TLS Fields
editTLS Fields
editFields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files.
TLS Field Details
edit| Field | Description | Level |
|---|---|---|
tls.cipher |
String indicating the cipher used during the current connection. type: keyword example: |
extended |
tls.client.certificate |
PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of type: keyword example: |
extended |
tls.client.certificate_chain |
Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of type: keyword Note: this field should contain an array of values. example: |
extended |
tls.client.hash.md5 |
Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword example: |
extended |
tls.client.hash.sha1 |
Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword example: |
extended |
tls.client.hash.sha256 |
Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword example: |
extended |
tls.client.issuer |
Distinguished name of subject of the issuer of the x.509 certificate presented by the client. type: keyword example: |
extended |
tls.client.ja3 |
A hash that identifies clients based on how they perform an SSL/TLS handshake. type: keyword example: |
extended |
tls.client.not_after |
Date/Time indicating when client certificate is no longer considered valid. type: date example: |
extended |
tls.client.not_before |
Date/Time indicating when client certificate is first considered valid. type: date example: |
extended |
tls.client.server_name |
Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to type: keyword example: |
extended |
tls.client.subject |
Distinguished name of subject of the x.509 certificate presented by the client. type: keyword example: |
extended |
tls.client.supported_ciphers |
Array of ciphers offered by the client during the client hello. type: keyword Note: this field should contain an array of values. example: |
extended |
tls.curve |
String indicating the curve used for the given cipher, when applicable. type: keyword example: |
extended |
tls.established |
Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. type: boolean |
extended |
tls.next_protocol |
String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword example: |
extended |
tls.resumed |
Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. type: boolean |
extended |
tls.server.certificate |
PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of type: keyword example: |
extended |
tls.server.certificate_chain |
Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of type: keyword Note: this field should contain an array of values. example: |
extended |
tls.server.hash.md5 |
Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword example: |
extended |
tls.server.hash.sha1 |
Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword example: |
extended |
tls.server.hash.sha256 |
Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword example: |
extended |
tls.server.issuer |
Subject of the issuer of the x.509 certificate presented by the server. type: keyword example: |
extended |
tls.server.ja3s |
A hash that identifies servers based on how they perform an SSL/TLS handshake. type: keyword example: |
extended |
tls.server.not_after |
Timestamp indicating when server certificate is no longer considered valid. type: date example: |
extended |
tls.server.not_before |
Timestamp indicating when server certificate is first considered valid. type: date example: |
extended |
tls.server.subject |
Subject of the x.509 certificate presented by the server. type: keyword example: |
extended |
tls.version |
Numeric part of the version parsed from the original string. type: keyword example: |
extended |
tls.version_protocol |
Normalized lowercase protocol name parsed from original string. type: keyword example: |
extended |
Field Reuse
editField sets that can be nested under TLS
edit| Nested fields | Description |
|---|---|
These fields contain x509 certificate metadata. |
|
These fields contain x509 certificate metadata. |