Class: NetworkConnectionInfo

The Network Connection Information object describes characteristics of an OSI Transport Layer communication, including TCP and UDP.

URI: ocsf:NetworkConnectionInfo

classDiagram
    class NetworkConnectionInfo
    click NetworkConnectionInfo href "../NetworkConnectionInfo/"
    Object <|-- NetworkConnectionInfo
    click Object href "../Object/"
    NetworkConnectionInfo : boundary
    NetworkConnectionInfo : boundary_id
    NetworkConnectionInfo --> "0..1 _recommended_" BoundaryIdEnum : boundary_id
    click BoundaryIdEnum href "../BoundaryIdEnum/"
    NetworkConnectionInfo : community_uid
    NetworkConnectionInfo : direction
    NetworkConnectionInfo : direction_id
    NetworkConnectionInfo --> "1" DirectionIdEnum : direction_id
    click DirectionIdEnum href "../DirectionIdEnum/"
    NetworkConnectionInfo : flag_history
    NetworkConnectionInfo : protocol_name
    NetworkConnectionInfo : protocol_num
    NetworkConnectionInfo : protocol_ver
    NetworkConnectionInfo : protocol_ver_id
    NetworkConnectionInfo --> "0..1 _recommended_" NetworkConnectionInfoProtocolVerIdEnum : protocol_ver_id
    click NetworkConnectionInfoProtocolVerIdEnum href "../NetworkConnectionInfoProtocolVerIdEnum/"
    NetworkConnectionInfo : session
    NetworkConnectionInfo --> "0..1" Session : session
    click Session href "../Session/"
    NetworkConnectionInfo : tcp_flags
    NetworkConnectionInfo : uid

Inheritance

Slots

| Name | Cardinality and Range | Description | Inheritance |
| --- | --- | --- | --- |
| boundary | 0..1 String | The boundary of the connection, normalized to the caption of 'boundary_id' | direct |
| boundary_id | 0..1 recommended BoundaryIdEnum | The normalized identifier of the boundary of the connection | direct |
| community_uid | 0..1 String | The Community ID of the network connection | direct |
| direction | 0..1 String | The direction of the initiated connection, traffic, or email, normalized to t... | direct |
| direction_id | 1 DirectionIdEnum | The normalized identifier of the direction of the initiated connection, | direct |
| flag_history | 0..1 String | The Connection Flag History summarizes events in a network connection | direct |
| protocol_name | 0..1 recommended String | The IP protocol name in lowercase, as defined by the Internet Assigned Number... | direct |
| protocol_num | 0..1 recommended Integer | The IP protocol number, as defined by the Internet Assigned Numbers Authority | direct |
| protocol_ver | 0..1 String | The Internet Protocol version | direct |
| protocol_ver_id | 0..1 recommended NetworkConnectionInfoProtocolVerIdEnum | The Internet Protocol version identifier | direct |
| session | 0..1 Session | The authenticated user or service session | direct |
| tcp_flags | 0..1 Integer | The network connection TCP header flags (i.e., control bits) | direct |
| uid | 0..1 recommended String | The unique identifier of the connection | direct |

Usages

| used by | used in | type | used |
| --- | --- | --- | --- |
| QueryEvidence | connection_info | range | NetworkConnectionInfo |
| Evidences | connection_info | range | NetworkConnectionInfo |
| NetworkProxyProfile | proxy_connection_info | range | NetworkConnectionInfo |
| FileHosting | connection_info | range | NetworkConnectionInfo |
| WebResourceAccessActivity | proxy_connection_info | range | NetworkConnectionInfo |
| WebResourcesActivity | proxy_connection_info | range | NetworkConnectionInfo |
| NetworkConnectionQuery | connection_info | range | NetworkConnectionInfo |
| NetworkEvent | connection_info | range | NetworkConnectionInfo |
| NetworkEvent | proxy_connection_info | range | NetworkConnectionInfo |
| DhcpActivity | connection_info | range | NetworkConnectionInfo |
| DhcpActivity | proxy_connection_info | range | NetworkConnectionInfo |
| DnsActivity | connection_info | range | NetworkConnectionInfo |
| DnsActivity | proxy_connection_info | range | NetworkConnectionInfo |
| FtpActivity | connection_info | range | NetworkConnectionInfo |
| FtpActivity | proxy_connection_info | range | NetworkConnectionInfo |
| HttpActivity | connection_info | range | NetworkConnectionInfo |
| HttpActivity | proxy_connection_info | range | NetworkConnectionInfo |
| NetworkActivity | connection_info | range | NetworkConnectionInfo |
| NetworkActivity | proxy_connection_info | range | NetworkConnectionInfo |
| NetworkFileActivity | connection_info | range | NetworkConnectionInfo |
| NetworkFileActivity | proxy_connection_info | range | NetworkConnectionInfo |
| NtpActivity | connection_info | range | NetworkConnectionInfo |
| NtpActivity | proxy_connection_info | range | NetworkConnectionInfo |
| RdpActivity | connection_info | range | NetworkConnectionInfo |
| RdpActivity | proxy_connection_info | range | NetworkConnectionInfo |
| SmbActivity | connection_info | range | NetworkConnectionInfo |
| SmbActivity | proxy_connection_info | range | NetworkConnectionInfo |
| SshActivity | connection_info | range | NetworkConnectionInfo |
| SshActivity | proxy_connection_info | range | NetworkConnectionInfo |
| TunnelActivity | connection_info | range | NetworkConnectionInfo |
| TunnelActivity | proxy_connection_info | range | NetworkConnectionInfo |
| NetworkRemediationActivity | connection_info | range | NetworkConnectionInfo |
| UnmannedSystemsEvent | connection_info | range | NetworkConnectionInfo |
| AirborneBroadcastActivity | connection_info | range | NetworkConnectionInfo |
| DroneFlightsActivity | connection_info | range | NetworkConnectionInfo |
| WindowsEvidences | connection_info | range | NetworkConnectionInfo |
| WindowsQueryEvidence | connection_info | range | NetworkConnectionInfo |

