Class: NetworkTraffic
_The Network Traffic Object represents arbitrary network traffic that originates from a source and is addressed to a destination._
```mermaid
classDiagram
    class NetworkTraffic
    click NetworkTraffic href "../NetworkTraffic/"
      CyberObservableObject <|-- NetworkTraffic
        click CyberObservableObject href "../CyberObservableObject/"
      NetworkTraffic : defanged
      NetworkTraffic : description
      NetworkTraffic : dst_byte_count
      NetworkTraffic : dst_packets
      NetworkTraffic : dst_payload_ref
      NetworkTraffic : dst_port
      NetworkTraffic : dst_ref
      NetworkTraffic : encapsulated_by_ref
      NetworkTraffic : encapsulates_refs
      NetworkTraffic : end
      NetworkTraffic : extensions
      NetworkTraffic : granular_markings
          NetworkTraffic --> "*" GranularMarking : granular_markings
          click GranularMarking href "../GranularMarking/"
      NetworkTraffic : id
      NetworkTraffic : ipfix
      NetworkTraffic : is_active
      NetworkTraffic : name
      NetworkTraffic : object_marking_refs
      NetworkTraffic : protocols
      NetworkTraffic : spec_version
          NetworkTraffic --> "0..1" SpecVersionEnum : spec_version
          click SpecVersionEnum href "../SpecVersionEnum/"
      NetworkTraffic : src_byte_count
      NetworkTraffic : src_packets
      NetworkTraffic : src_payload_ref
      NetworkTraffic : src_port
      NetworkTraffic : src_ref
      NetworkTraffic : start
      NetworkTraffic : type
```
Inheritance
- StixEntity
    - CommonSchemaComponent
        - CyberObservableCore
            - CyberObservableObject
                - NetworkTraffic
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| start | 0..1 Datetime | Network traffic start time | direct |
| end | 0..1 Datetime | Network traffic end time | direct |
| src_ref | 0..1 StixIdentifier | Source observable reference | direct |
| dst_ref | 0..1 StixIdentifier | Destination observable reference | direct |
| src_port | 0..1 Integer | Source port number | direct |
| dst_port | 0..1 Integer | Destination port number | direct |
| protocols | 1..* String | Network protocols list | direct |
| src_byte_count | 0..1 Integer | Bytes sent source to destination | direct |
| dst_byte_count | 0..1 Integer | Bytes sent destination to source | direct |
| src_packets | 0..1 Integer | Source-to-destination packet count | direct |
| dst_packets | 0..1 Integer | Destination-to-source packet count | direct |
| ipfix | 0..1 String | Specifies any IP Flow Information Export (IPFIX) data for the traffic | direct |
| src_payload_ref | 0..1 StixIdentifier | Source payload reference | direct |
| dst_payload_ref | 0..1 StixIdentifier | Destination payload reference | direct |
| encapsulates_refs | * StixIdentifier | Referenced encapsulated network-traffic objects | direct |
| encapsulated_by_ref | 0..1 StixIdentifier | Referencing encapsulating network-traffic object | direct |
| is_active | 0..1 Boolean | Indicates traffic is still active | direct |
| type | 1 StixTypeName | STIX object type | StixEntity, CyberObservableCore |
| spec_version | 0..1 SpecVersionEnum | STIX specification version | CyberObservableCore |
| id | 1 StixIdentifier | STIX object identifier | StixEntity, CyberObservableCore |
| object_marking_refs | * StixIdentifier | Marking definition references applied to this object | CyberObservableCore |
| granular_markings | * GranularMarking | Granular markings that apply to selected content | CyberObservableCore |
| defanged | 0..1 Boolean | Defines whether or not the data contained within the object has been defanged | CyberObservableCore |
| extensions | * String | Open-ended extension payloads | CyberObservableCore |
| name | 0..1 String | Human-readable name | StixEntity |
| description | 0..1 String | Human-readable description | StixEntity |
In Subsets
Comments
- jsonschema_rule: anyOf+oneOf validator_hint: enforce-network-traffic-endpoint-and-active-rules jsonschema_source: https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/network-traffic.json
Notes
- JSON Schema requires at least one of src_ref or dst_ref and constrains is_active/end combinations.
