
Community ID

Mutate Elastic Compatible

Synopsis

Computes the Community ID for network flow data, as defined in the Community ID Specification.

Schema

community_id:
- description: <text>
- destination_ip: <string>
- destination_port: <string>
- iana_number: <numeric>
- icmp_code: <numeric>
- icmp_type: <enum>
- if: <script>
- ignore_missing: <boolean>
- ignore_failure: <boolean>
- on_failure: <processor[]>
- on_success: <processor[]>
- source_ip: <string>
- source_port: <numeric>
- seed: <numeric>
- tag: <string>
- target_field: <ident>
- transport: <enum>

Configuration

| Field | Required | Default | Description |
|---|---|---|---|
| description | N | - | Explanatory text |
| destination_ip | N | destination.ip | Field containing the destination IP |
| destination_port | N | destination.port | Field containing the destination port |
| iana_number | N | network.iana_number | Field containing the IANA protocol number |
| icmp_code | N | icmp.code | Field containing the ICMP code |
| icmp_type | N | icmp.type | Field containing the ICMP type |
| if | N | - | Condition to run |
| ignore_missing | N | true | If true and the field does not exist, exit quietly without making any modifications |
| ignore_failure | N | false | See Handling Failures |
| on_failure | N | false | See Handling Failures |
| on_success | N | - | See Handling Success |
| source_ip | N | source.ip | Field containing the source IP |
| source_port | N | source.port | Field containing the source port |
| seed | N | 0 | Seed for the hash from which the ID is generated. Must be in the 0..65535 range. Can prevent hash collisions between network domains that use the same scheme |
| tag | N | - | Identifier |
| target_field | N | network.community_id | Field for the output |
| transport | N | network.transport | Field containing the transport protocol name or number. Used only when iana_number is not defined. Valid options: EIGRP, GRE, ICMP, ICMP IPv6, IGMP, OSPF, PIM, SCTP, TCP, and UDP |

Details

Use this processor to correlate network events that belong to a single flow. By default it reads the flow tuple from the corresponding ECS fields (source.ip, source.port, destination.ip, destination.port, and network.transport or network.iana_number) and writes the result to network.community_id.

Examples

We have source and destination IP addresses, their port numbers, and the transport protocol:

{
  "source": {
    "ip": "<ip-address-1>",
    "port": "<port-number-1>"
  },
  "destination": {
    "ip": "<ip-address-2>",
    "port": "<port-number-2>"
  },
  "network": {
    "transport": "TCP"
  }
}

We want to compute the community_id of this flow. The schema has no `field` option; the source address is read from the field named by `source_ip` (the other inputs use their defaults):

- community_id:
    source_ip: source.ip
    target_field: network.community_id

The result is written to the target field as a base64-encoded hash value:

{
  "source": {
    "ip": "<ip-address-1>",
    "port": "<port-number-1>"
  },
  "destination": {
    "ip": "<ip-address-2>",
    "port": "<port-number-2>"
  },
  "network": {
    "community_id": "<base64-hash>",
    "transport": "TCP"
  }
}