In Subsets

Aliases

  • Network Connection Information

See Also

Notes

Identifier and Mapping Information

Schema Source

Mappings

| Mapping Type | Mapped Value |
| --- | --- |
| self | ocsf:NetworkConnectionInfo |
| native | ocsf:NetworkConnectionInfo |
| exact | uco_master:NetworkConnection |
| close | stix:NetworkTraffic |

LinkML Source

Direct

name: NetworkConnectionInfo
description: 'The Network Connection Information object describes characteristics
  of an OSI

  Transport Layer communication, including TCP and UDP.'
notes:
- 'D3FEND™ Ontology d3f:NetworkSession 

  https://d3fend.mitre.org/dao/artifact/d3f:NetworkSession/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:NetworkSession/
aliases:
- Network Connection Information
exact_mappings:
- uco_master:NetworkConnection
close_mappings:
- stix:NetworkTraffic
is_a: Object
slots:
- boundary
- boundary_id
- community_uid
- direction
- direction_id
- flag_history
- protocol_name
- protocol_num
- protocol_ver
- protocol_ver_id
- session
- tcp_flags
- uid
slot_usage:
  boundary_id:
    name: boundary_id
    recommended: true
  direction_id:
    name: direction_id
    required: true
  protocol_name:
    name: protocol_name
    description: 'The IP protocol name in lowercase, as defined by the Internet Assigned
      Numbers

      Authority (IANA). For example: <code>tcp</code> or <code>udp</code>.'
    recommended: true
  protocol_num:
    name: protocol_num
    recommended: true
  protocol_ver:
    name: protocol_ver
    description: The Internet Protocol version.
  protocol_ver_id:
    name: protocol_ver_id
    description: The Internet Protocol version identifier.
    range: NetworkConnectionInfoProtocolVerIdEnum
    recommended: true
  uid:
    name: uid
    description: The unique identifier of the connection.
    recommended: true

Induced

name: NetworkConnectionInfo
description: 'The Network Connection Information object describes characteristics
  of an OSI

  Transport Layer communication, including TCP and UDP.'
notes:
- 'D3FEND™ Ontology d3f:NetworkSession 

  https://d3fend.mitre.org/dao/artifact/d3f:NetworkSession/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:NetworkSession/
aliases:
- Network Connection Information
exact_mappings:
- uco_master:NetworkConnection
close_mappings:
- stix:NetworkTraffic
is_a: Object
slot_usage:
  boundary_id:
    name: boundary_id
    recommended: true
  direction_id:
    name: direction_id
    required: true
  protocol_name:
    name: protocol_name
    description: 'The IP protocol name in lowercase, as defined by the Internet Assigned
      Numbers

      Authority (IANA). For example: <code>tcp</code> or <code>udp</code>.'
    recommended: true
  protocol_num:
    name: protocol_num
    recommended: true
  protocol_ver:
    name: protocol_ver
    description: The Internet Protocol version.
  protocol_ver_id:
    name: protocol_ver_id
    description: The Internet Protocol version identifier.
    range: NetworkConnectionInfoProtocolVerIdEnum
    recommended: true
  uid:
    name: uid
    description: The unique identifier of the connection.
    recommended: true
attributes:
  boundary:
    name: boundary
    description: 'The boundary of the connection, normalized to the caption of ''boundary_id''.
      In

      the case of ''Other'', it is defined by the event source. <p> For cloud

      connections, this translates to the traffic-boundary(same VPC, through IGW,

      etc.). For traditional networks, this is described as Local, Internal, or

      External.</p>'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Boundary
    rank: 1000
    alias: boundary
    owner: NetworkConnectionInfo
    domain_of:
    - NetworkConnectionInfo
    range: string
  boundary_id:
    name: boundary_id
    annotations:
      sibling:
        tag: sibling
        value: boundary
    description: '<p>The normalized identifier of the boundary of the connection.
      </p><p> For

      cloud connections, this translates to the traffic-boundary (same VPC, through

      IGW, etc.). For traditional networks, this is described as Local, Internal,
      or

