CommunityID
Overview
The CommunityID converter generates a Community ID network flow hash, a standardized identifier for correlating network events across different monitoring tools. The output is a base64-encoded string prefixed with 1:.
Syntax
CommunityID(sourceIP, sourcePort, destinationIP, destinationPort, Optional[protocol], Optional[seed])
- sourceIP: the source IP address (IPv4 or IPv6)
- sourcePort: the source port number (0–65535)
- destinationIP: the destination IP address (IPv4 or IPv6)
- destinationPort: the destination port number (0–65535)
- protocol (optional): one of TCP, UDP, ICMP, ICMP6, SCTP, or RSVP. Defaults to TCP
- seed (optional): hash seed value (0–65535). Defaults to 0
Note: When reading port values from a JSON body field, wrap them with Int() because JSON numbers are parsed as float64.
Examples
Input
{
  "_type": "log",
  "body": {
    "src_ip": "192.168.1.100",
    "src_port": 54321,
    "dst_ip": "10.0.0.50",
    "dst_port": 443,
    "protocol": 6
  },
  "resource": {...},
  "attributes": {}
}
Statement
set(attributes["flow_id"], CommunityID(body["src_ip"], Int(body["src_port"]), body["dst_ip"], Int(body["dst_port"]), "TCP"))
Output
{
  "_type": "log",
  "body": {
    "src_ip": "192.168.1.100",
    "src_port": 54321,
    "dst_ip": "10.0.0.50",
    "dst_port": 443,
    "protocol": 6
  },
  "resource": {...},
  "attributes": {
    "flow_id": "1:Tc8oreo6Mh2A7FPNfJunXrIbrvw="
  }
}
The function generated a Community ID hash for the TCP connection from 192.168.1.100:54321 to 10.0.0.50:443. This hash is deterministic — the same five-tuple always produces the same Community ID, enabling correlation across tools.
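To show what goes into the hash and why both directions of a flow correlate, here is an added Python example (not the converter's own code) that follows the public Community ID v1 specification for port-based protocols. The function name, the protocol table and the choice to reject non-integer ports are assumptions of this example, and it assumes the converter follows the same specification.

```python
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers for the port-based protocols the page lists.
# ICMP, ICMP6 and RSVP are left out to keep this example to one case.
PROTOCOLS = {"TCP": 6, "UDP": 17, "SCTP": 132}


def community_id(src_ip, src_port, dst_ip, dst_port, protocol="TCP", seed=0):
    """Return the Community ID v1 string for one flow tuple."""
    proto = PROTOCOLS[protocol.upper()]

    # Ports and seed are packed as 16-bit integers, so a float such as
    # 54321.0 (what a JSON parser may hand over) is rejected, not truncated.
    for name, value in (("src_port", src_port), ("dst_port", dst_port), ("seed", seed)):
        if type(value) is not int or not 0 <= value <= 0xFFFF:
            raise ValueError(f"{name} must be an integer in 0-65535, got {value!r}")

    src = ipaddress.ip_address(src_ip).packed  # 4 bytes (IPv4) or 16 (IPv6)
    dst = ipaddress.ip_address(dst_ip).packed
    if len(src) != len(dst):
        raise ValueError("source and destination must be the same IP version")

    # Put the smaller (address, port) endpoint first so both directions of a
    # connection hash to the same value.
    if (src, src_port) > (dst, dst_port):
        src, dst = dst, src
        src_port, dst_port = dst_port, src_port

    # seed | addr | addr | proto | zero pad | port | port, network byte order
    data = (struct.pack("!H", seed) + src + dst
            + struct.pack("!BBHH", proto, 0, src_port, dst_port))
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    # Constructed check using the tuple from the page's example, both directions.
    print(community_id("192.168.1.100", 54321, "10.0.0.50", 443, "TCP"))
    print(community_id("10.0.0.50", 443, "192.168.1.100", 54321, "TCP"))
```

Because the seed is part of the hashed input, every tool whose events are to be correlated has to be configured with the same seed value.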