Network Events

Overview

AlphaSOC normalizes network telemetry from various sources into the Open Cybersecurity Schema Framework (OCSF) format, enabling you to write consistent Sigma detection rules across different network monitoring tools and platforms. For complete field definitions and semantics, refer to the linked OCSF class schema pages.

Network: DNS

OCSF Category: Network Activity

OCSF Class: DNS Activity

OCSF Fields

  • activity_id
  • activity_name
  • actor.user.name
  • category_name
  • category_uid
  • class_name
  • class_uid
  • device.ip
  • device.mac
  • device.uid
  • metadata.product.name
  • metadata.version
  • query.hostname
  • query.type
  • rcode
  • rcode_id
  • severity
  • severity_id
  • time
  • type_name
  • type_uid

Network: HTTP

OCSF Category: Network Activity

OCSF Class: HTTP Activity

OCSF Fields

  • action
  • action_id
  • activity_id
  • activity_name
  • actor.user.name
  • app_name
  • category_name
  • category_uid
  • class_name
  • class_uid
  • device.ip
  • device.mac
  • device.uid
  • http_request.http_headers.0.name
  • http_request.http_headers.0.value
  • http_request.http_method
  • http_request.referrer
  • http_request.url.url_string
  • http_request.user_agent
  • http_response.code
  • http_response.status
  • metadata.product.name
  • metadata.version
  • severity
  • severity_id
  • status
  • status_id
  • time
  • traffic.bytes
  • traffic.bytes_in
  • traffic.bytes_out
  • type_name
  • type_uid

Network: IP

OCSF Category: Network Activity

OCSF Class: Network Activity

OCSF Fields

  • activity_id
  • activity_name
  • actor.user.name
  • app_name
  • category_name
  • category_uid
  • class_name
  • class_uid
  • connection_info.direction
  • connection_info.direction_id
  • connection_info.protocol_name
  • connection_info.protocol_num
  • device.ip
  • device.mac
  • device.uid
  • dst_endpoint.ip
  • dst_endpoint.port
  • duration
  • metadata.product.name
  • metadata.version
  • severity
  • severity_id
  • time
  • traffic.bytes
  • traffic.bytes_in
  • traffic.bytes_out
  • traffic.packets
  • traffic.packets_in
  • traffic.packets_out
  • type_name
  • type_uid

Network: TLS

OCSF Category: Network Activity

OCSF Class: Network Activity

OCSF Fields

  • activity_id
  • activity_name
  • actor.user.name
  • category_name
  • category_uid
  • class_name
  • class_uid
  • device.ip
  • device.mac
  • device.uid
  • dst_endpoint.ip
  • dst_endpoint.port
  • metadata.product.name
  • metadata.version
  • severity
  • severity_id
  • time
  • tls.certificate.created_time
  • tls.certificate.expiration_time
  • tls.certificate.fingerprints.0.algorithm_id
  • tls.certificate.fingerprints.0.value
  • tls.certificate.issuer
  • tls.certificate.subject
  • tls.ja3_hash.algorithm_id
  • tls.ja3_hash.value
  • tls.ja3s_hash.algorithm_id
  • tls.ja3s_hash.value
  • type_name
  • type_uid

Further Reading