# Event ID 3: Network connection
###### Version: 4.81

## Description
The **network connection** event logs TCP/UDP connections on the machine. It is disabled by default. Each connection is linked to a process through the ProcessId and ProcessGUID fields. The event also contains the source and destination host names IP addresses, port numbers and IPv6 status.

## Data Dictionary
|Field Name|Type|Description|Sample Value|
|---|---|---|---|
|RuleName|string|custom tag mapped to event. i.e ATT&CK technique ID|`T1114`|
|UtcTime|date|Time in UTC when event was created|`2021-10-13T20:06:22.6600000Z`|
|ProcessGuid|string|Process Guid of the process that made the network connection|`{A98268C1-957F-5ACD-0000-0010EB030000}`|
|ProcessId|integer|Process ID used by the os to identify the process that made the network connection|`5079`|
|Image|string|File path of the process that made the network connection|`/usr/sbin/rsyslogd`|
|User|string|Name of the account who made the network connection. It usually containes domain name and user name|`root`|
|Protocol|string|Protocol being used for the network connection|`udp`|
|Initiated|boolean|Indicated process initiated tcp connection|`true`|
|SourceIsIpv6|boolean|is the source ip an Ipv6|`false`|
|SourceIp|ip|source ip address that made the network connection|`127.0.0.1`|
|SourceHostname|string|name of the host that made the network connection|``|
|SourcePort|integer|source port number|`43336`|
|SourcePortName|string|name of the source port being used|``|
|DestinationIsIpv6|boolean|is the destination ip an Ipv6|`false`|
|DestinationIp|ip|ip address destination|`127.0.0.1`|
|DestinationHostname|string|name of the host that received the network connection|``|
|DestinationPort|integer|destination port number|`25224`|
|DestinationPortName|string|name of the destination port|``|