TLS
Fields describing a TLS connection.
Fields
Field Summary
| Field | Type | Level | Description |
|---|---|---|---|
| tls.cipher | keyword | Extended | String indicating the cipher used during the current connection. |
| tls.client.certificate | keyword | Extended | PEM-encoded stand-alone certificate offered by the client. |
| tls.client.certificate_chain | keyword | Extended | Array of PEM-encoded certificates that make up the certificate chain offered by the client. |
| tls.client.hash.md5 | keyword | Extended | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. |
| tls.client.hash.sha1 | keyword | Extended | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. |
| tls.client.hash.sha256 | keyword | Extended | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. |
| tls.client.issuer | keyword | Extended | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. |
| tls.client.ja3 | keyword | Extended | A hash that identifies clients based on how they perform an SSL/TLS handshake. |
| tls.client.not_after | date | Extended | Date/Time indicating when client certificate is no longer considered valid. |
| tls.client.not_before | date | Extended | Date/Time indicating when client certificate is first considered valid. |
| tls.client.server_name | keyword | Extended | Hostname the client is trying to connect to. Also called the SNI. |
| tls.client.subject | keyword | Extended | Distinguished name of subject of the x.509 certificate presented by the client. |
| tls.client.supported_ciphers | keyword | Extended | Array of ciphers offered by the client during the client hello. |
| tls.client.x509.alternative_names | keyword | Extended | List of subject alternative names (SAN). |
| tls.client.x509.issuer.common_name | keyword | Extended | List of common names (CN) of issuing certificate authority. |
| tls.client.x509.issuer.country | keyword | Extended | List of country (C) codes |
| tls.client.x509.issuer.distinguished_name | keyword | Extended | Distinguished name (DN) of issuing certificate authority. |
| tls.client.x509.issuer.locality | keyword | Extended | List of locality names (L) |
| tls.client.x509.issuer.organization | keyword | Extended | List of organizations (O) of issuing certificate authority. |
| tls.client.x509.issuer.organizational_unit | keyword | Extended | List of organizational units (OU) of issuing certificate authority. |
| tls.client.x509.issuer.state_or_province | keyword | Extended | List of state or province names (ST, S, or P) |
| tls.client.x509.not_after | date | Extended | Time at which the certificate is no longer considered valid. |
| tls.client.x509.not_before | date | Extended | Time at which the certificate is first considered valid. |
| tls.client.x509.public_key_algorithm | keyword | Extended | Algorithm used to generate the public key. |
| tls.client.x509.public_key_curve | keyword | Extended | The curve used by the elliptic curve public key algorithm. This is algorithm specific. |
| tls.client.x509.public_key_exponent | long | Extended | Exponent used to derive the public key. This is algorithm specific. |
| tls.client.x509.public_key_size | long | Extended | The size of the public key space in bits. |
| tls.client.x509.serial_number | keyword | Extended | Unique serial number issued by the certificate authority. |
| tls.client.x509.signature_algorithm | keyword | Extended | Identifier for certificate signature algorithm. |
| tls.client.x509.subject.common_name | keyword | Extended | List of common names (CN) of subject. |
| tls.client.x509.subject.country | keyword | Extended | List of country (C) codes |
| tls.client.x509.subject.distinguished_name | keyword | Extended | Distinguished name (DN) of the certificate subject entity. |
| tls.client.x509.subject.locality | keyword | Extended | List of locality names (L) |
| tls.client.x509.subject.organization | keyword | Extended | List of organizations (O) of subject. |
| tls.client.x509.subject.organizational_unit | keyword | Extended | List of organizational units (OU) of subject. |
| tls.client.x509.subject.state_or_province | keyword | Extended | List of state or province names (ST, S, or P) |
| tls.client.x509.version_number | keyword | Extended | Version of x509 format. |
| tls.curve | keyword | Extended | String indicating the curve used for the given cipher, when applicable. |
| tls.established | boolean | Extended | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. |
| tls.next_protocol | keyword | Extended | String indicating the protocol being tunneled. |
| tls.resumed | boolean | Extended | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. |
