TLS fields

Elastic Stack Serverless

Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files.

TLS field details

Field	Description	Level
tls.cipher	String indicating the cipher used during the current connection. type: keyword example: `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` tls.cipher	extended
tls.client.certificate	PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. type: keyword example: `MII...` tls.client.certificate	extended
tls.client.certificate_chain	Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. type: keyword Note: this field should contain an array of values. example: `["MII...", "MII..."]` tls.client.certificate_chain	extended
tls.client.hash.md5	Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword example: `0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC` tls.client.hash.md5	extended
tls.client.hash.sha1	Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword example: `9E393D93138888D288266C2D915214D1D1CCEB2A` tls.client.hash.sha1	extended
tls.client.hash.sha256	Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` tls.client.hash.sha256	extended
tls.client.issuer	Distinguished name of subject of the issuer of the x.509 certificate presented by the client. type: keyword example: `CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com` tls.client.issuer	extended
tls.client.ja3	A hash that identifies clients based on how they perform an SSL/TLS handshake. type: keyword example: `d4e5b18d6b55c71272893221c96ba240` tls.client.ja3	extended
tls.client.not_after	Date/Time indicating when client certificate is no longer considered valid. type: date example: `2021-01-01T00:00:00.000Z` tls.client.not_after	extended
tls.client.not_before	Date/Time indicating when client certificate is first considered valid. type: date example: `1970-01-01T00:00:00.000Z` tls.client.not_before	extended
tls.client.server_name	Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. type: keyword example: `www.elastic.co`	extended
tls.client.subject	Distinguished name of subject of the x.509 certificate presented by the client. type: keyword example: `CN=myclient, OU=Documentation Team, DC=example, DC=com` tls.client.subject	extended
tls.client.supported_ciphers	Array of ciphers offered by the client during the client hello. type: keyword Note: this field should contain an array of values. example: `["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]` tls.client.supported_ciphers	extended
tls.curve	String indicating the curve used for the given cipher, when applicable. type: keyword example: `secp256r1` tls.curve	extended
tls.established	Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. type: boolean tls.established	extended
tls.next_protocol	String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword example: `http/1.1` tls.next_protocol	extended
tls.resumed	Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. type: boolean tls.resumed	extended
tls.server.certificate	PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. type: keyword example: `MII...` tls.server.certificate	extended
tls.server.certificate_chain	Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. type: keyword Note: this field should contain an array of values. example: `["MII...", "MII..."]` tls.server.certificate_chain	extended
tls.server.hash.md5	Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword example: `0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC` tls.server.hash.md5	extended
tls.server.hash.sha1	Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword example: `9E393D93138888D288266C2D915214D1D1CCEB2A` tls.server.hash.sha1	extended
tls.server.hash.sha256	Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` tls.server.hash.sha256	extended
tls.server.issuer	Subject of the issuer of the x.509 certificate presented by the server. type: keyword example: `CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com` tls.server.issuer	extended
tls.server.ja3s	A hash that identifies servers based on how they perform an SSL/TLS handshake. type: keyword example: `394441ab65754e2207b1e1b457b3641d` tls.server.ja3s	extended
tls.server.not_after	Timestamp indicating when server certificate is no longer considered valid. type: date example: `2021-01-01T00:00:00.000Z` tls.server.not_after	extended
tls.server.not_before	Timestamp indicating when server certificate is first considered valid. type: date example: `1970-01-01T00:00:00.000Z` tls.server.not_before	extended
tls.server.subject	Subject of the x.509 certificate presented by the server. type: keyword example: `CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com` tls.server.subject	extended
tls.version	Numeric part of the version parsed from the original string. type: keyword example: `1.2`	extended
tls.version_protocol	Normalized lowercase protocol name parsed from original string. type: keyword example: `tls`	extended

Field reuse

Field sets that can be nested under TLS

Location	Field Set	Description
`tls.client.x509.*`	x509	These fields contain x509 certificate metadata.
`tls.server.x509.*`	x509	These fields contain x509 certificate metadata.