_protocol | Protocol. |
| established | Indicates whether the TLS negotiation was successful. |
| next_protocol | Protocol to be used for the tunnel. |
| resumed | Indicates whether the TLS connection was resumed from a previous TLS negotiation. |
Client
Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash).
JSON representation

    { "certificate" : { object (

Fields

| Field | Description |
|---|---|
| certificate | Client certificate. |
| ja3 | JA3 hash from the TLS ClientHello, as a hex-encoded string. |
| server_name | Host name of the server that the client is connecting to. |
| supported_ciphers[] | Ciphers supported by the client during the client hello. |
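The ja3 field above is the MD5 of a fingerprint string built from ClientHello fields, in the format defined by the open-source JA3 project: TLS version, cipher suites, extensions, elliptic curves and point formats, each list joined with "-" and the five fields joined with ",". GREASE values (RFC 8701) are dropped before hashing, because clients randomise them and they would otherwise split one client into many fingerprints. The following is an added example, not code from this page or from the product it documents, that builds the string and the hash from already-extracted ClientHello values; the sample values are constructed, not a real client's.

```python
import hashlib

# RFC 8701 GREASE values: every 0x?A?A pattern from 0x0A0A to 0xFAFA.
GREASE = {(n << 12) | 0x0A0A for n in range(0, 0x10, 1)} | \
         {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 fingerprint string: five comma-separated fields, each a '-'-joined
    list of decimal values, with GREASE values removed."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """The value stored in the ja3 field: MD5 of the JA3 string, lowercase hex."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed sample ClientHello values: TLS 1.2 legacy version (771 = 0x0303) with one
# GREASE cipher and one GREASE extension mixed in.
SAMPLE = dict(version=771, ciphers=[0x0A0A, 4865, 4866, 49195],
              extensions=[0, 0x1A1A, 23, 65281, 10, 11], curves=[29, 23, 24],
              point_formats=[0])

if __name__ == "__main__":
    print(ja3_string(**SAMPLE))
    print(ja3_hash(**SAMPLE))
```

Matching on the hash alone is convenient but brittle: two ClientHellos that differ only in cipher order get different hashes, while many unrelated applications that share a TLS library share one. Storing the hash next to supported_ciphers[] and server_name, as this schema does, keeps the inputs available for a more discriminating rule.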
Certificate
Certificate information.
JSON representation

    { "version" : string , "serial" : string , "subject" : string , "issuer" : string , "md5" : string , "sha1" : string , "sha256" : string , "not_before" : string , "not_after" : string }

Fields

| Field | Description |
|---|---|
| version | Certificate version. |
| serial | Certificate serial number. |
| subject | Subject of the certificate. |
| issuer | Issuer of the certificate. |
| md5 | The MD5 hash of the certificate, as a hex-encoded string. |
| sha1 | The SHA1 hash of the certificate, as a hex-encoded string. |
| sha256 | The SHA256 hash of the certificate, as a hex-encoded string. |
| not_before | Indicates when the certificate is first valid. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| not_after | Indicates when the certificate is no longer valid. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
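The not_before and not_after descriptions above state an input/output asymmetry that is easy to miss: any RFC 3339 offset is accepted on input, but generated output is always Z-normalized with exactly 0, 3, 6 or 9 fractional digits. The following is an added example, not code from this page or from the product it documents: it implements that normalization in the standard library only (so nine-digit fractions work on every Python version, the fraction is handled outside datetime.fromisoformat), and pairs it with the three hex fingerprints, computed over the DER bytes. The function names are this example's own, and the bytes passed in as a "certificate" below are a constructed placeholder, not a real certificate.

```python
import hashlib
import re
from datetime import datetime, timezone

_RFC3339 = re.compile(
    r"^(\d{4}-\d{2}-\d{2})[Tt ](\d{2}:\d{2}:\d{2})(\.\d+)?([Zz]|[+-]\d{2}:\d{2})$")


def to_rfc3339_z(value):
    """Parse an RFC 3339 timestamp with any offset and emit the Z-normalized form used
    by not_before / not_after: UTC, 'Z' suffix, and 0, 3, 6 or 9 fractional digits."""
    m = _RFC3339.match(value.strip())
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    date, clock, frac, offset = m.groups()
    if offset in ("Z", "z"):
        offset = "+00:00"  # fromisoformat understands numeric offsets on Python 3.7+
    dt = datetime.fromisoformat(f"{date}T{clock}{offset}").astimezone(timezone.utc)
    nanos = int((frac or ".")[1:].ljust(9, "0")[:9])  # pad/truncate to nanoseconds
    if nanos == 0:
        digits = 0
    elif nanos % 1_000_000 == 0:
        digits = 3
    elif nanos % 1_000 == 0:
        digits = 6
    else:
        digits = 9
    text = dt.strftime("%Y-%m-%dT%H:%M:%S")
    if digits:
        text += f".{nanos:09d}"[: digits + 1]
    return text + "Z"


def certificate_fingerprints(der):
    """md5 / sha1 / sha256 of the DER-encoded certificate as lowercase hex. Hash the raw
    DER bytes, not the PEM text: the same certificate would otherwise get a different
    fingerprint from every tool that wraps lines differently."""
    return {name: hashlib.new(name, der).hexdigest() for name in ("md5", "sha1", "sha256")}


def certificate_record(der, not_before, not_after, **fields):
    """Assemble a Certificate object: fingerprints plus normalized validity bounds.
    Other fields (version, serial, subject, issuer) are passed through as given."""
    record = dict(fields)
    record.update(certificate_fingerprints(der))
    record["not_before"] = to_rfc3339_z(not_before)
    record["not_after"] = to_rfc3339_z(not_after)
    return record


if __name__ == "__main__":
    # Placeholder bytes standing in for a DER certificate; constructed, not a real certificate.
    rec = certificate_record(b"placeholder-der-bytes",
                             "2024-03-01T10:15:30+02:00", "2025-03-01T10:15:30.5Z",
                             subject="CN=example.com", issuer="CN=Example CA")
    for k, v in rec.items():
        print(f"{k}: {v}")
```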
Server
Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash).
JSON representation

    { "certificate" : { object (

Fields

| Field | Description |
|---|---|
| certificate | Server certificate. |
| ja3s | JA3 hash from the TLS ServerHello, as a hex-encoded string. |
Smtp
SMTP info. See RFC 2821.
JSON representation

    { "helo" : string , "mail_from" : string , "rcpt_to" : [ string ] , "server_response" : [ string ] , "message_path" : string , "is_webmail" : boolean , "is_tls" : boolean }

Fields

| Field | Description |
|---|---|
| helo | The client's 'HELO'/'EHLO' string. |
| mail_from | The client's 'MAIL FROM' string. |
| rcpt_to[] | The client's 'RCPT TO' string(s). |
| server_response[] | The server's response(s) to the client. |
| message_path | The message's path (extracted from the headers). |
| is_webmail | Whether the message was sent via a webmail client. |
| is_tls | Whether the connection switched to TLS. |