| tls.server.certificate | keyword | Extended | PEM-encoded stand-alone certificate offered by the server. |
| tls.server.certificate_chain | keyword | Extended | Array of PEM-encoded certificates that make up the certificate chain offered by the server. |
| tls.server.hash.md5 | keyword | Extended | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. |
| tls.server.hash.sha1 | keyword | Extended | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. |
| tls.server.hash.sha256 | keyword | Extended | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. |
| tls.server.issuer | keyword | Extended | Subject of the issuer of the x.509 certificate presented by the server. |
| tls.server.ja3s | keyword | Extended | A hash that identifies servers based on how they perform an SSL/TLS handshake. |
| tls.server.not_after | date | Extended | Timestamp indicating when server certificate is no longer considered valid. |
| tls.server.not_before | date | Extended | Timestamp indicating when server certificate is first considered valid. |
| tls.server.subject | keyword | Extended | Subject of the x.509 certificate presented by the server. |
| tls.server.x509.alternative_names | keyword | Extended | List of subject alternative names (SAN). |
| tls.server.x509.issuer.common_name | keyword | Extended | List of common names (CN) of issuing certificate authority. |
| tls.server.x509.issuer.country | keyword | Extended | List of country (C) codes |
| tls.server.x509.issuer.distinguished_name | keyword | Extended | Distinguished name (DN) of issuing certificate authority. |
| tls.server.x509.issuer.locality | keyword | Extended | List of locality names (L) |
| tls.server.x509.issuer.organization | keyword | Extended | List of organizations (O) of issuing certificate authority. |
| tls.server.x509.issuer.organizational_unit | keyword | Extended | List of organizational units (OU) of issuing certificate authority. |
| tls.server.x509.issuer.state_or_province | keyword | Extended | List of state or province names (ST, S, or P) |
| tls.server.x509.not_after | date | Extended | Time at which the certificate is no longer considered valid. |
| tls.server.x509.not_before | date | Extended | Time at which the certificate is first considered valid. |
| tls.server.x509.public_key_algorithm | keyword | Extended | Algorithm used to generate the public key. |
| tls.server.x509.public_key_curve | keyword | Extended | The curve used by the elliptic curve public key algorithm. This is algorithm specific. |
| tls.server.x509.public_key_exponent | long | Extended | Exponent used to derive the public key. This is algorithm specific. |
| tls.server.x509.public_key_size | long | Extended | The size of the public key space in bits. |
| tls.server.x509.serial_number | keyword | Extended | Unique serial number issued by the certificate authority. |
| tls.server.x509.signature_algorithm | keyword | Extended | Identifier for certificate signature algorithm. |
| tls.server.x509.subject.common_name | keyword | Extended | List of common names (CN) of subject. |
| tls.server.x509.subject.country | keyword | Extended | List of country (C) codes |
| tls.server.x509.subject.distinguished_name | keyword | Extended | Distinguished name (DN) of the certificate subject entity. |
| tls.server.x509.subject.locality | keyword | Extended | List of locality names (L) |
| tls.server.x509.subject.organization | keyword | Extended | List of organizations (O) of subject. |
| tls.server.x509.subject.organizational_unit | keyword | Extended | List of organizational units (OU) of subject. |
| tls.server.x509.subject.state_or_province | keyword | Extended | List of state or province names (ST, S, or P) |
| tls.server.x509.version_number | keyword | Extended | Version of x509 format. |
| tls.version | keyword | Extended | Numeric part of the version parsed from the original string. |
| tls.version_protocol | keyword | Extended | Normalized lowercase protocol name parsed from original string. |
Field Details
tls.cipher
Type: keyword
Level: Extended
Description: String indicating the cipher used during the current connection.
Example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Indexed: true
tls.client.certificate
Type: keyword
Level: Extended
Description: PEM-encoded stand-alone certificate offered by the client.
Example: MII...
Indexed: true
tls.client.certificate_chain
Type: keyword
Level: Extended
Description: Array of PEM-encoded certificates that make up the certificate chain offered by the client.
Example: ["MII...", "MII..."]
