The network proxy endpoint object describes a proxy server, which acts as an intermediary between a client requesting a resource and the server providing that resource.

  • Extends: network_endpoint

container

The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.

hostname

  • Type: hostname_t
  • Requirement: recommended

The fully qualified name of the endpoint.

instance_uid

  • Type: string_t
  • Requirement: recommended

The unique identifier of a VM instance.

interface_name

  • Type: string_t
  • Requirement: recommended

The name of the network interface (e.g. eth2).

interface_uid

  • Type: string_t
  • Requirement: recommended

The unique identifier of the network interface.

ip

  • Type: ip_t
  • Requirement: recommended

The IP address of the endpoint, in either IPv4 or IPv6 format.

name

  • Type: string_t
  • Requirement: recommended

The short name of the endpoint.

namespace_pid

  • Type: integer_t
  • Requirement: recommended

If running under a process namespace (such as in a container), the process identifier within that process namespace.

owner

  • Type: user
  • Requirement: recommended

The identity of the service or user account that owns the endpoint or was last logged into it.

port

  • Type: port_t
  • Requirement: recommended

The port used for communication within the network connection.

svc_name

  • Type: string_t
  • Requirement: recommended

The service name in service-to-service connections. For example, in AWS VPC logs, the pkt-src-aws-service and pkt-dst-aws-service fields identify that the connection is coming from or going to an AWS service.

type_id

The network endpoint type ID.

uid

  • Type: string_t
  • Requirement: recommended

The unique identifier of the endpoint.

agent_list

  • Type: agent
  • Requirement: optional

A list of agent objects associated with a device, endpoint, or resource.

autonomous_system

The Autonomous System details associated with an IP address.

domain

  • Type: string_t
  • Requirement: optional

The name of the domain that the endpoint belongs to or that corresponds to the endpoint.

hw_info

The endpoint hardware information.

intermediate_ips

  • Type: ip_t
  • Requirement: optional

The intermediate IP addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.

isp

  • Type: string_t
  • Requirement: optional

The name of the Internet Service Provider (ISP).

isp_org

  • Type: string_t
  • Requirement: optional

The organization name of the Internet Service Provider (ISP). This represents the parent organization or company that owns/operates the ISP. For example, Comcast Corporation would be the ISP org for Xfinity internet service. This attribute helps identify the ultimate provider when ISPs operate under different brand names.

location

The geographical location of the endpoint.

mac

  • Type: mac_t
  • Requirement: optional

The Media Access Control (MAC) address of the endpoint.

os

  • Type: os
  • Requirement: optional

The endpoint operating system.

proxy_endpoint

The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).

subnet_uid

  • Type: string_t
  • Requirement: optional

The unique identifier of a virtual subnet.

type

  • Type: string_t
  • Requirement: optional

The network endpoint type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.

vlan_uid

  • Type: string_t
  • Requirement: optional

The Virtual LAN identifier.

vpc_uid

  • Type: string_t
  • Requirement: optional

The unique identifier of the Virtual Private Cloud (VPC).

zone

  • Type: string_t
  • Requirement: optional

The network zone or LAN segment.

At least one of: ip, uid, name, hostname, svc_name, instance_uid, interface_uid, interface_name, domain
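
The "at least one of" constraint and the ip and intermediate_ips attributes above can be checked before a record is stored. The following is an added example, not code from the schema project; the function names are hypothetical and the header and object values are constructed samples.

```python
import ipaddress

# Attribute names copied from the "At least one of" constraint above.
IDENTIFYING = ("ip", "uid", "name", "hostname", "svc_name",
               "instance_uid", "interface_uid", "interface_name", "domain")

def _is_ip(value):
    # Only strings are accepted; ipaddress would also accept bare integers.
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def intermediate_ips_from_xff(header):
    """Split an X-Forwarded-For value into (valid_ips, rejected_tokens).

    The header is supplied by the client side of the proxy chain, so tokens
    that are not IP addresses are kept out of the intermediate_ips list.
    """
    valid, rejected = [], []
    for token in (t.strip() for t in header.split(",")):
        if token:
            (valid if _is_ip(token) else rejected).append(token)
    return valid, rejected

def validate_network_proxy(obj):
    """Return a list of problems; an empty list means these checks passed."""
    problems = []
    if not any(obj.get(k) not in (None, "") for k in IDENTIFYING):
        problems.append("none of the identifying attributes is set")
    if "ip" in obj and not _is_ip(obj["ip"]):
        problems.append(f"ip is not an IPv4/IPv6 address: {obj['ip']!r}")
    ips = obj.get("intermediate_ips", [])
    if not isinstance(ips, list):
        problems.append("intermediate_ips is not a list")
    else:
        problems += [f"intermediate_ips entry is not an IP: {v!r}"
                     for v in ips if not _is_ip(v)]
    return problems

if __name__ == "__main__":
    # Constructed sample header and proxy endpoint object.
    hops, dropped = intermediate_ips_from_xff("203.0.113.7, 2001:db8::1, unknown")
    proxy = {"hostname": "proxy01.example.net", "ip": "198.51.100.10",
             "port": 3128, "intermediate_ips": hops}
    print(hops, dropped, validate_network_proxy(proxy))
```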