TLS Fields
editTLS Fields
editFields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files.
TLS Field Details
edit| Field | Description | Level |
|---|---|---|
|
String indicating the cipher used during the current connection. type: keyword example: |
extended |
|
|
PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of type: keyword example: |
extended |
|
|
Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of type: keyword Note: this field should contain an array of values. example: |
extended |
|
|
Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword example: |
extended |
|
|
Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword example: |
extended |
|
|
Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword example: |
extended |
|
|
Distinguished name of subject of the issuer of the x.509 certificate presented by the client. type: keyword example: |
extended |
|
|
A hash that identifies clients based on how they perform an SSL/TLS handshake. type: keyword example: |
extended |
|
|
Date/Time indicating when client certificate is no longer considered valid. type: date example: |
extended |
|
|
Date/Time indicating when client certificate is first considered valid. type: date example: |
extended |
|
|
Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to type: keyword example: |
extended |
|
|
Distinguished name of subject of the x.509 certificate presented by the client. type: keyword example: |
extended |
|
|
Array of ciphers offered by the client during the client hello. type: keyword Note: this field should contain an array of values. example: |
extended |
|
|
String indicating the curve used for the given cipher, when applicable. type: keyword example: |
extended |
|
|
Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. type: boolean |
extended |
|
|
String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword example: |
extended |
|
|
Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. type: boolean |
extended |
|
|
PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of type: keyword example: |
extended |
|
|
Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of type: keyword Note: this field should contain an array of values. example: |
extended |
|
|
Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword example: |
extended |
|
|
Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword example: |
extended |
|
|
Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword example: |
extended |
|
|
Subject of the issuer of the x.509 certificate presented by the server. type: keyword example: |
extended |
|
|
A hash that identifies servers based on how they perform an SSL/TLS handshake. type: keyword example: |
extended |
|
|
Timestamp indicating when server certificate is no longer considered valid. type: date example: |
extended |
|
|
Timestamp indicating when server certificate is first considered valid. type: date example: |
extended |
|
|
Subject of the x.509 certificate presented by the server. type: keyword example: |
extended |
|
|
Numeric part of the version parsed from the original string. type: keyword example: |
extended |
|
|
Normalized lowercase protocol name parsed from original string. type: keyword example: |
extended |