Normalization: array
Indexed: true
tls.client.hash.md5
Type: keyword
Level: Extended
Description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
Example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
Indexed: true
tls.client.hash.sha1
Type: keyword
Level: Extended
Description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
Example: 9E393D93138888D288266C2D915214D1D1CCEB2A
Indexed: true
tls.client.hash.sha256
Type: keyword
Level: Extended
Description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
Example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
Indexed: true
tls.client.issuer
Type: keyword
Level: Extended
Description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
Example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
Indexed: true
tls.client.ja3
Type: keyword
Level: Extended
Description: A hash that identifies clients based on how they perform an SSL/TLS handshake.
Example: d4e5b18d6b55c71272893221c96ba240
Indexed: true
tls.client.not_after
Type: date
Level: Extended
Description: Date/Time indicating when client certificate is no longer considered valid.
Example: 2021-01-01T00:00:00.000Z
Indexed: true
tls.client.not_before
Type: date
Level: Extended
Description: Date/Time indicating when client certificate is first considered valid.
Example: 1970-01-01T00:00:00.000Z
Indexed: true
tls.client.server_name
Type: keyword
Level: Extended
Description: Hostname the client is trying to connect to. Also called the SNI.
Example: www.elastic.co
Indexed: true
tls.client.subject
Type: keyword
Level: Extended
Description: Distinguished name of subject of the x.509 certificate presented by the client.
Example: CN=myclient, OU=Documentation Team, DC=example, DC=com
Indexed: true
tls.client.supported_ciphers
Type: keyword
Level: Extended
Description: Array of ciphers offered by the client during the client hello.
Example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]
Normalization: array
Indexed: true
tls.client.x509.alternative_names
Type: keyword
Level: Extended
Description: List of subject alternative names (SAN).
Example: *.elastic.co
Normalization: array
Indexed: true
tls.client.x509.issuer.common_name
Type: keyword
Level: Extended
Description: List of common names (CN) of issuing certificate authority.
Example: Example SHA2 High Assurance Server CA
Normalization: array
Indexed: true
tls.client.x509.issuer.country
Type: keyword
Level: Extended
Description: List of country (C) codes
Example: US
Normalization: array
Indexed: true
tls.client.x509.issuer.distinguished_name
Type: keyword
Level: Extended
Description: Distinguished name (DN) of issuing certificate authority.
Example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
Indexed: true
tls.client.x509.issuer.locality
Type: keyword
Level: Extended
Description: List of locality names (L)
Example: Mountain View
Normalization: array
Indexed: true
tls.client.x509.issuer.organization
Type: keyword
Level: Extended
Description: List of organizations (O) of issuing certificate authority.
Example: Example Inc
Normalization: array
Indexed: true
tls.client.x509.issuer.organizational_unit
Type: keyword
Level: Extended
Description: List of organizational units (OU) of issuing certificate authority.
Example: www.example.com
Normalization: array
Indexed: true
tls.client.x509.issuer.state_or_province
Type: keyword
Level: Extended
Description: List of state or province names (ST, S, or P)
Example: California
Normalization: array
Indexed: true
tls.client.x509.not_after
Type: date
Level: Extended
Description: Time at which the certificate is no longer considered valid.
Example: 2020-07-16 03:15:39+00:00
Indexed: true
tls.client.x509.not_before
Type: date
Level: Extended
Description: Time at which the certificate is first considered valid.
Example: 2019-08-16 01:40:25+00:00
Indexed: true
tls.client.x509.public_key_algorithm
Type: keyword
Level: Extended
Description: Algorithm used to generate the public key.
Example: RSA
Indexed: true
tls.client.x509.public_key_curve
Type: keyword
Level: Extended
Description: The curve used by the elliptic curve public key algorithm. This is algorithm specific.
Example: nistp521
Indexed: true
tls.client.x509.public_key_exponent
Type: long
Level: Extended
Description: Exponent used to derive the public key. This is algorithm specific.
Example: 65537
Indexed: false
tls.client.x509.public_key_size
Type: long
Level: Extended
Description: The size of the public key space in bits.
