TLS fields

edit

TLS-specific event fields.

tls.version

The version of the TLS protocol used.

type: keyword

example: TLS 1.3

tls.handshake_completed

Whether the TLS negotiation has been successful and the session has transitioned to encrypted mode.

type: boolean

tls.resumed

If the TLS session has been resumed from a previous session.

type: boolean

tls.resumption_method

If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension.

type: keyword

tls.client_certificate_requested

Whether the server has requested the client to authenticate itself using a client certificate.

type: boolean

tls.client_hello.version

The version of the TLS protocol by which the client wishes to communicate during this session.

type: keyword

tls.client_hello.supported_ciphers

List of ciphers the client is willing to use for this session. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

type: array

tls.client_hello.supported_compression_methods

The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml

type: array

extensions

edit

The hello extensions provided by the client.

tls.client_hello.extensions.server_name_indication

List of hostnames

type: keyword

tls.client_hello.extensions.application_layer_protocol_negotiation

List of application-layer protocols the client is willing to use.

type: keyword

tls.client_hello.extensions.session_ticket

Length of the session ticket, if provided, or an empty string to advertise support for tickets.

type: keyword

tls.client_hello.extensions.supported_versions

List of TLS versions that the client is willing to use.

type: keyword

tls.client_hello.extensions.supported_groups

List of Elliptic Curve Cryptography (ECC) curve groups supported by the client.

type: keyword

tls.client_hello.extensions.signature_algorithms

List of signature algorithms that may be use in digital signatures.

type: keyword

tls.client_hello.extensions.ec_points_formats

List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse.

type: keyword

tls.client_hello.extensions._unparsed_

List of extensions that were left unparsed by Packetbeat.

type: keyword

tls.server_hello.version

The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello.

type: keyword

tls.server_hello.selected_cipher

The cipher suite selected by the server from the list provided by in the client hello.

type: keyword

tls.server_hello.selected_compression_method

The compression method selected by the server from the list provided in the client hello.

type: keyword

tls.server_hello.session_id

Unique number to identify the session for the corresponding connection with the client.

type: keyword

extensions

edit

The hello extensions provided by the server.

tls.server_hello.extensions.application_layer_protocol_negotiation

Negotiated application layer protocol

type: array

tls.server_hello.extensions.session_ticket

Used to announce that a session ticket will be provided by the server. Always an empty string.

type: keyword

tls.server_hello.extensions.supported_versions

Negotiated TLS version to be used.

type: keyword

tls.server_hello.extensions.ec_points_formats

List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse.

type: keyword

tls.server_hello.extensions._unparsed_

List of extensions that were left unparsed by Packetbeat.

type: keyword

client_certificate

edit

Certificate provided by the client for authentication.

tls.client_certificate.version

X509 format version.

type: long

tls.client_certificate.serial_number

The certificate’s serial number.

type: keyword

tls.client_certificate.not_before

Date before which the certificate is not valid.

type: date

tls.client_certificate.not_after

Date after which the certificate expires.

type: date

tls.client_certificate.public_key_algorithm

The algorithm used for this certificate’s public key. One of RSA, DSA or ECDSA.

type: keyword

tls.client_certificate.public_key_size

Size of the public key.

type: long

tls.client_certificate.signature_algorithm

The algorithm used for the certificate’s signature.

type: keyword

tls.client_certificate.alternative_names

Subject Alternative Names for this certificate.

type: array

tls.client_certificate.raw

The raw certificate in PEM format.

type: keyword

subject

edit

Subject represented by this certificate.

tls.client_certificate.subject.country

Country code.

type: keyword

tls.client_certificate.subject.organization

Organization name.

type: keyword

tls.client_certificate.subject.organizational_unit

Unit within organization.

type: keyword

tls.client_certificate.subject.province

Province or region within country.

type: keyword

tls.client_certificate.subject.common_name

Name or host name identified by the certificate.

type: keyword

issuer

edit

Entity that issued and signed this certificate.

tls.client_certificate.issuer.country

Country code.

type: keyword

tls.client_certificate.issuer.organization

Organization name.

type: keyword

tls.client_certificate.issuer.organizational_unit

Unit within organization.

type: keyword

tls.client_certificate.issuer.province

Province or region within country.

type: keyword

tls.client_certificate.issuer.common_name

Name or host name identified by the certificate.

type: keyword

tls.client_certificate.fingerprint.md5

Certificate’s MD5 fingerprint.

type: keyword

tls.client_certificate.fingerprint.sha1

Certificate’s SHA-1 fingerprint.

type: keyword

tls.client_certificate.fingerprint.sha256

Certificate’s SHA-256 fingerprint.

type: keyword

server_certificate

edit

Certificate provided by the server for authentication.

tls.server_certificate.version

X509 format version.

type: long

tls.server_certificate.serial_number

The certificate’s serial number.

type: keyword

tls.server_certificate.not_before

Date before which the certificate is not valid.

type: date

tls.server_certificate.not_after

Date after which the certificate expires.

type: date

tls.server_certificate.public_key_algorithm

The algorithm used for this certificate’s public key. One of RSA, DSA or ECDSA.

type: keyword

tls.server_certificate.public_key_size

Size of the public key.

type: long

tls.server_certificate.signature_algorithm

The algorithm used for the certificate’s signature.

type: keyword

tls.server_certificate.alternative_names

Subject Alternative Names for this certificate.

type: array

tls.server_certificate.raw

The raw certificate in PEM format.

type: keyword

subject

edit

Subject represented by this certificate.

tls.server_certificate.subject.country

Country code.

type: keyword

tls.server_certificate.subject.organization

Organization name.

type: keyword

tls.server_certificate.subject.organizational_unit

Unit within organization.

type: keyword

tls.server_certificate.subject.province

Province or region within country.

type: keyword

tls.server_certificate.subject.common_name

Name or host name identified by the certificate.

type: keyword

issuer

edit

Entity that issued and signed this certificate.

tls.server_certificate.issuer.country

Country code.

type: keyword

tls.server_certificate.issuer.organization

Organization name.

type: keyword

tls.server_certificate.issuer.organizational_unit

Unit within organization.

type: keyword

tls.server_certificate.issuer.province

Province or region within country.

type: keyword

tls.server_certificate.issuer.common_name

Name or host name identified by the certificate.

type: keyword

tls.server_certificate.fingerprint.md5

Certificate’s MD5 fingerprint.

type: keyword

tls.server_certificate.fingerprint.sha1

Certificate’s SHA-1 fingerprint.

type: keyword

tls.server_certificate.fingerprint.sha256

Certificate’s SHA-256 fingerprint.

type: keyword

tls.server_certificate_chain

Chain of trust for the server certificate.

type: array

tls.client_certificate_chain

Chain of trust for the client certificate.

type: array

tls.alert_types

An array containing the TLS alert type for every alert received.

type: keyword

fingerprints

edit

Fingerprints for this TLS session.

ja3

edit

JA3 TLS client fingerprint

tls.fingerprints.ja3.hash

The JA3 fingerprint hash for the client side.

type: keyword

tls.fingerprints.ja3.str

The JA3 string used to calculate the hash.

type: keyword