Detailed Network Event Schemas

Network Events Report

Network events downloaded from the Admin Console are exported in CSV format. Each network event is represented as a single line, regardless of the duration or amount of data transferred during the connection. Established connections are only reported once they have been completed.

CSV columns are below:

  • start_time: the beginning of the network communication
  • end_time: the end of the network communication, will be empty if an error occurred
  • user: the email address of the user initiating the communication
  • user_id: a numerical unique ID for the user
  • device_id: a unique identifier for the device used to connect
  • client_ip: the public IPv4 IP of the client initiating the connection
  • connector: the name of the Connector the communication went through
  • connector_id: a numerical unique ID for the Connector
  • resource_ip: the IP of the Resource that the user connected to, will be empty if a DNS error occurred
  • resource_port: the port that is being connected to on the Resource
  • resource_domain: the FQDN of the Resource, will be empty if connection was direct to IP
  • resource_id: a numerical unique ID of the Resource, as defined in Twingate (e.g., if *.twingate.com is the defined Resource, any connections to twingate.com domains will have the same Resource ID
  • protocol: the protocol used for the connection, can be tcp, udp, or icmp
  • status: can be DNS_ERROR if the domain can’t be resolved or CONNECTION_FAILED if a connection could not be established, otherwise will be NORMAL
  • bytes_transferred: cumulative number of bytes transferred during the connection, will be empty if an error occurred
  • bytes_received: cumulative number of bytes received during the connection, will be empty if an error occurred
  • remote_network: the name defined in Twingate of the Remote Network that the Resource belongs to
  • remote_network_id: a numerical unique ID for the Remote Network
  • applied_rule: the name of the Resource that Twingate used to connect, as defined in Twingate (e.g., if *.twingate.com is a Resource and the connection is to foo.twingate.com, this field will be *.twingate.com
  • relays: an identifier for the Relay that the connection flowed through
  • relay_ips: the IP of the Relay that was used
  • relay_ports: the port of the Relay that was used

Network Events Report

Network events synced to AWS S3 buckets are exported in JSON. Each network event is represented as a single line, regardless of the duration or amount of data transferred during the connection. They come in the following format:

{
"event_type": "network",
"event": {
"status":"closed_connection", // Other types: "denied_access", "established_connection", "failed_to_connect",
"connection":{
"client_ip": "192.0.2.0",
"protocol": "tcp",
"bytes_received": 512,
"bytes_transferred": 512,
"error_message": "String message" // Optional: Only visible when the "status" is "denied_access" or "failed_to_connect"
},
"connector":{
"id":"94014",
"name":"nondescript-caterpillar"
},
"device":{
"id":"200903",
},
"relays":[ // If the network event doesn't pass through a relay, this returns an empty list
{
"ip":"35.236.82.204",
"name":"relaybalancer+https:\/\/relays.twingate.com",
"port":30015
},
{
"ip":"34.236.21.109",
"name":"relaybalancer+https:\/\/relays.twingate.com",
"port":30005
}
],
"remote_network":{
"id": "6938",
"name":"AWS Network"
},
"resource":{
"address":"info.microsoft.com",
"applied_rule":"*microsoft*.com",
"id":"2255492",
"ip":"105.27.80.216",
"port":443
},
"service_account": { // Optional: Network events will either have a User or Service Account
"name":
"id":
"key":
"key_id":
}
"time": "2021-08-15T14:30Z", // ISO compliant date-time string, always in UTC
"user":{ // Optional: Network events will either have a User or Service Account
"email": "user@twingate.com",
"id": "113256"
}
}

Last updated 9 months ago