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/attack
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | attack:NetworkTraffic |
| native | attack:NetworkTraffic |
LinkML Source
Direct
```yaml
name: NetworkTraffic
description: 'The Network Traffic Object represents arbitrary network traffic that
  originates from a source and is addressed to a destination. '
notes:
- JSON Schema requires at least one of src_ref or dst_ref and constrains is_active/end
  combinations.
comments:
- 'jsonschema_rule: anyOf+oneOf validator_hint: enforce-network-traffic-endpoint-and-active-rules
  jsonschema_source: https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/network-traffic.json'
in_subset:
- observables
from_schema: https://w3id.org/lmodel/attack
is_a: CyberObservableObject
slots:
- start
- end
- src_ref
- dst_ref
- src_port
- dst_port
- protocols
- src_byte_count
- dst_byte_count
- src_packets
- dst_packets
- ipfix
- src_payload_ref
- dst_payload_ref
- encapsulates_refs
- encapsulated_by_ref
- is_active
slot_usage:
  id:
    name: id
    pattern: ^network-traffic--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
  type:
    name: type
    pattern: ^network-traffic$
  protocols:
    name: protocols
    comments:
    - 'jsonschema_minItems: "1"'
    required: true
  encapsulates_refs:
    name: encapsulates_refs
    comments:
    - 'jsonschema_minItems: "1"'
```
Induced
```yaml
name: NetworkTraffic
description: 'The Network Traffic Object represents arbitrary network traffic that
  originates from a source and is addressed to a destination. '
notes:
- JSON Schema requires at least one of src_ref or dst_ref and constrains is_active/end
  combinations.
comments:
- 'jsonschema_rule: anyOf+oneOf validator_hint: enforce-network-traffic-endpoint-and-active-rules
  jsonschema_source: https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/network-traffic.json'
in_subset:
- observables
from_schema: https://w3id.org/lmodel/attack
is_a: CyberObservableObject
slot_usage:
  id:
    name: id
    pattern: ^network-traffic--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
  type:
    name: type
    pattern: ^network-traffic$
  protocols:
    name: protocols
    comments:
    - 'jsonschema_minItems: "1"'
    required: true
  encapsulates_refs:
    name: encapsulates_refs
    comments:
    - 'jsonschema_minItems: "1"'
attributes:
  start:
    name: start
    description: Network traffic start time.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: start
    owner: NetworkTraffic
    domain_of:
    - NetworkTraffic
    range: datetime
  end:
    name: end
    description: Network traffic end time.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: end
    owner: NetworkTraffic
    domain_of:
    - NetworkTraffic
    range: datetime
  src_ref:
    name: src_ref
    description: Source observable reference.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: src_ref
    owner: NetworkTraffic
    domain_of:
    - NetworkTraffic
    range: stix_identifier
  dst_ref:
    name: dst_ref
    description: Destination observable reference.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: dst_ref
    owner: NetworkTraffic
    domain_of:
    - NetworkTraffic
    range: stix_identifier
  src_port:
    name: src_port
    description: Source port number.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: src_port
    owner: NetworkTraffic
    domain_of:
    - NetworkTraffic
    range: integer
    minimum_value: 0
    maximum_value: 65535
  dst_port:
    name: dst_port
    description: Destination port number.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: dst_port
    owner: NetworkTraffic
    domain_of:
    - NetworkTraffic
    range: integer
    minimum_value: 0
    maximum_value: 65535
  protocols:
    name: protocols
    description: Network protocols list.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:hasFacet
    rank: 1000
    alias: protocols
    owner: NetworkTraffic
    domain_of:
    - NetworkTraffic
    range: string
    required: true
    multivalued: true
  src_byte_count:
    name: src_byte_count
    description: Bytes sent source to destination.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: src_byte_count
    owner: NetworkTraffic
    domain_of:
    - NetworkTraffic
    range: integer
  dst_byte_count:
    name: dst_byte_count
    description: Bytes sent destination to source.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: dst_byte_count
    owner: NetworkTraffic
    domain_of:
    - NetworkTraffic
    range: integer
  src_packets:
    name: src_packets
    description: Source-to-destination packet count.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: src_packets
    owner: NetworkTraffic
    domain_of:
    - NetworkTraffic
    range: integer
  dst_packets:
    name: dst_packets
    description: Destination-to-source packet count.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: dst_packets
