TLS fields
TLS-specific event fields.
-
tls.handshake_completed
-
type: boolean
Whether the TLS negotiation has been successful and the session has transitioned to encrypted mode.
-
tls.resumed
-
type: boolean
If the TLS session has been resumed from a previous session.
-
tls.resumption_method
-
type: keyword
If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension.
-
tls.client_certificate_requested
-
type: boolean
Whether the server has requested the client to authenticate itself using a client certificate.
-
tls.client_hello.version
-
type: keyword
The version of the TLS protocol by which the client wishes to communicate during this session.
-
tls.client_hello.supported_ciphers
-
type: array
List of ciphers the client is willing to use for this session. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
-
tls.client_hello.supported_compression_methods
-
type: array
The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml
extensions fields
The hello extensions provided by the client.
-
tls.client_hello.extensions.server_name_indication
-
type: keyword
List of hostnames.
-
tls.client_hello.extensions.application_layer_protocol_negotiation
-
type: keyword
List of application-layer protocols the client is willing to use.
-
tls.client_hello.extensions.session_ticket
-
type: keyword
Length of the session ticket, if provided, or an empty string to advertise support for tickets.
-
tls.server_hello.version
-
type: keyword
The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello.
-
tls.server_hello.selected_cipher
-
type: keyword
The cipher suite selected by the server from the list provided in the client hello.
-
tls.server_hello.selected_compression_method
-
type: keyword
The compression method selected by the server from the list provided in the client hello.
extensions fields
The hello extensions provided by the server.
-
tls.server_hello.extensions.application_layer_protocol_negotiation
-
type: array
Negotiated application-layer protocol.
-
tls.server_hello.extensions.session_ticket
-
type: keyword
Used to announce that a session ticket will be provided by the server. Always an empty string.
client_certificate fields
Certificate provided by the client for authentication.
-
tls.client_certificate.version
-
type: long
X509 format version.
-
tls.client_certificate.serial_number
-
type: keyword
The certificate’s serial number.
-
tls.client_certificate.not_before
-
type: date
Date before which the certificate is not valid.
-
tls.client_certificate.not_after
-
type: date
Date after which the certificate expires.
-
tls.client_certificate.public_key_algorithm
-
type: keyword
The algorithm used for this certificate’s public key. One of RSA, DSA or ECDSA.
-
tls.client_certificate.public_key_size
-
type: long
Size of the public key.
-
tls.client_certificate.signature_algorithm
-
type: keyword
The algorithm used for the certificate’s signature.
-
tls.client_certificate.alternative_names
-
type: array
Subject Alternative Names for this certificate.
-
tls.client_certificate.raw
-
type: keyword
The raw certificate in PEM format.
subject fields
Subject represented by this certificate.
-
tls.client_certificate.subject.country
-
type: keyword
Country code.
-
tls.client_certificate.subject.organization
-
type: keyword
Organization name.
-
tls.client_certificate.subject.organizational_unit
-
type: keyword
Unit within organization.
-
tls.client_certificate.subject.province
-
type: keyword
Province or region within country.
-
tls.client_certificate.subject.common_name
-
type: keyword
Name or host name identified by the certificate.
issuer fields
Entity that issued and signed this certificate.
-
tls.client_certificate.issuer.country
-
type: keyword
Country code.
-
tls.client_certificate.issuer.organization
-
type: keyword
Organization name.
-
tls.client_certificate.issuer.organizational_unit
-
type: keyword
Unit within organization.
-
tls.client_certificate.issuer.province
-
type: keyword
Province or region within country.
-
tls.client_certificate.issuer.common_name
-
type: keyword
Name or host name identified by the certificate.
server_certificate fields
Certificate provided by the server for authentication.
-
tls.server_certificate.version
-
type: long
X509 format version.
-
tls.server_certificate.serial_number
-
type: keyword
The certificate’s serial number.
-
tls.server_certificate.not_before
-
type: date
Date before which the certificate is not valid.
-
tls.server_certificate.not_after
-
type: date
Date after which the certificate expires.
-
tls.server_certificate.public_key_algorithm
-
type: keyword
The algorithm used for this certificate’s public key. One of RSA, DSA or ECDSA.
-
tls.server_certificate.public_key_size
-
type: long
Size of the public key.
-
tls.server_certificate.signature_algorithm
-
type: keyword
The algorithm used for the certificate’s signature.
-
tls.server_certificate.alternative_names
-
type: array
Subject Alternative Names for this certificate.
-
tls.server_certificate.raw
-
type: keyword
The raw certificate in PEM format.
subject fields
Subject represented by this certificate.
-
tls.server_certificate.subject.country
-
type: keyword
Country code.
-
tls.server_certificate.subject.organization
-
type: keyword
Organization name.
-
tls.server_certificate.subject.organizational_unit
-
type: keyword
Unit within organization.
-
tls.server_certificate.subject.province
-
type: keyword
Province or region within country.
-
tls.server_certificate.subject.common_name
-
type: keyword
Name or host name identified by the certificate.
issuer fields
Entity that issued and signed this certificate.
-
tls.server_certificate.issuer.country
-
type: keyword
Country code.
-
tls.server_certificate.issuer.organization
-
type: keyword
Organization name.
-
tls.server_certificate.issuer.organizational_unit
-
type: keyword
Unit within organization.
-
tls.server_certificate.issuer.province
-
type: keyword
Province or region within country.
-
tls.server_certificate.issuer.common_name
-
type: keyword
Name or host name identified by the certificate.
-
tls.server_certificate_chain
-
type: array
Chain of trust for the server certificate.
-
tls.client_certificate_chain
-
type: array
Chain of trust for the client certificate.
-
tls.alert_types
-
type: keyword
An array containing the TLS alert type for every alert received.
fingerprints fields
Fingerprints for this TLS session.
ja3 fields
JA3 TLS client fingerprint.
-
tls.fingerprints.ja3.hash
-
type: keyword
The JA3 fingerprint hash for the client side.
-
tls.fingerprints.ja3.str
-
type: keyword
The JA3 string used to calculate the hash.
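As an added example (not part of the original reference, and not the project's own code), the following triage routine shows how several of the fields above combine into defensive checks on an event: failed handshakes with their alerts, legacy protocol versions, expired or weakly keyed server certificates, and a consistency check that tls.fingerprints.ja3.hash is the MD5 of tls.fingerprints.ja3.str. The version strings ("TLS 1.0" and so on), the nested event layout, the 2048-bit RSA threshold and all sample events are assumptions constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone

LEGACY = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}  # assumed version strings
JA3 = "771,4865-4866,0-11-10,29-23,0"       # constructed JA3 string

def field(event, dotted, default=None):
    """Look up a dotted name such as tls.server_hello.version in a nested event."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def triage(event, now):
    """Return the findings for one TLS event, using only fields listed above."""
    out = []
    if not field(event, "tls.handshake_completed", False):
        alerts = field(event, "tls.alert_types", [])
        alerts = [alerts] if isinstance(alerts, str) else alerts
        out.append("handshake failed: " + (",".join(alerts) or "no alert"))
    version = field(event, "tls.server_hello.version")
    if version in LEGACY:
        out.append("legacy protocol: " + version)
    not_after = field(event, "tls.server_certificate.not_after")
    if not_after and datetime.fromisoformat(not_after.replace("Z", "+00:00")) < now:
        out.append("server certificate expired")
    size = field(event, "tls.server_certificate.public_key_size", 0)
    # 2048 bits is an assumed policy threshold, not a value from the reference.
    if field(event, "tls.server_certificate.public_key_algorithm") == "RSA" and size < 2048:
        out.append("weak RSA key: %d bits" % size)
    ja3_str = field(event, "tls.fingerprints.ja3.str")
    if ja3_str and hashlib.md5(ja3_str.encode()).hexdigest() != field(event, "tls.fingerprints.ja3.hash"):
        out.append("ja3.hash is not the MD5 of ja3.str")
    return out

def cert(not_after, size):
    return {"not_after": not_after, "public_key_algorithm": "RSA", "public_key_size": size}

# Constructed sample events (not captured traffic).
GOOD = {"tls": {"handshake_completed": True, "server_hello": {"version": "TLS 1.2"},
                "server_certificate": cert("2031-01-01T00:00:00Z", 2048),
                "fingerprints": {"ja3": {"str": JA3, "hash": hashlib.md5(JA3.encode()).hexdigest()}}}}
BAD = {"tls": {"handshake_completed": True, "server_hello": {"version": "TLS 1.0"},
               "server_certificate": cert("2019-06-01T00:00:00Z", 1024),
               "fingerprints": {"ja3": {"str": JA3, "hash": "0" * 32}}}}
FAILED = {"tls": {"handshake_completed": False, "alert_types": ["handshake_failure"]}}
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, ev in (("good", GOOD), ("bad", BAD), ("failed", FAILED)):
        print(name, triage(ev, NOW))
```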