Example: 2048
Indexed: true
tls.client.x509.serial_number
Type: keyword
Level: Extended
Description: Unique serial number issued by the certificate authority.
Example: 55FBB9C7DEBF09809D12CCAA
Indexed: true
tls.client.x509.signature_algorithm
Type: keyword
Level: Extended
Description: Identifier for certificate signature algorithm.
Example: SHA256-RSA
Indexed: true
tls.client.x509.subject.common_name
Type: keyword
Level: Extended
Description: List of common names (CN) of subject.
Example: shared.global.example.net
Normalization: array
Indexed: true
tls.client.x509.subject.country
Type: keyword
Level: Extended
Description: List of country (C) codes
Example: US
Normalization: array
Indexed: true
tls.client.x509.subject.distinguished_name
Type: keyword
Level: Extended
Description: Distinguished name (DN) of the certificate subject entity.
Example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
Indexed: true
tls.client.x509.subject.locality
Type: keyword
Level: Extended
Description: List of locality names (L)
Example: San Francisco
Normalization: array
Indexed: true
tls.client.x509.subject.organization
Type: keyword
Level: Extended
Description: List of organizations (O) of subject.
Example: Example, Inc.
Normalization: array
Indexed: true
tls.client.x509.subject.organizational_unit
Type: keyword
Level: Extended
Description: List of organizational units (OU) of subject.
Normalization: array
Indexed: true
tls.client.x509.subject.state_or_province
Type: keyword
Level: Extended
Description: List of state or province names (ST, S, or P)
Example: California
Normalization: array
Indexed: true
tls.client.x509.version_number
Type: keyword
Level: Extended
Description: Version of x509 format.
Example: 3
Indexed: true
tls.curve
Type: keyword
Level: Extended
Description: String indicating the curve used for the given cipher, when applicable.
Example: secp256r1
Indexed: true
tls.established
Type: boolean
Level: Extended
Description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
Indexed: true
tls.next_protocol
Type: keyword
Level: Extended
Description: String indicating the protocol being tunneled.
Example: http/1.1
Indexed: true
tls.resumed
Type: boolean
Level: Extended
Description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
Indexed: true
tls.server.certificate
Type: keyword
Level: Extended
Description: PEM-encoded stand-alone certificate offered by the server.
Example: MII...
Indexed: true
tls.server.certificate_chain
Type: keyword
Level: Extended
Description: Array of PEM-encoded certificates that make up the certificate chain offered by the server.
Example: ["MII...", "MII..."]
Normalization: array
Indexed: true
tls.server.hash.md5
Type: keyword
Level: Extended
Description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
Example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
Indexed: true
tls.server.hash.sha1
Type: keyword
Level: Extended
Description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
Example: 9E393D93138888D288266C2D915214D1D1CCEB2A
Indexed: true
tls.server.hash.sha256
Type: keyword
Level: Extended
Description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
Example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
Indexed: true
tls.server.issuer
Type: keyword
Level: Extended
Description: Subject of the issuer of the x.509 certificate presented by the server.
Example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
Indexed: true
tls.server.ja3s
Type: keyword
Level: Extended
Description: A hash that identifies servers based on how they perform an SSL/TLS handshake.
Example: 394441ab65754e2207b1e1b457b3641d
Indexed: true
tls.server.not_after
Type: date
Level: Extended
Description: Timestamp indicating when server certificate is no longer considered valid.
Example: 2021-01-01T00:00:00.000Z
Indexed: true
tls.server.not_before
Type: date
Level: Extended
Description: Timestamp indicating when server certificate is first considered valid.
Example: 1970-01-01T00:00:00.000Z
Indexed: true
tls.server.subject
Type: keyword
Level: Extended
Description: Subject of the x.509 certificate presented by the server.
Example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
Indexed: true
tls.server.x509.alternative_names
Type: keyword
Level: Extended
Description: List of subject alternative names (SAN).
Example: *.elastic.co
Normalization: array
Indexed: true
tls.server.x509.issuer.common_name
Type: keyword
Level: Extended
Description: List of common names (CN) of issuing certificate authority.