    owner: NetworkTraffic
    domain_of:
    - NetworkTraffic
    range: integer
  ipfix:
    name: ipfix
    description: Specifies any IP Flow Information Export (IPFIX) data for the traffic.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: ipfix
    owner: NetworkTraffic
    domain_of:
    - NetworkTraffic
    range: string
  src_payload_ref:
    name: src_payload_ref
    description: Source payload reference.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: src_payload_ref
    owner: NetworkTraffic
    domain_of:
    - NetworkTraffic
    range: stix_identifier
  dst_payload_ref:
    name: dst_payload_ref
    description: Destination payload reference.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: dst_payload_ref
    owner: NetworkTraffic
    domain_of:
    - NetworkTraffic
    range: stix_identifier
  encapsulates_refs:
    name: encapsulates_refs
    description: Referenced encapsulated network-traffic objects.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: encapsulates_refs
    owner: NetworkTraffic
    domain_of:
    - NetworkTraffic
    range: stix_identifier
    multivalued: true
  encapsulated_by_ref:
    name: encapsulated_by_ref
    description: Referencing encapsulating network-traffic object.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: encapsulated_by_ref
    owner: NetworkTraffic
    domain_of:
    - NetworkTraffic
    range: stix_identifier
  is_active:
    name: is_active
    description: Indicates traffic is still active.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: is_active
    owner: NetworkTraffic
    domain_of:
    - NetworkTraffic
    range: boolean
  type:
    name: type
    description: STIX object type.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:state
    rank: 1000
    alias: type
    owner: NetworkTraffic
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_type_name
    required: true
    pattern: ^network-traffic$
  spec_version:
    name: spec_version
    description: STIX specification version.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:specVersion
    rank: 1000
    alias: spec_version
    owner: NetworkTraffic
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: SpecVersionEnum
  id:
    name: id
    description: STIX object identifier.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:externalReference
    rank: 1000
    alias: id
    owner: NetworkTraffic
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_identifier
    required: true
    pattern: ^network-traffic--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
  object_marking_refs:
    name: object_marking_refs
    description: Marking definition references applied to this object.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:objectMarking
    rank: 1000
    alias: object_marking_refs
    owner: NetworkTraffic
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: stix_identifier
    multivalued: true
  granular_markings:
    name: granular_markings
    description: Granular markings that apply to selected content.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    narrow_mappings:
    - unified_cyber_ontology:objectMarking
    rank: 1000
    alias: granular_markings
    owner: NetworkTraffic
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: GranularMarking
    multivalued: true
  defanged:
    name: defanged
    description: Defines whether or not the data contained within the object has been
      defanged.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: defanged
    owner: NetworkTraffic
    domain_of:
    - CyberObservableCore
    range: boolean
  extensions:
    name: extensions
    description: Open-ended extension payloads.
    notes:
    - JSON Schema uses patternProperties for extension keys; exact key validation
      is delegated to validator tooling.
    comments:
    - 'jsonschema_rule: patternProperties validator_hint: validate-extension-keys-and-values'
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:hasFacet
    rank: 1000
    alias: extensions
    owner: NetworkTraffic
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    - File
    range: string
    multivalued: true
  name:
    name: name
    description: Human-readable name.
    from_schema: https://w3id.org/lmodel/attack
    exact_mappings:
    - unified_cyber_ontology:name
    rank: 1000
    alias: name
    owner: NetworkTraffic
    domain_of:
    - RelatedAsset
    - StixEntity
    - ExtensionDefinition
    - MarkingDefinition
    - AutonomousSystem
    - File
    range: string
  description:
    name: description
    description: Human-readable description.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:description
    rank: 1000
    alias: description
    owner: NetworkTraffic
    domain_of:
    - RelatedAsset
    - MutableElement
    - StixEntity
    - ExtensionDefinition
    - ExternalReference
    range: string
```