Event ID 3: Network connection
Version: 4.81

Description
The network connection event logs TCP and UDP connections on the machine. It is disabled by default. Each connection is linked to a process through the ProcessId and ProcessGuid fields. The event also records the source and destination host names, IP addresses, port numbers and whether each address is IPv6.
Data Dictionary
| Field Name | Type | Description | Sample Value |
|---|---|---|---|
| RuleName | string | Custom tag mapped to the event, e.g. an ATT&CK technique ID | |
| UtcTime | date | Time in UTC when the event was created | |
| ProcessGuid | string | Process GUID of the process that made the network connection | |
| ProcessId | integer | Process ID used by the OS to identify the process that made the network connection | |
| Image | string | File path of the process that made the network connection | |
| User | string | Name of the account that made the network connection; usually contains the domain name and user name | |
| Protocol | string | Protocol used for the network connection (TCP or UDP) | |
| Initiated | boolean | Indicates whether the process initiated the TCP connection | |
| SourceIsIpv6 | boolean | Whether the source IP address is IPv6 | |
| SourceIp | ip | Source IP address that made the network connection | |
| SourceHostname | string | Name of the host that made the network connection | |
| SourcePort | integer | Source port number | |
| SourcePortName | string | Name of the source port being used | |
| DestinationIsIpv6 | boolean | Whether the destination IP address is IPv6 | |
| DestinationIp | ip | Destination IP address | |
| DestinationHostname | string | Name of the host that received the network connection | |
| DestinationPort | integer | Destination port number | |
| DestinationPortName | string | Name of the destination port | |
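As an added example (not part of this page or of Sysmon itself), a Python parser that reads one Event ID 3 record in the Windows Event Log XML export form and types each EventData field according to the dictionary above. The sample event is constructed; treating "-" as an empty value follows how Sysmon exports unset fields, and the check that the IsIpv6 flags agree with the parsed address family is the example's own.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address
# Constructed Sysmon Event ID 3 record (Windows Event Log XML export); all values are made up.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>3</EventID></System>
<EventData>
<Data Name="RuleName">-</Data>
<Data Name="UtcTime">2023-05-01 12:00:00.123</Data>
<Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="ProcessId">4242</Data>
<Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>
<Data Name="User">NT AUTHORITY\\SYSTEM</Data>
<Data Name="Protocol">tcp</Data>
<Data Name="Initiated">true</Data>
<Data Name="SourceIsIpv6">false</Data>
<Data Name="SourceIp">192.0.2.10</Data>
<Data Name="SourceHostname">host.example</Data>
<Data Name="SourcePort">49152</Data>
<Data Name="SourcePortName">-</Data>
<Data Name="DestinationIsIpv6">false</Data>
<Data Name="DestinationIp">198.51.100.20</Data>
<Data Name="DestinationHostname">-</Data>
<Data Name="DestinationPort">443</Data>
<Data Name="DestinationPortName">https</Data>
</EventData>
</Event>"""
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # Windows event XML namespace
INT_FIELDS = {"ProcessId", "SourcePort", "DestinationPort"}        # dictionary type: integer
BOOL_FIELDS = {"Initiated", "SourceIsIpv6", "DestinationIsIpv6"}    # dictionary type: boolean

def parse_event3(xml_text):
    """Map the EventData of one Event ID 3 record to typed fields; '-' becomes None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "3":
        raise ValueError("not a Sysmon Event ID 3 record")
    out = {}
    for d in root.iterfind("e:EventData/e:Data", NS):
        name, val = d.get("Name"), (d.text or "")
        if name in INT_FIELDS:
            out[name] = int(val)
        elif name in BOOL_FIELDS:
            out[name] = val.lower() == "true"
        elif name in ("SourceIp", "DestinationIp"):
            out[name] = ip_address(val)  # dictionary type: ip (IPv4Address or IPv6Address)
        else:
            out[name] = None if val == "-" else val
    for side in ("Source", "Destination"):  # the IsIpv6 flag must match the parsed address family
        if out[side + "IsIpv6"] != (out[side + "Ip"].version == 6):
            raise ValueError(f"{side}IsIpv6 disagrees with {side}Ip")
    return out
```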