x509 Certificate Fields
editx509 Certificate Fields
editThis implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.
When the certificate relates to a file, use the fields at file.x509. When hashes of the DER-encoded certificate are available, the hash data set should be populated as well (e.g. file.hash.sha256).
Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: tls.server.x509 and/or tls.client.x509.
x509 Certificate Field Details
edit| Field | Description | Level |
|---|---|---|
|
List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword Note: this field should contain an array of values. example: |
extended |
|
|
List of common name (CN) of issuing certificate authority. type: keyword Note: this field should contain an array of values. example: |
extended |
|
|
List of country (C) codes type: keyword Note: this field should contain an array of values. example: |
extended |
|
|
Distinguished name (DN) of issuing certificate authority. type: keyword example: |
extended |
|
|
List of locality names (L) type: keyword Note: this field should contain an array of values. example: |
extended |
|
|
List of organizations (O) of issuing certificate authority. type: keyword Note: this field should contain an array of values. example: |
extended |
|
|
List of organizational units (OU) of issuing certificate authority. type: keyword Note: this field should contain an array of values. example: |
extended |
|
|
List of state or province names (ST, S, or P) type: keyword Note: this field should contain an array of values. example: |
extended |
|
|
Time at which the certificate is no longer considered valid. type: date example: |
extended |
|
|
Time at which the certificate is first considered valid. type: date example: |
extended |
|
|
Algorithm used to generate the public key. type: keyword example: |
extended |
|
|
The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword example: |
extended |
|
|
Exponent used to derive the public key. This is algorithm specific. type: long example: |
extended |
|
|
The size of the public key space in bits. type: long example: |
extended |
|
|
Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword example: |
extended |
|
|
Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword example: |
extended |
|
|
List of common names (CN) of subject. type: keyword Note: this field should contain an array of values. example: |
extended |
|
|
List of country (C) code type: keyword Note: this field should contain an array of values. example: |
extended |
|
|
Distinguished name (DN) of the certificate subject entity. type: keyword example: |
extended |
|
|
List of locality names (L) type: keyword Note: this field should contain an array of values. example: |
extended |
|
|
List of organizations (O) of subject. type: keyword Note: this field should contain an array of values. example: |
extended |
|
|
List of organizational units (OU) of subject. type: keyword Note: this field should contain an array of values. |
extended |
|
|
List of state or province names (ST, S, or P) type: keyword Note: this field should contain an array of values. example: |
extended |
|
|
Version of x509 format. type: keyword example: |
extended |
Field Reuse
editThe x509 fields are expected to be nested at:
-
file.x509 -
threat.enrichments.indicator.x509 -
threat.indicator.x509 -
tls.client.x509 -
tls.server.x509
Note also that the x509 fields are not expected to be used directly at the root of the events.