Example: Example SHA2 High Assurance Server CA
Normalization: array
Indexed: true
tls.server.x509.issuer.country
Type: keyword
Level: Extended
Description: List of country (C) codes
Example: US
Normalization: array
Indexed: true
tls.server.x509.issuer.distinguished_name
Type: keyword
Level: Extended
Description: Distinguished name (DN) of issuing certificate authority.
Example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
Indexed: true
tls.server.x509.issuer.locality
Type: keyword
Level: Extended
Description: List of locality names (L)
Example: Mountain View
Normalization: array
Indexed: true
tls.server.x509.issuer.organization
Type: keyword
Level: Extended
Description: List of organizations (O) of issuing certificate authority.
Example: Example Inc
Normalization: array
Indexed: true
tls.server.x509.issuer.organizational_unit
Type: keyword
Level: Extended
Description: List of organizational units (OU) of issuing certificate authority.
Example: www.example.com
Normalization: array
Indexed: true
tls.server.x509.issuer.state_or_province
Type: keyword
Level: Extended
Description: List of state or province names (ST, S, or P)
Example: California
Normalization: array
Indexed: true
tls.server.x509.not_after
Type: date
Level: Extended
Description: Time at which the certificate is no longer considered valid.
Example: 2020-07-16 03:15:39+00:00
Indexed: true
tls.server.x509.not_before
Type: date
Level: Extended
Description: Time at which the certificate is first considered valid.
Example: 2019-08-16 01:40:25+00:00
Indexed: true
tls.server.x509.public_key_algorithm
Type: keyword
Level: Extended
Description: Algorithm used to generate the public key.
Example: RSA
Indexed: true
tls.server.x509.public_key_curve
Type: keyword
Level: Extended
Description: The curve used by the elliptic curve public key algorithm. This is algorithm specific.
Example: nistp521
Indexed: true
tls.server.x509.public_key_exponent
Type: long
Level: Extended
Description: Exponent used to derive the public key. This is algorithm specific.
Example: 65537
Indexed: false
tls.server.x509.public_key_size
Type: long
Level: Extended
Description: The size of the public key space in bits.
Example: 2048
Indexed: true
tls.server.x509.serial_number
Type: keyword
Level: Extended
Description: Unique serial number issued by the certificate authority.
Example: 55FBB9C7DEBF09809D12CCAA
Indexed: true
tls.server.x509.signature_algorithm
Type: keyword
Level: Extended
Description: Identifier for certificate signature algorithm.
Example: SHA256-RSA
Indexed: true
tls.server.x509.subject.common_name
Type: keyword
Level: Extended
Description: List of common names (CN) of subject.
Example: shared.global.example.net
Normalization: array
Indexed: true
tls.server.x509.subject.country
Type: keyword
Level: Extended
Description: List of country (C) codes
Example: US
Normalization: array
Indexed: true
tls.server.x509.subject.distinguished_name
Type: keyword
Level: Extended
Description: Distinguished name (DN) of the certificate subject entity.
Example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
Indexed: true
tls.server.x509.subject.locality
Type: keyword
Level: Extended
Description: List of locality names (L)
Example: San Francisco
Normalization: array
Indexed: true
tls.server.x509.subject.organization
Type: keyword
Level: Extended
Description: List of organizations (O) of subject.
Example: Example, Inc.
Normalization: array
Indexed: true
tls.server.x509.subject.organizational_unit
Type: keyword
Level: Extended
Description: List of organizational units (OU) of subject.
Normalization: array
Indexed: true
tls.server.x509.subject.state_or_province
Type: keyword
Level: Extended
Description: List of state or province names (ST, S, or P)
Example: California
Normalization: array
Indexed: true
tls.server.x509.version_number
Type: keyword
Level: Extended
Description: Version of x509 format.
Example: 3
Indexed: true
tls.version
Type: keyword
Level: Extended
Description: Numeric part of the version parsed from the original string.
Example: 1.2
Indexed: true
tls.version_protocol
Type: keyword
Level: Extended
Description: Normalized lowercase protocol name parsed from original string.
Example: tls
Indexed: true