      External.</p>'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Boundary ID
    rank: 1000
    alias: boundary_id
    owner: NetworkConnectionInfo
    domain_of:
    - NetworkConnectionInfo
    range: BoundaryIdEnum
    recommended: true
  community_uid:
    name: community_uid
    annotations:
      ocsf_source:
        tag: ocsf_source
        value: community_id
    description: The Community ID of the network connection.
    notes:
    - Community ID definition. — https://github.com/corelight/community-id-spec
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://github.com/corelight/community-id-spec
    aliases:
    - Community ID
    rank: 1000
    alias: community_uid
    owner: NetworkConnectionInfo
    domain_of:
    - NetworkConnectionInfo
    range: string
  direction:
    name: direction
    description: 'The direction of the initiated connection, traffic, or email, normalized
      to the

      caption of the direction_id value. In the case of ''Other'', it is defined by
      the

      event source.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Direction
    rank: 1000
    alias: direction
    owner: NetworkConnectionInfo
    domain_of:
    - NetworkConnectionInfo
    - EmailActivity
    range: string
  direction_id:
    name: direction_id
    annotations:
      sibling:
        tag: sibling
        value: direction
    description: 'The normalized identifier of the direction of the initiated connection,

      traffic, or email.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Direction ID
    rank: 1000
    alias: direction_id
    owner: NetworkConnectionInfo
    domain_of:
    - NetworkConnectionInfo
    - EmailActivity
    range: DirectionIdEnum
    required: true
  flag_history:
    name: flag_history
    description: 'The Connection Flag History summarizes events in a network connection.
      For

      example flags <code> ShAD </code> representing SYN, SYN/ACK, ACK and Data

      exchange.'
    notes:
    - 'Zeek History 

      https://docs.zeek.org/en/master/scripts/base/protocols/conn/main.zeek.html#detailed-interface:~:text=Records%20the%20state%20history%20of%20connections%20as%20a%20string%20of%20letters.%20The%20meaning%20of%20those%20letters%20is'
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://docs.zeek.org/en/master/scripts/base/protocols/conn/main.zeek.html#detailed-interface:~:text=Records%20the%20state%20history%20of%20connections%20as%20a%20string%20of%20letters.%20The%20meaning%20of%20those%20letters%20is
    aliases:
    - Connection Flag History
    rank: 1000
    alias: flag_history
    owner: NetworkConnectionInfo
    domain_of:
    - NetworkConnectionInfo
    range: string
  protocol_name:
    name: protocol_name
    description: 'The IP protocol name in lowercase, as defined by the Internet Assigned
      Numbers

      Authority (IANA). For example: <code>tcp</code> or <code>udp</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Protocol Name
    rank: 1000
    alias: protocol_name
    owner: NetworkConnectionInfo
    domain_of:
    - PortInfo
    - Scim
    - Sso
    - Idp
    - NetworkConnectionInfo
    - EmailActivity
    - TunnelActivity
    - AirborneBroadcastActivity
    - DroneFlightsActivity
    range: string
    recommended: true
  protocol_num:
    name: protocol_num
    description: 'The IP protocol number, as defined by the Internet Assigned Numbers
      Authority

      (IANA). For example: <code>6</code> for TCP and <code>17</code> for UDP.'
    notes:
    - 'IANA Protocol Numbers 

      https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml'
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
    aliases:
    - Protocol Number
    rank: 1000
    alias: protocol_num
    owner: NetworkConnectionInfo
    domain_of:
    - PortInfo
    - NetworkConnectionInfo
    range: integer
    recommended: true
  protocol_ver:
    name: protocol_ver
    description: The Internet Protocol version.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Protocol Version
    rank: 1000
    alias: protocol_ver
    owner: NetworkConnectionInfo
    domain_of:
    - NetworkConnectionInfo
    - RdpActivity
    - SshActivity
    range: string
  protocol_ver_id:
    name: protocol_ver_id
    annotations:
      sibling:
        tag: sibling
        value: protocol_ver
    description: The Internet Protocol version identifier.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Protocol Version ID
    rank: 1000
    alias: protocol_ver_id
    owner: NetworkConnectionInfo
    domain_of:
    - NetworkConnectionInfo
    range: NetworkConnectionInfoProtocolVerIdEnum
    recommended: true
  session:
    name: session
    description: The authenticated user or service session.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Session
    rank: 1000
    alias: session
    owner: NetworkConnectionInfo
    domain_of:
    - QueryEvidence
    - Actor
    - NetworkConnectionInfo
    - Process
    - SessionQuery
    - Authentication
    - AuthorizeSession
    - TunnelActivity
    range: Session
  tcp_flags:
    name: tcp_flags
    description: The network connection TCP header flags (i.e., control bits).
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - TCP Flags
    rank: 1000
    alias: tcp_flags
    owner: NetworkConnectionInfo
    domain_of:
    - NetworkConnectionInfo
    range: integer
  uid:
    name: uid
    description: The unique identifier of the connection.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: NetworkConnectionInfo
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    recommended: true