x509 Certificate Fields
This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under file. When hashes of the DER-encoded certificate are available, the hash data set should be populated as well (e.g. file.hash.sha256). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. tls.server.x509).
x509 Certificate Field Details
Field | Description | Level |
---|---|---|
x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword. Note: this field should contain an array of values. | extended |
x509.issuer.common_name | List of common names (CN) of issuing certificate authority. type: keyword. Note: this field should contain an array of values. | extended |
x509.issuer.country | List of country (C) codes. type: keyword. Note: this field should contain an array of values. | extended |
x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. type: keyword. | extended |
x509.issuer.locality | List of locality names (L). type: keyword. Note: this field should contain an array of values. | extended |
x509.issuer.organization | List of organizations (O) of issuing certificate authority. type: keyword. Note: this field should contain an array of values. | extended |
x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. type: keyword. Note: this field should contain an array of values. | extended |
x509.issuer.state_or_province | List of state or province names (ST, S, or P). type: keyword. Note: this field should contain an array of values. | extended |
x509.not_after | Time at which the certificate is no longer considered valid. type: date. | extended |
x509.not_before | Time at which the certificate is first considered valid. type: date. | extended |
x509.public_key_algorithm | Algorithm used to generate the public key. type: keyword. | extended |
x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword. | extended |
x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. type: long. | extended |
x509.public_key_size | The size of the public key space in bits. type: long. | extended |
x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and with uppercase characters. type: keyword. | extended |
x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in the Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword. | extended |
x509.subject.common_name | List of common names (CN) of subject. type: keyword. Note: this field should contain an array of values. | extended |
x509.subject.country | List of country (C) codes. type: keyword. Note: this field should contain an array of values. | extended |
x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. type: keyword. | extended |
x509.subject.locality | List of locality names (L). type: keyword. Note: this field should contain an array of values. | extended |
x509.subject.organization | List of organizations (O) of subject. type: keyword. Note: this field should contain an array of values. | extended |
x509.subject.organizational_unit | List of organizational units (OU) of subject. type: keyword. Note: this field should contain an array of values. | extended |
x509.subject.state_or_province | List of state or province names (ST, S, or P). type: keyword. Note: this field should contain an array of values. | extended |
x509.version_number | Version of x509 format. type: keyword. | extended |
Field Reuse
The x509 fields are expected to be nested at: file.x509, tls.client.x509, tls.server.x509.
Note also that the x509 fields are not expected to be used directly at the root of the events.
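
The following Go program is an added example, not code from the schema's authors: it maps a parsed certificate to a subset of the fields above, nests the result under file.x509, and fills file.hash.sha256 from the DER bytes. The certificate is constructed inline; the function names sampleCert and ecsFile, the RFC 3339 rendering of the date fields, and the reading of the serial number rule as uppercase hexadecimal are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sampleCert builds a constructed self-signed certificate so the example runs offline.
func sampleCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(0xa1b2c3d4e5f6), NotBefore: t, NotAfter: t.AddDate(1, 0, 0),
		Subject: pkix.Name{CommonName: "shop.example.test"}, DNSNames: []string{"shop.example.test", "*.example.test"}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ecsFile maps one certificate to the file.* object: x509 fields plus the SHA-256 of its DER bytes.
func ecsFile(c *x509.Certificate) map[string]interface{} {
	x := map[string]interface{}{
		"alternative_names":   c.DNSNames,                        // array; DNS SANs only here
		"serial_number":       fmt.Sprintf("%X", c.SerialNumber), // hex, no colons, uppercase
		"signature_algorithm": c.SignatureAlgorithm.String(),     // Go crypto/x509 name
		"not_before":          c.NotBefore.UTC().Format(time.RFC3339),
		"not_after":           c.NotAfter.UTC().Format(time.RFC3339),
		"subject":             map[string]interface{}{"common_name": []string{c.Subject.CommonName}},
	}
	return map[string]interface{}{"x509": x, "hash": map[string]interface{}{"sha256": fmt.Sprintf("%x", sha256.Sum256(c.Raw))}}
}

func main() {
	c, err := sampleCert()
	if err != nil {
		panic(err)
	}
	fmt.Println(map[string]interface{}{"file": ecsFile(c)})
}
```

The same mapping function can be reused for tls.client.x509 and tls.server.x509 by nesting its x509 object under the corresponding side of the connection.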