diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index edc5cf66f4..1babc44a78 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -11,6 +11,8 @@ Thanks, you're awesome :-) -->
 ### Added
+* Added fields in `tls.*` to support analysis of TLS protocol events. #606
+
 ### Improvements
 ### Deprecated
diff --git a/code/go/ecs/tls.go b/code/go/ecs/tls.go
new file mode 100644
index 0000000000..fdb5144020
--- /dev/null
+++ b/code/go/ecs/tls.go
@@ -0,0 +1,154 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+import (
+ "time"
+)
+
+// Fields related to a TLS connection. These fields focus on the TLS protocol
+// itself and intentionally avoids in-depth analysis of the related x.509
+// certificate files.
+type Tls struct {
+ // Numeric part of the version parsed from the original string.
+ Version string `ecs:"version"`
+
+ // Normalized lowercase protocol name parsed from original string.
+ VersionProtocol string `ecs:"version_protocol"`
+
+ // String indicating the cipher used during the current connection.
+ Cipher string `ecs:"cipher"`
+
+ // String indicating the curve used for the given cipher, when applicable.
+ Curve string `ecs:"curve"`
+
+ // Boolean flag indicating if this TLS connection was resumed from an
+ // existing TLS negotiation.
+ Resumed bool `ecs:"resumed"`
+
+ // Boolean flag indicating if the TLS negotiation was successful and
+ // transitioned to an encrypted tunnel.
+ Established bool `ecs:"established"`
+
+ // String indicating the protocol being tunneled. Per the values in the
+ // IANA registry
+ // (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids),
+ // this string should be lower case.
+ NextProtocol string `ecs:"next_protocol"`
+
+ // A hash that identifies clients based on how they perform an SSL/TLS
+ // handshake.
+ ClientJa3 string `ecs:"client.ja3"`
+
+ // Also called an SNI, this tells the server which hostname to which the
+ // client is attempting to connect. When this value is available, it should
+ // get copied to `destination.domain`.
+ ClientServerName string `ecs:"client.server_name"`
+
+ // Array of ciphers offered by the client during the client hello.
+ ClientSupportedCiphers string `ecs:"client.supported_ciphers"`
+
+ // Distinguished name of subject of the x.509 certificate presented by the
+ // client.
+ ClientSubject string `ecs:"client.subject"`
+
+ // Distinguished name of subject of the issuer of the x.509 certificate
+ // presented by the client.
+ ClientIssuer string `ecs:"client.issuer"`
+
+ // Date/Time indicating when client certificate is first considered valid.
+ ClientNotBefore time.Time `ecs:"client.not_before"`
+
+ // Date/Time indicating when client certificate is no longer considered
+ // valid.
+ ClientNotAfter time.Time `ecs:"client.not_after"`
+
+ // Array of PEM-encoded certificates that make up the certificate chain
+ // offered by the client. This is usually mutually-exclusive of
+ // `client.certificate` since that value should be the first certificate in
+ // the chain.
+ ClientCertificateChain string `ecs:"client.certificate_chain"`
+
+ // PEM-encoded stand-alone certificate offered by the client. This is
+ // usually mutually-exclusive of `client.certificate_chain` since this
+ // value also exists in that list.
+ ClientCertificate string `ecs:"client.certificate"`
+
+ // Certificate fingerprint using the MD5 digest of DER-encoded version of
+ // certificate offered by the client. For consistency with other hash
+ // values, this value should be formatted as an uppercase hash.
+ ClientHashMd5 string `ecs:"client.hash.md5"`
+
+ // Certificate fingerprint using the SHA1 digest of DER-encoded version of
+ // certificate offered by the client. For consistency with other hash
+ // values, this value should be formatted as an uppercase hash.
+ ClientHashSha1 string `ecs:"client.hash.sha1"`
+
+ // Certificate fingerprint using the SHA256 digest of DER-encoded version
+ // of certificate offered by the client. For consistency with other hash
+ // values, this value should be formatted as an uppercase hash.
+ ClientHashSha256 string `ecs:"client.hash.sha256"`
+
+ // A hash that identifies servers based on how they perform an SSL/TLS
+ // handshake.
+ ServerJa3s string `ecs:"server.ja3s"`
+
+ // Array of ciphers offered by the server during the server hello.
+ ServerSupportedCiphers string `ecs:"server.supported_ciphers"`
+
+ // Subject of the x.509 certificate presented by the server.
+ ServerSubject string `ecs:"server.subject"`
+
+ // Subject of the issuer of the x.509 certificate presented by the server.
+ ServerIssuer string `ecs:"server.issuer"`
+
+ // Timestamp indicating when server certificate is first considered valid.
+ ServerNotBefore time.Time `ecs:"server.not_before"`
+
+ // Timestamp indicating when server certificate is no longer considered
+ // valid.
+ ServerNotAfter time.Time `ecs:"server.not_after"`
+
+ // Array of PEM-encoded certificates that make up the certificate chain
+ // offered by the server. This is usually mutually-exclusive of
+ // `server.certificate` since that value should be the first certificate in
+ // the chain.
+ ServerCertificateChain string `ecs:"server.certificate_chain"`
+
+ // PEM-encoded stand-alone certificate offered by the server. This is
+ // usually mutually-exclusive of `server.certificate_chain` since this
+ // value also exists in that list.
+ ServerCertificate string `ecs:"server.certificate"`
+
+ // Certificate fingerprint using the MD5 digest of DER-encoded version of
+ // certificate offered by the server. For consistency with other hash
+ // values, this value should be formatted as an uppercase hash.
+ ServerHashMd5 string `ecs:"server.hash.md5"`
+
+ // Certificate fingerprint using the SHA1 digest of DER-encoded version of
+ // certificate offered by the server. For consistency with other hash
+ // values, this value should be formatted as an uppercase hash.
+ ServerHashSha1 string `ecs:"server.hash.sha1"`
+
+ // Certificate fingerprint using the SHA256 digest of DER-encoded version
+ // of certificate offered by the server. For consistency with other hash
+ // values, this value should be formatted as an uppercase hash.
+ ServerHashSha256 string `ecs:"server.hash.sha256"`
+}
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index e5aa5f247f..bf308f2589 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
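Review bot: `ClientSupportedCiphers`, `ClientCertificateChain`, `ServerSupportedCiphers` and `ServerCertificateChain` are typed `string` even though their own comments say "Array of ..." and the generated YAML/CSV examples for the same fields are lists, so an event carrying several offered ciphers or a full chain cannot be represented through this struct. The file is marked `DO NOT EDIT`, so the fix belongs in the schema's array handling in `scripts/gocodegen.go` so these come out as `ClientSupportedCiphers []string` (and likewise for the other three) rather than a single string. On the `ClientServerName` comment, the advice to copy the SNI into `destination.domain` deserves a caveat, because the SNI is asserted by the client and is never checked against the certificate the server presents; I would add `// NOTE: the SNI is a client-supplied claim and is not validated against the server certificate; do not treat it as an authenticated destination.`. Likewise the `hash.md5`/`hash.sha1` comments could say those digests are retained for interoperability with existing tooling and that `hash.sha256` is the fingerprint to pin or match on, since MD5 and SHA-1 collisions are practical. Minor: `ServerSubject`/`ServerIssuer` drop the "Distinguished name of" wording used for the client counterparts, and the rendered docs inherit that inconsistency.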
@@ -3688,6 +3688,351 @@ example: `https://attack.mitre.org/techniques/T1499/` |===== +[[ecs-tls]] +=== TLS Fields + +Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. + +==== TLS Field Details + +[options="header"] +|===== +| Field | Description | Level + +// =============================================================== + +| tls.cipher +| String indicating the cipher used during the current connection. + +type: keyword + +example: `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` + +| extended + +// =============================================================== + +| tls.client.certificate +| PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. + +type: keyword + +example: `MII...` + +| extended + +// =============================================================== + +| tls.client.certificate_chain +| Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. + +type: keyword + +example: `['MII...', 'MII...']` + +| extended + +// =============================================================== + +| tls.client.hash.md5 +| Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: `0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC` + +| extended + +// =============================================================== + +| tls.client.hash.sha1 +| Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. 
+ +type: keyword + +example: `9E393D93138888D288266C2D915214D1D1CCEB2A` + +| extended + +// =============================================================== + +| tls.client.hash.sha256 +| Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` + +| extended + +// =============================================================== + +| tls.client.issuer +| Distinguished name of subject of the issuer of the x.509 certificate presented by the client. + +type: keyword + +example: `CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com` + +| extended + +// =============================================================== + +| tls.client.ja3 +| A hash that identifies clients based on how they perform an SSL/TLS handshake. + +type: keyword + +example: `d4e5b18d6b55c71272893221c96ba240` + +| extended + +// =============================================================== + +| tls.client.not_after +| Date/Time indicating when client certificate is no longer considered valid. + +type: date + +example: `2021-01-01T00:00:00.000Z` + +| extended + +// =============================================================== + +| tls.client.not_before +| Date/Time indicating when client certificate is first considered valid. + +type: date + +example: `1970-01-01T00:00:00.000Z` + +| extended + +// =============================================================== + +| tls.client.server_name +| Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. 
+ +type: keyword + +example: `www.elastic.co` + +| extended + +// =============================================================== + +| tls.client.subject +| Distinguished name of subject of the x.509 certificate presented by the client. + +type: keyword + +example: `CN=myclient, OU=Documentation Team, DC=mydomain, DC=com` + +| extended + +// =============================================================== + +| tls.client.supported_ciphers +| Array of ciphers offered by the client during the client hello. + +type: keyword + +example: `['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']` + +| extended + +// =============================================================== + +| tls.curve +| String indicating the curve used for the given cipher, when applicable. + +type: keyword + +example: `secp256r1` + +| extended + +// =============================================================== + +| tls.established +| Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. + +type: boolean + + + +| extended + +// =============================================================== + +| tls.next_protocol +| String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. + +type: keyword + +example: `http/1.1` + +| extended + +// =============================================================== + +| tls.resumed +| Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. + +type: boolean + + + +| extended + +// =============================================================== + +| tls.server.certificate +| PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. 
+ +type: keyword + +example: `MII...` + +| extended + +// =============================================================== + +| tls.server.certificate_chain +| Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. + +type: keyword + +example: `['MII...', 'MII...']` + +| extended + +// =============================================================== + +| tls.server.hash.md5 +| Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: `0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC` + +| extended + +// =============================================================== + +| tls.server.hash.sha1 +| Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: `9E393D93138888D288266C2D915214D1D1CCEB2A` + +| extended + +// =============================================================== + +| tls.server.hash.sha256 +| Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` + +| extended + +// =============================================================== + +| tls.server.issuer +| Subject of the issuer of the x.509 certificate presented by the server. 
+ +type: keyword + +example: `CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com` + +| extended + +// =============================================================== + +| tls.server.ja3s +| A hash that identifies servers based on how they perform an SSL/TLS handshake. + +type: keyword + +example: `394441ab65754e2207b1e1b457b3641d` + +| extended + +// =============================================================== + +| tls.server.not_after +| Timestamp indicating when server certificate is no longer considered valid. + +type: date + +example: `2021-01-01T00:00:00.000Z` + +| extended + +// =============================================================== + +| tls.server.not_before +| Timestamp indicating when server certificate is first considered valid. + +type: date + +example: `1970-01-01T00:00:00.000Z` + +| extended + +// =============================================================== + +| tls.server.subject +| Subject of the x.509 certificate presented by the server. + +type: keyword + +example: `CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com` + +| extended + +// =============================================================== + +| tls.server.supported_ciphers +| Array of ciphers offered by the server during the server hello. + +type: keyword + +example: `['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']` + +| extended + +// =============================================================== + +| tls.version +| Numeric part of the version parsed from the original string. + +type: keyword + +example: `1.2` + +| extended + +// =============================================================== + +| tls.version_protocol +| Normalized lowercase protocol name parsed from original string. + +type: keyword + +example: `tls` + +| extended + +// =============================================================== + +|===== + [[ecs-tracing]] === Tracing Fields 
diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc
index 074bcbb837..68bb97a872 100644
--- a/docs/fields.asciidoc
+++ b/docs/fields.asciidoc
@@ -76,6 +76,8 @@ all fields are defined.
 | <> | Fields to classify events and alerts according to a threat taxonomy.
+| <> | Fields describing a TLS connection.
+
 | <> | Fields related to distributed tracing.
 | <> | Fields that let you store URLs in various forms.
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index b95ae54007..583ae27f9a 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -2868,6 +2868,231 @@ the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) example: https://attack.mitre.org/techniques/T1499/ + - name: tls + title: TLS + group: 2 + description: Fields related to a TLS connection. These fields focus on the TLS + protocol itself and intentionally avoids in-depth analysis of the related x.509 + certificate files. + type: group + fields: + - name: cipher + level: extended + type: keyword + ignore_above: 1024 + description: String indicating the cipher used during the current connection. + example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + - name: client.certificate + level: extended + type: keyword + ignore_above: 1024 + description: PEM-encoded stand-alone certificate offered by the client. This + is usually mutually-exclusive of `client.certificate_chain` since this value + also exists in that list. + example: MII... + - name: client.certificate_chain + level: extended + type: keyword + ignore_above: 1024 + description: Array of PEM-encoded certificates that make up the certificate + chain offered by the client. This is usually mutually-exclusive of `client.certificate` + since that value should be the first certificate in the chain. + example: + - MII... + - MII... + - name: client.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: Certificate fingerprint using the MD5 digest of DER-encoded version + of certificate offered by the client. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + - name: client.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: Certificate fingerprint using the SHA1 digest of DER-encoded version + of certificate offered by the client. For consistency with other hash values, + this value should be formatted as an uppercase hash. 
+ example: 9E393D93138888D288266C2D915214D1D1CCEB2A + - name: client.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: Certificate fingerprint using the SHA256 digest of DER-encoded + version of certificate offered by the client. For consistency with other hash + values, this value should be formatted as an uppercase hash. + example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + - name: client.issuer + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name of subject of the issuer of the x.509 certificate + presented by the client. + example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com + - name: client.ja3 + level: extended + type: keyword + ignore_above: 1024 + description: A hash that identifies clients based on how they perform an SSL/TLS + handshake. + example: d4e5b18d6b55c71272893221c96ba240 + - name: client.not_after + level: extended + type: date + description: Date/Time indicating when client certificate is no longer considered + valid. + example: '2021-01-01T00:00:00.000Z' + - name: client.not_before + level: extended + type: date + description: Date/Time indicating when client certificate is first considered + valid. + example: '1970-01-01T00:00:00.000Z' + - name: client.server_name + level: extended + type: keyword + ignore_above: 1024 + description: Also called an SNI, this tells the server which hostname to which + the client is attempting to connect. When this value is available, it should + get copied to `destination.domain`. + example: www.elastic.co + - name: client.subject + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name of subject of the x.509 certificate presented + by the client. 
+ example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com + - name: client.supported_ciphers + level: extended + type: keyword + ignore_above: 1024 + description: Array of ciphers offered by the client during the client hello. + example: + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - '...' + - name: curve + level: extended + type: keyword + ignore_above: 1024 + description: String indicating the curve used for the given cipher, when applicable. + example: secp256r1 + - name: established + level: extended + type: boolean + description: Boolean flag indicating if the TLS negotiation was successful and + transitioned to an encrypted tunnel. + - name: next_protocol + level: extended + type: keyword + ignore_above: 1024 + description: String indicating the protocol being tunneled. Per the values in + the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), + this string should be lower case. + example: http/1.1 + - name: resumed + level: extended + type: boolean + description: Boolean flag indicating if this TLS connection was resumed from + an existing TLS negotiation. + - name: server.certificate + level: extended + type: keyword + ignore_above: 1024 + description: PEM-encoded stand-alone certificate offered by the server. This + is usually mutually-exclusive of `server.certificate_chain` since this value + also exists in that list. + example: MII... + - name: server.certificate_chain + level: extended + type: keyword + ignore_above: 1024 + description: Array of PEM-encoded certificates that make up the certificate + chain offered by the server. This is usually mutually-exclusive of `server.certificate` + since that value should be the first certificate in the chain. + example: + - MII... + - MII... 
+ - name: server.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: Certificate fingerprint using the MD5 digest of DER-encoded version + of certificate offered by the server. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + - name: server.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: Certificate fingerprint using the SHA1 digest of DER-encoded version + of certificate offered by the server. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 9E393D93138888D288266C2D915214D1D1CCEB2A + - name: server.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: Certificate fingerprint using the SHA256 digest of DER-encoded + version of certificate offered by the server. For consistency with other hash + values, this value should be formatted as an uppercase hash. + example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + - name: server.issuer + level: extended + type: keyword + ignore_above: 1024 + description: Subject of the issuer of the x.509 certificate presented by the + server. + example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com + - name: server.ja3s + level: extended + type: keyword + ignore_above: 1024 + description: A hash that identifies servers based on how they perform an SSL/TLS + handshake. + example: 394441ab65754e2207b1e1b457b3641d + - name: server.not_after + level: extended + type: date + description: Timestamp indicating when server certificate is no longer considered + valid. + example: '2021-01-01T00:00:00.000Z' + - name: server.not_before + level: extended + type: date + description: Timestamp indicating when server certificate is first considered + valid. 
+ example: '1970-01-01T00:00:00.000Z' + - name: server.subject + level: extended + type: keyword + ignore_above: 1024 + description: Subject of the x.509 certificate presented by the server. + example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com + - name: server.supported_ciphers + level: extended + type: keyword + ignore_above: 1024 + description: Array of ciphers offered by the server during the server hello. + example: + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - '...' + - name: version + level: extended + type: keyword + ignore_above: 1024 + description: Numeric part of the version parsed from the original string. + example: '1.2' + - name: version_protocol + level: extended + type: keyword + ignore_above: 1024 + description: Normalized lowercase protocol name parsed from original string. + example: tls - name: tracing title: Tracing group: 2 diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 9859650b83..f8b96e180d 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -361,6 +361,36 @@ threat.tactic.reference,keyword,extended,https://attack.mitre.org/tactics/TA0040
 threat.technique.id,keyword,extended,T1499,1.2.0-dev
 threat.technique.name,keyword,extended,endpoint denial of service,1.2.0-dev
 threat.technique.reference,keyword,extended,https://attack.mitre.org/techniques/T1499/,1.2.0-dev
+tls.cipher,keyword,extended,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,1.2.0-dev
+tls.client.certificate,keyword,extended,MII...,1.2.0-dev
+tls.client.certificate_chain,keyword,extended,"['MII...', 'MII...']",1.2.0-dev
+tls.client.hash.md5,keyword,extended,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,1.2.0-dev
+tls.client.hash.sha1,keyword,extended,9E393D93138888D288266C2D915214D1D1CCEB2A,1.2.0-dev
+tls.client.hash.sha256,keyword,extended,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,1.2.0-dev
+tls.client.issuer,keyword,extended,"CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com",1.2.0-dev
+tls.client.ja3,keyword,extended,d4e5b18d6b55c71272893221c96ba240,1.2.0-dev
+tls.client.not_after,date,extended,2021-01-01T00:00:00.000Z,1.2.0-dev
+tls.client.not_before,date,extended,1970-01-01T00:00:00.000Z,1.2.0-dev
+tls.client.server_name,keyword,extended,www.elastic.co,1.2.0-dev
+tls.client.subject,keyword,extended,"CN=myclient, OU=Documentation Team, DC=mydomain, DC=com",1.2.0-dev
+tls.client.supported_ciphers,keyword,extended,"['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']",1.2.0-dev
+tls.curve,keyword,extended,secp256r1,1.2.0-dev
+tls.established,boolean,extended,,1.2.0-dev
+tls.next_protocol,keyword,extended,http/1.1,1.2.0-dev
+tls.resumed,boolean,extended,,1.2.0-dev
+tls.server.certificate,keyword,extended,MII...,1.2.0-dev
+tls.server.certificate_chain,keyword,extended,"['MII...', 'MII...']",1.2.0-dev
+tls.server.hash.md5,keyword,extended,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,1.2.0-dev
+tls.server.hash.sha1,keyword,extended,9E393D93138888D288266C2D915214D1D1CCEB2A,1.2.0-dev
+tls.server.hash.sha256,keyword,extended,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,1.2.0-dev
+tls.server.issuer,keyword,extended,"CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com",1.2.0-dev
+tls.server.ja3s,keyword,extended,394441ab65754e2207b1e1b457b3641d,1.2.0-dev
+tls.server.not_after,date,extended,2021-01-01T00:00:00.000Z,1.2.0-dev
+tls.server.not_before,date,extended,1970-01-01T00:00:00.000Z,1.2.0-dev
+tls.server.subject,keyword,extended,"CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com",1.2.0-dev
+tls.server.supported_ciphers,keyword,extended,"['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']",1.2.0-dev
+tls.version,keyword,extended,1.2,1.2.0-dev
+tls.version_protocol,keyword,extended,tls,1.2.0-dev
 trace.id,keyword,extended,4bf92f3577b34da6a3ce929d0e0e4736,1.2.0-dev
 transaction.id,keyword,extended,00f067aa0ba902b7,1.2.0-dev
 url.domain,keyword,extended,www.elastic.co,1.2.0-dev
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index e00c05f372..6e118b3b38 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -4127,6 +4127,367 @@ threat.technique.reference: order: 6 short: Threat technique reference. type: keyword +tls.cipher: + description: String indicating the cipher used during the current connection. + example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + flat_name: tls.cipher + ignore_above: 1024 + level: extended + name: cipher + order: 2 + short: String indicating the cipher used during the current connection. + type: keyword +tls.client.certificate: + description: PEM-encoded stand-alone certificate offered by the client. This is + usually mutually-exclusive of `client.certificate_chain` since this value also + exists in that list. + example: MII... + flat_name: tls.client.certificate + ignore_above: 1024 + level: extended + name: client.certificate + order: 15 + short: PEM-encoded stand-alone certificate offered by the client. This is usually + mutually-exclusive of `client.certificate_chain` since this value also exists + in that list. + type: keyword +tls.client.certificate_chain: + description: Array of PEM-encoded certificates that make up the certificate chain + offered by the client. This is usually mutually-exclusive of `client.certificate` + since that value should be the first certificate in the chain. + example: + - MII... + - MII... + flat_name: tls.client.certificate_chain + ignore_above: 1024 + level: extended + name: client.certificate_chain + order: 14 + short: Array of PEM-encoded certificates that make up the certificate chain offered + by the client. This is usually mutually-exclusive of `client.certificate` since + that value should be the first certificate in the chain. + type: keyword +tls.client.hash.md5: + description: Certificate fingerprint using the MD5 digest of DER-encoded version + of certificate offered by the client. For consistency with other hash values, + this value should be formatted as an uppercase hash. 
+ example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + flat_name: tls.client.hash.md5 + ignore_above: 1024 + level: extended + name: client.hash.md5 + order: 16 + short: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate + offered by the client. For consistency with other hash values, this value should + be formatted as an uppercase hash. + type: keyword +tls.client.hash.sha1: + description: Certificate fingerprint using the SHA1 digest of DER-encoded version + of certificate offered by the client. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 9E393D93138888D288266C2D915214D1D1CCEB2A + flat_name: tls.client.hash.sha1 + ignore_above: 1024 + level: extended + name: client.hash.sha1 + order: 17 + short: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate + offered by the client. For consistency with other hash values, this value should + be formatted as an uppercase hash. + type: keyword +tls.client.hash.sha256: + description: Certificate fingerprint using the SHA256 digest of DER-encoded version + of certificate offered by the client. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + flat_name: tls.client.hash.sha256 + ignore_above: 1024 + level: extended + name: client.hash.sha256 + order: 18 + short: Certificate fingerprint using the SHA256 digest of DER-encoded version of + certificate offered by the client. For consistency with other hash values, this + value should be formatted as an uppercase hash. + type: keyword +tls.client.issuer: + description: Distinguished name of subject of the issuer of the x.509 certificate + presented by the client. 
+ example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com + flat_name: tls.client.issuer + ignore_above: 1024 + level: extended + name: client.issuer + order: 11 + short: Distinguished name of subject of the issuer of the x.509 certificate presented + by the client. + type: keyword +tls.client.ja3: + description: A hash that identifies clients based on how they perform an SSL/TLS + handshake. + example: d4e5b18d6b55c71272893221c96ba240 + flat_name: tls.client.ja3 + ignore_above: 1024 + level: extended + name: client.ja3 + order: 7 + short: A hash that identifies clients based on how they perform an SSL/TLS handshake. + type: keyword +tls.client.not_after: + description: Date/Time indicating when client certificate is no longer considered + valid. + example: '2021-01-01T00:00:00.000Z' + flat_name: tls.client.not_after + level: extended + name: client.not_after + order: 13 + short: Date/Time indicating when client certificate is no longer considered valid. + type: date +tls.client.not_before: + description: Date/Time indicating when client certificate is first considered valid. + example: '1970-01-01T00:00:00.000Z' + flat_name: tls.client.not_before + level: extended + name: client.not_before + order: 12 + short: Date/Time indicating when client certificate is first considered valid. + type: date +tls.client.server_name: + description: Also called an SNI, this tells the server which hostname to which the + client is attempting to connect. When this value is available, it should get copied + to `destination.domain`. + example: www.elastic.co + flat_name: tls.client.server_name + ignore_above: 1024 + level: extended + name: client.server_name + order: 8 + short: Also called an SNI, this tells the server which hostname to which the client + is attempting to connect. When this value is available, it should get copied to + `destination.domain`. 
+ type: keyword +tls.client.subject: + description: Distinguished name of subject of the x.509 certificate presented by + the client. + example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com + flat_name: tls.client.subject + ignore_above: 1024 + level: extended + name: client.subject + order: 10 + short: Distinguished name of subject of the x.509 certificate presented by the client. + type: keyword +tls.client.supported_ciphers: + description: Array of ciphers offered by the client during the client hello. + example: + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - '...' + flat_name: tls.client.supported_ciphers + ignore_above: 1024 + level: extended + name: client.supported_ciphers + order: 9 + short: Array of ciphers offered by the client during the client hello. + type: keyword +tls.curve: + description: String indicating the curve used for the given cipher, when applicable. + example: secp256r1 + flat_name: tls.curve + ignore_above: 1024 + level: extended + name: curve + order: 3 + short: String indicating the curve used for the given cipher, when applicable. + type: keyword +tls.established: + description: Boolean flag indicating if the TLS negotiation was successful and transitioned + to an encrypted tunnel. + flat_name: tls.established + level: extended + name: established + order: 5 + short: Boolean flag indicating if the TLS negotiation was successful and transitioned + to an encrypted tunnel. + type: boolean +tls.next_protocol: + description: String indicating the protocol being tunneled. Per the values in the + IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), + this string should be lower case. + example: http/1.1 + flat_name: tls.next_protocol + ignore_above: 1024 + level: extended + name: next_protocol + order: 6 + short: String indicating the protocol being tunneled. 
Per the values in the IANA + registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), + this string should be lower case. + type: keyword +tls.resumed: + description: Boolean flag indicating if this TLS connection was resumed from an + existing TLS negotiation. + flat_name: tls.resumed + level: extended + name: resumed + order: 4 + short: Boolean flag indicating if this TLS connection was resumed from an existing + TLS negotiation. + type: boolean +tls.server.certificate: + description: PEM-encoded stand-alone certificate offered by the server. This is + usually mutually-exclusive of `server.certificate_chain` since this value also + exists in that list. + example: MII... + flat_name: tls.server.certificate + ignore_above: 1024 + level: extended + name: server.certificate + order: 26 + short: PEM-encoded stand-alone certificate offered by the server. This is usually + mutually-exclusive of `server.certificate_chain` since this value also exists + in that list. + type: keyword +tls.server.certificate_chain: + description: Array of PEM-encoded certificates that make up the certificate chain + offered by the server. This is usually mutually-exclusive of `server.certificate` + since that value should be the first certificate in the chain. + example: + - MII... + - MII... + flat_name: tls.server.certificate_chain + ignore_above: 1024 + level: extended + name: server.certificate_chain + order: 25 + short: Array of PEM-encoded certificates that make up the certificate chain offered + by the server. This is usually mutually-exclusive of `server.certificate` since + that value should be the first certificate in the chain. + type: keyword +tls.server.hash.md5: + description: Certificate fingerprint using the MD5 digest of DER-encoded version + of certificate offered by the server. For consistency with other hash values, + this value should be formatted as an uppercase hash. 
+ example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + flat_name: tls.server.hash.md5 + ignore_above: 1024 + level: extended + name: server.hash.md5 + order: 27 + short: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate + offered by the server. For consistency with other hash values, this value should + be formatted as an uppercase hash. + type: keyword +tls.server.hash.sha1: + description: Certificate fingerprint using the SHA1 digest of DER-encoded version + of certificate offered by the server. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 9E393D93138888D288266C2D915214D1D1CCEB2A + flat_name: tls.server.hash.sha1 + ignore_above: 1024 + level: extended + name: server.hash.sha1 + order: 28 + short: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate + offered by the server. For consistency with other hash values, this value should + be formatted as an uppercase hash. + type: keyword +tls.server.hash.sha256: + description: Certificate fingerprint using the SHA256 digest of DER-encoded version + of certificate offered by the server. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + flat_name: tls.server.hash.sha256 + ignore_above: 1024 + level: extended + name: server.hash.sha256 + order: 29 + short: Certificate fingerprint using the SHA256 digest of DER-encoded version of + certificate offered by the server. For consistency with other hash values, this + value should be formatted as an uppercase hash. + type: keyword +tls.server.issuer: + description: Subject of the issuer of the x.509 certificate presented by the server. 
+ example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com + flat_name: tls.server.issuer + ignore_above: 1024 + level: extended + name: server.issuer + order: 22 + short: Subject of the issuer of the x.509 certificate presented by the server. + type: keyword +tls.server.ja3s: + description: A hash that identifies servers based on how they perform an SSL/TLS + handshake. + example: 394441ab65754e2207b1e1b457b3641d + flat_name: tls.server.ja3s + ignore_above: 1024 + level: extended + name: server.ja3s + order: 19 + short: A hash that identifies servers based on how they perform an SSL/TLS handshake. + type: keyword +tls.server.not_after: + description: Timestamp indicating when server certificate is no longer considered + valid. + example: '2021-01-01T00:00:00.000Z' + flat_name: tls.server.not_after + level: extended + name: server.not_after + order: 24 + short: Timestamp indicating when server certificate is no longer considered valid. + type: date +tls.server.not_before: + description: Timestamp indicating when server certificate is first considered valid. + example: '1970-01-01T00:00:00.000Z' + flat_name: tls.server.not_before + level: extended + name: server.not_before + order: 23 + short: Timestamp indicating when server certificate is first considered valid. + type: date +tls.server.subject: + description: Subject of the x.509 certificate presented by the server. + example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com + flat_name: tls.server.subject + ignore_above: 1024 + level: extended + name: server.subject + order: 21 + short: Subject of the x.509 certificate presented by the server. + type: keyword +tls.server.supported_ciphers: + description: Array of ciphers offered by the server during the server hello. + example: + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - '...' 
+ flat_name: tls.server.supported_ciphers + ignore_above: 1024 + level: extended + name: server.supported_ciphers + order: 20 + short: Array of ciphers offered by the server during the server hello. + type: keyword +tls.version: + description: Numeric part of the version parsed from the original string. + example: '1.2' + flat_name: tls.version + ignore_above: 1024 + level: extended + name: version + order: 0 + short: Numeric part of the version parsed from the original string. + type: keyword +tls.version_protocol: + description: Normalized lowercase protocol name parsed from original string. + example: tls + flat_name: tls.version_protocol + ignore_above: 1024 + level: extended + name: version_protocol + order: 1 + short: Normalized lowercase protocol name parsed from original string. + type: keyword trace.id: description: 'Unique identifier of the trace. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 942ee5dfef..17d22ee04c 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
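Review bot: The `tls.client.server_name` description in this hunk tells producers to copy the SNI into `destination.domain` unconditionally, but SNI is a cleartext, unauthenticated value chosen by the client, and nothing in the handshake ties it to the host actually reached (domain fronting and spoofed SNI are well-known evasion techniques). Promoting it to `destination.domain` without qualification lets the client dictate the destination attribution that detection rules and allow-lists key on. The guidance should mark the copied value as client-asserted and point producers at the server certificate, which is in this same field set, for corroboration, e.g. append to the description: `Note that the SNI is supplied by the client and is not authenticated; when copying it to destination.domain, treat it as asserted by the client and corroborate it against the server certificate subject (tls.server.subject) where possible.` This file is generated, so the wording change belongs in the source schema the generator reads rather than here.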
@@ -4602,6 +4602,384 @@ threat: short: Fields to classify events and alerts according to a threat taxonomy. title: Threat type: group +tls: + description: Fields related to a TLS connection. These fields focus on the TLS protocol + itself and intentionally avoids in-depth analysis of the related x.509 certificate + files. + fields: + cipher: + description: String indicating the cipher used during the current connection. + example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + flat_name: tls.cipher + ignore_above: 1024 + level: extended + name: cipher + order: 2 + short: String indicating the cipher used during the current connection. + type: keyword + client.certificate: + description: PEM-encoded stand-alone certificate offered by the client. This + is usually mutually-exclusive of `client.certificate_chain` since this value + also exists in that list. + example: MII... + flat_name: tls.client.certificate + ignore_above: 1024 + level: extended + name: client.certificate + order: 15 + short: PEM-encoded stand-alone certificate offered by the client. This is usually + mutually-exclusive of `client.certificate_chain` since this value also exists + in that list. + type: keyword + client.certificate_chain: + description: Array of PEM-encoded certificates that make up the certificate + chain offered by the client. This is usually mutually-exclusive of `client.certificate` + since that value should be the first certificate in the chain. + example: + - MII... + - MII... + flat_name: tls.client.certificate_chain + ignore_above: 1024 + level: extended + name: client.certificate_chain + order: 14 + short: Array of PEM-encoded certificates that make up the certificate chain + offered by the client. This is usually mutually-exclusive of `client.certificate` + since that value should be the first certificate in the chain. + type: keyword + client.hash.md5: + description: Certificate fingerprint using the MD5 digest of DER-encoded version + of certificate offered by the client. 
For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + flat_name: tls.client.hash.md5 + ignore_above: 1024 + level: extended + name: client.hash.md5 + order: 16 + short: Certificate fingerprint using the MD5 digest of DER-encoded version of + certificate offered by the client. For consistency with other hash values, + this value should be formatted as an uppercase hash. + type: keyword + client.hash.sha1: + description: Certificate fingerprint using the SHA1 digest of DER-encoded version + of certificate offered by the client. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 9E393D93138888D288266C2D915214D1D1CCEB2A + flat_name: tls.client.hash.sha1 + ignore_above: 1024 + level: extended + name: client.hash.sha1 + order: 17 + short: Certificate fingerprint using the SHA1 digest of DER-encoded version + of certificate offered by the client. For consistency with other hash values, + this value should be formatted as an uppercase hash. + type: keyword + client.hash.sha256: + description: Certificate fingerprint using the SHA256 digest of DER-encoded + version of certificate offered by the client. For consistency with other hash + values, this value should be formatted as an uppercase hash. + example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + flat_name: tls.client.hash.sha256 + ignore_above: 1024 + level: extended + name: client.hash.sha256 + order: 18 + short: Certificate fingerprint using the SHA256 digest of DER-encoded version + of certificate offered by the client. For consistency with other hash values, + this value should be formatted as an uppercase hash. + type: keyword + client.issuer: + description: Distinguished name of subject of the issuer of the x.509 certificate + presented by the client. 
+ example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com + flat_name: tls.client.issuer + ignore_above: 1024 + level: extended + name: client.issuer + order: 11 + short: Distinguished name of subject of the issuer of the x.509 certificate + presented by the client. + type: keyword + client.ja3: + description: A hash that identifies clients based on how they perform an SSL/TLS + handshake. + example: d4e5b18d6b55c71272893221c96ba240 + flat_name: tls.client.ja3 + ignore_above: 1024 + level: extended + name: client.ja3 + order: 7 + short: A hash that identifies clients based on how they perform an SSL/TLS handshake. + type: keyword + client.not_after: + description: Date/Time indicating when client certificate is no longer considered + valid. + example: '2021-01-01T00:00:00.000Z' + flat_name: tls.client.not_after + level: extended + name: client.not_after + order: 13 + short: Date/Time indicating when client certificate is no longer considered + valid. + type: date + client.not_before: + description: Date/Time indicating when client certificate is first considered + valid. + example: '1970-01-01T00:00:00.000Z' + flat_name: tls.client.not_before + level: extended + name: client.not_before + order: 12 + short: Date/Time indicating when client certificate is first considered valid. + type: date + client.server_name: + description: Also called an SNI, this tells the server which hostname to which + the client is attempting to connect. When this value is available, it should + get copied to `destination.domain`. + example: www.elastic.co + flat_name: tls.client.server_name + ignore_above: 1024 + level: extended + name: client.server_name + order: 8 + short: Also called an SNI, this tells the server which hostname to which the + client is attempting to connect. When this value is available, it should get + copied to `destination.domain`. 
+ type: keyword + client.subject: + description: Distinguished name of subject of the x.509 certificate presented + by the client. + example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com + flat_name: tls.client.subject + ignore_above: 1024 + level: extended + name: client.subject + order: 10 + short: Distinguished name of subject of the x.509 certificate presented by the + client. + type: keyword + client.supported_ciphers: + description: Array of ciphers offered by the client during the client hello. + example: + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - '...' + flat_name: tls.client.supported_ciphers + ignore_above: 1024 + level: extended + name: client.supported_ciphers + order: 9 + short: Array of ciphers offered by the client during the client hello. + type: keyword + curve: + description: String indicating the curve used for the given cipher, when applicable. + example: secp256r1 + flat_name: tls.curve + ignore_above: 1024 + level: extended + name: curve + order: 3 + short: String indicating the curve used for the given cipher, when applicable. + type: keyword + established: + description: Boolean flag indicating if the TLS negotiation was successful and + transitioned to an encrypted tunnel. + flat_name: tls.established + level: extended + name: established + order: 5 + short: Boolean flag indicating if the TLS negotiation was successful and transitioned + to an encrypted tunnel. + type: boolean + next_protocol: + description: String indicating the protocol being tunneled. Per the values in + the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), + this string should be lower case. + example: http/1.1 + flat_name: tls.next_protocol + ignore_above: 1024 + level: extended + name: next_protocol + order: 6 + short: String indicating the protocol being tunneled. 
Per the values in the + IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), + this string should be lower case. + type: keyword + resumed: + description: Boolean flag indicating if this TLS connection was resumed from + an existing TLS negotiation. + flat_name: tls.resumed + level: extended + name: resumed + order: 4 + short: Boolean flag indicating if this TLS connection was resumed from an existing + TLS negotiation. + type: boolean + server.certificate: + description: PEM-encoded stand-alone certificate offered by the server. This + is usually mutually-exclusive of `server.certificate_chain` since this value + also exists in that list. + example: MII... + flat_name: tls.server.certificate + ignore_above: 1024 + level: extended + name: server.certificate + order: 26 + short: PEM-encoded stand-alone certificate offered by the server. This is usually + mutually-exclusive of `server.certificate_chain` since this value also exists + in that list. + type: keyword + server.certificate_chain: + description: Array of PEM-encoded certificates that make up the certificate + chain offered by the server. This is usually mutually-exclusive of `server.certificate` + since that value should be the first certificate in the chain. + example: + - MII... + - MII... + flat_name: tls.server.certificate_chain + ignore_above: 1024 + level: extended + name: server.certificate_chain + order: 25 + short: Array of PEM-encoded certificates that make up the certificate chain + offered by the server. This is usually mutually-exclusive of `server.certificate` + since that value should be the first certificate in the chain. + type: keyword + server.hash.md5: + description: Certificate fingerprint using the MD5 digest of DER-encoded version + of certificate offered by the server. For consistency with other hash values, + this value should be formatted as an uppercase hash. 
+ example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + flat_name: tls.server.hash.md5 + ignore_above: 1024 + level: extended + name: server.hash.md5 + order: 27 + short: Certificate fingerprint using the MD5 digest of DER-encoded version of + certificate offered by the server. For consistency with other hash values, + this value should be formatted as an uppercase hash. + type: keyword + server.hash.sha1: + description: Certificate fingerprint using the SHA1 digest of DER-encoded version + of certificate offered by the server. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 9E393D93138888D288266C2D915214D1D1CCEB2A + flat_name: tls.server.hash.sha1 + ignore_above: 1024 + level: extended + name: server.hash.sha1 + order: 28 + short: Certificate fingerprint using the SHA1 digest of DER-encoded version + of certificate offered by the server. For consistency with other hash values, + this value should be formatted as an uppercase hash. + type: keyword + server.hash.sha256: + description: Certificate fingerprint using the SHA256 digest of DER-encoded + version of certificate offered by the server. For consistency with other hash + values, this value should be formatted as an uppercase hash. + example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + flat_name: tls.server.hash.sha256 + ignore_above: 1024 + level: extended + name: server.hash.sha256 + order: 29 + short: Certificate fingerprint using the SHA256 digest of DER-encoded version + of certificate offered by the server. For consistency with other hash values, + this value should be formatted as an uppercase hash. + type: keyword + server.issuer: + description: Subject of the issuer of the x.509 certificate presented by the + server. 
+ example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com + flat_name: tls.server.issuer + ignore_above: 1024 + level: extended + name: server.issuer + order: 22 + short: Subject of the issuer of the x.509 certificate presented by the server. + type: keyword + server.ja3s: + description: A hash that identifies servers based on how they perform an SSL/TLS + handshake. + example: 394441ab65754e2207b1e1b457b3641d + flat_name: tls.server.ja3s + ignore_above: 1024 + level: extended + name: server.ja3s + order: 19 + short: A hash that identifies servers based on how they perform an SSL/TLS handshake. + type: keyword + server.not_after: + description: Timestamp indicating when server certificate is no longer considered + valid. + example: '2021-01-01T00:00:00.000Z' + flat_name: tls.server.not_after + level: extended + name: server.not_after + order: 24 + short: Timestamp indicating when server certificate is no longer considered + valid. + type: date + server.not_before: + description: Timestamp indicating when server certificate is first considered + valid. + example: '1970-01-01T00:00:00.000Z' + flat_name: tls.server.not_before + level: extended + name: server.not_before + order: 23 + short: Timestamp indicating when server certificate is first considered valid. + type: date + server.subject: + description: Subject of the x.509 certificate presented by the server. + example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com + flat_name: tls.server.subject + ignore_above: 1024 + level: extended + name: server.subject + order: 21 + short: Subject of the x.509 certificate presented by the server. + type: keyword + server.supported_ciphers: + description: Array of ciphers offered by the server during the server hello. + example: + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - '...' 
+ flat_name: tls.server.supported_ciphers + ignore_above: 1024 + level: extended + name: server.supported_ciphers + order: 20 + short: Array of ciphers offered by the server during the server hello. + type: keyword + version: + description: Numeric part of the version parsed from the original string. + example: '1.2' + flat_name: tls.version + ignore_above: 1024 + level: extended + name: version + order: 0 + short: Numeric part of the version parsed from the original string. + type: keyword + version_protocol: + description: Normalized lowercase protocol name parsed from original string. + example: tls + flat_name: tls.version_protocol + ignore_above: 1024 + level: extended + name: version_protocol + order: 1 + short: Normalized lowercase protocol name parsed from original string. + type: keyword + group: 2 + name: tls + prefix: tls. + short: Fields describing a TLS connection. + title: TLS + type: group tracing: description: Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index d4940b74c5..30425608b0 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json 
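Review bot: The `server.supported_ciphers` description in this hunk ("Array of ciphers offered by the server during the server hello") does not match the protocol: a ServerHello carries exactly one selected cipher suite, which is what `tls.cipher` already records, so a producer following this definition has nothing to put in the array. If the field is meant to hold a server's configured cipher list learned from an active scan or from server-side configuration, the description should say so and state that it cannot be derived from a single passive handshake, e.g. `description: Array of cipher suites the server is known to accept, as learned from its configuration or an active scan; a single handshake exposes only the selected suite, which is recorded in tls.cipher.` Left as is, the field will be populated inconsistently across producers, which undermines weak-cipher detection rules built on it. This file is generated, so the fix belongs in the source schema.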
@@ -1708,6 +1708,140 @@ } } }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, "trace": { "properties": { "id": { diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 8ae0c64e9a..6d17e0b03d 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json 
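Review bot: `tls.client.certificate`, `tls.client.certificate_chain`, `tls.server.certificate` and `tls.server.certificate_chain` are mapped in this hunk as `keyword` with `"ignore_above": 1024`, while the field docs elsewhere on this page describe them as PEM-encoded certificates; a PEM certificate is routinely 1–2 KB of base64, so most real values exceed the limit and Elasticsearch keeps them in `_source` without indexing them, leaving the field unsearchable in exactly the case it exists for (hunting a known-bad certificate across hosts). Either the limit should be raised or removed for these four fields, or their documentation should state that they are retrieval-only and that lookups must go through `tls.*.hash.sha256`. The 1024 is presumably the generator's default for every keyword field, and this template is generated, so the change belongs in the source schema or a per-field override rather than here.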
@@ -1707,6 +1707,140 @@ } } }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, "trace": { "properties": { "id": { diff --git a/generated/legacy/template.json b/generated/legacy/template.json index d8bdc4e974..479e158d44 100644 --- a/generated/legacy/template.json +++ b/generated/legacy/template.json 
@@ -1123,6 +1123,140 @@ } } }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, "tracing": { "properties": { "trace": { diff --git a/schema.json b/schema.json index 29136b9e6e..a3644d68bd 100644 --- a/schema.json +++ b/schema.json 
@@ -2670,6 +2670,315 @@ "title": "Threat", "type": "group" }, + "tls": { + "description": "Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files.\n", + "fields": { + "tls.cipher": { + "description": "String indicating the cipher used during the current connection.", + "example": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.cipher", + "required": false, + "type": "keyword" + }, + "tls.client.certificate": { + "description": "PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.", + "example": "MII...", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.client.certificate", + "required": false, + "type": "keyword" + }, + "tls.client.certificate_chain": { + "description": "Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.", + "example": "['MII...', 'MII...']", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.client.certificate_chain", + "required": false, + "type": "keyword" + }, + "tls.client.hash.md5": { + "description": "Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.", + "example": "0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.client.hash.md5", + "required": false, + "type": "keyword" + }, + "tls.client.hash.sha1": { + "description": "Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. 
For consistency with other hash values, this value should be formatted as an uppercase hash.", + "example": "9E393D93138888D288266C2D915214D1D1CCEB2A", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.client.hash.sha1", + "required": false, + "type": "keyword" + }, + "tls.client.hash.sha256": { + "description": "Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.", + "example": "0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.client.hash.sha256", + "required": false, + "type": "keyword" + }, + "tls.client.issuer": { + "description": "Distinguished name of subject of the issuer of the x.509 certificate presented by the client.", + "example": "CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.client.issuer", + "required": false, + "type": "keyword" + }, + "tls.client.ja3": { + "description": "A hash that identifies clients based on how they perform an SSL/TLS handshake.", + "example": "d4e5b18d6b55c71272893221c96ba240", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.client.ja3", + "required": false, + "type": "keyword" + }, + "tls.client.not_after": { + "description": "Date/Time indicating when client certificate is no longer considered valid.", + "example": "2021-01-01T00:00:00.000Z", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.client.not_after", + "required": false, + "type": "date" + }, + "tls.client.not_before": { + "description": "Date/Time indicating when client certificate is first considered valid.", + "example": "1970-01-01T00:00:00.000Z", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.client.not_before", + "required": false, + "type": "date" + }, 
+ "tls.client.server_name": { + "description": "Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`.", + "example": "www.elastic.co", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.client.server_name", + "required": false, + "type": "keyword" + }, + "tls.client.subject": { + "description": "Distinguished name of subject of the x.509 certificate presented by the client.", + "example": "CN=myclient, OU=Documentation Team, DC=mydomain, DC=com", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.client.subject", + "required": false, + "type": "keyword" + }, + "tls.client.supported_ciphers": { + "description": "Array of ciphers offered by the client during the client hello.", + "example": "['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.client.supported_ciphers", + "required": false, + "type": "keyword" + }, + "tls.curve": { + "description": "String indicating the curve used for the given cipher, when applicable.", + "example": "secp256r1", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.curve", + "required": false, + "type": "keyword" + }, + "tls.established": { + "description": "Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.", + "example": "", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.established", + "required": false, + "type": "boolean" + }, + "tls.next_protocol": { + "description": "String indicating the protocol being tunneled. 
Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case.", + "example": "http/1.1", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.next_protocol", + "required": false, + "type": "keyword" + }, + "tls.resumed": { + "description": "Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.", + "example": "", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.resumed", + "required": false, + "type": "boolean" + }, + "tls.server.certificate": { + "description": "PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list.", + "example": "MII...", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.server.certificate", + "required": false, + "type": "keyword" + }, + "tls.server.certificate_chain": { + "description": "Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.", + "example": "['MII...', 'MII...']", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.server.certificate_chain", + "required": false, + "type": "keyword" + }, + "tls.server.hash.md5": { + "description": "Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. 
For consistency with other hash values, this value should be formatted as an uppercase hash.", + "example": "0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.server.hash.md5", + "required": false, + "type": "keyword" + }, + "tls.server.hash.sha1": { + "description": "Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.", + "example": "9E393D93138888D288266C2D915214D1D1CCEB2A", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.server.hash.sha1", + "required": false, + "type": "keyword" + }, + "tls.server.hash.sha256": { + "description": "Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.", + "example": "0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.server.hash.sha256", + "required": false, + "type": "keyword" + }, + "tls.server.issuer": { + "description": "Subject of the issuer of the x.509 certificate presented by the server.", + "example": "CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.server.issuer", + "required": false, + "type": "keyword" + }, + "tls.server.ja3s": { + "description": "A hash that identifies servers based on how they perform an SSL/TLS handshake.", + "example": "394441ab65754e2207b1e1b457b3641d", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.server.ja3s", + "required": false, + "type": "keyword" + }, + "tls.server.not_after": { + "description": "Timestamp indicating when server certificate is no longer considered valid.", + "example": "2021-01-01T00:00:00.000Z", + "footnote": 
"", + "group": 2, + "level": "extended", + "name": "tls.server.not_after", + "required": false, + "type": "date" + }, + "tls.server.not_before": { + "description": "Timestamp indicating when server certificate is first considered valid.", + "example": "1970-01-01T00:00:00.000Z", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.server.not_before", + "required": false, + "type": "date" + }, + "tls.server.subject": { + "description": "Subject of the x.509 certificate presented by the server.", + "example": "CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.server.subject", + "required": false, + "type": "keyword" + }, + "tls.server.supported_ciphers": { + "description": "Array of ciphers offered by the server during the server hello.", + "example": "['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.server.supported_ciphers", + "required": false, + "type": "keyword" + }, + "tls.version": { + "description": "Numeric part of the version parsed from the original string.", + "example": "1.2", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.version", + "required": false, + "type": "keyword" + }, + "tls.version_protocol": { + "description": "Normalized lowercase protocol name parsed from original string.", + "example": "tls", + "footnote": "", + "group": 2, + "level": "extended", + "name": "tls.version_protocol", + "required": false, + "type": "keyword" + } + }, + "group": 2, + "name": "tls", + "title": "TLS", + "type": "group" + }, "tracing": { "description": "Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. 
This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services.\n", "fields": { diff --git a/schemas/tls.yml b/schemas/tls.yml new file mode 100644 index 0000000000..d7346bdcfa --- /dev/null +++ b/schemas/tls.yml 
@@ -0,0 +1,217 @@
+---
+- name: tls
+ title: TLS
+ group: 2
+ short: Fields describing a TLS connection.
+ description: >
+ Fields related to a TLS connection. These fields focus on the TLS protocol itself
+ and intentionally avoids in-depth analysis of the related x.509 certificate files.
+ type: group
+ fields:
+
+ - name: version
+ level: extended
+ type: keyword
+ description: Numeric part of the version parsed from the original string.
+ example: "1.2"
+
+ - name: version_protocol
+ level: extended
+ type: keyword
+ description: Normalized lowercase protocol name parsed from original string.
+ example: "tls"
+
+ - name: cipher
+ type: keyword
+ level: extended
+ description: String indicating the cipher used during the current connection.
+ example: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
+
+ - name: curve
+ type: keyword
+ level: extended
+ description: String indicating the curve used for the given cipher, when applicable.
+ example: "secp256r1"
+
+ - name: resumed
+ type: boolean
+ level: extended
+ description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+
+ - name: established
+ type: boolean
+ level: extended
+ description: >
+ Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+
+ - name: next_protocol
+ type: keyword
+ level: extended
+ description: >
+ String indicating the protocol being tunneled. Per the values in the IANA registry
+ (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids),
+ this string should be lower case.
+ example: "http/1.1"
+
+ - name: client.ja3
+ type: keyword
+ level: extended
+ description: A hash that identifies clients based on how they perform an SSL/TLS handshake.
+ example: d4e5b18d6b55c71272893221c96ba240
+
+ - name: client.server_name
+ type: keyword
+ level: extended
+ description: >
+ Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When
+ this value is available, it should get copied to `destination.domain`.
+ example: "www.elastic.co"
+
+ - name: client.supported_ciphers
+ type: keyword
+ level: extended
+ description: Array of ciphers offered by the client during the client hello.
+ example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]
+
+ - name: client.subject
+ type: keyword
+ level: extended
+ description: Distinguished name of subject of the x.509 certificate presented by the client.
+ example: "CN=myclient, OU=Documentation Team, DC=mydomain, DC=com"
+
+ - name: client.issuer
+ type: keyword
+ level: extended
+ description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+ example: "CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com"
+
+ - name: client.not_before
+ type: date
+ level: extended
+ description: Date/Time indicating when client certificate is first considered valid.
+ example: "1970-01-01T00:00:00.000Z"
+
+ - name: client.not_after
+ type: date
+ level: extended
+ description: Date/Time indicating when client certificate is no longer considered valid.
+ example: "2021-01-01T00:00:00.000Z"
+
+ - name: client.certificate_chain
+ type: keyword
+ level: extended
+ description: >
+ Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is
+ usually mutually-exclusive of `client.certificate` since that value should be the first certificate
+ in the chain.
+ example: ["MII...", "MII..."]
+
+ - name: client.certificate
+ type: keyword
+ level: extended
+ description: >
+ PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of
+ `client.certificate_chain` since this value also exists in that list.
+ example: "MII..."
+
+ - name: client.hash.md5
+ type: keyword
+ level: extended
+ description: >
+ Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
+ For consistency with other hash values, this value should be formatted as an uppercase hash.
+ example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+
+ - name: client.hash.sha1
+ type: keyword
+ level: extended
+ description: >
+ Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
+ For consistency with other hash values, this value should be formatted as an uppercase hash.
+ example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+
+ - name: client.hash.sha256
+ type: keyword
+ level: extended
+ description: >
+ Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
+ For consistency with other hash values, this value should be formatted as an uppercase hash.
+ example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+
+ - name: server.ja3s
+ type: keyword
+ level: extended
+ description: A hash that identifies servers based on how they perform an SSL/TLS handshake.
+ example: 394441ab65754e2207b1e1b457b3641d
+
+ - name: server.supported_ciphers
+ type: keyword
+ level: extended
+ description: Array of ciphers offered by the server during the server hello.
+ example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]
+
+ - name: server.subject
+ type: keyword
+ level: extended
+ description: Subject of the x.509 certificate presented by the server.
+ example: "CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com"
+
+ - name: server.issuer
+ type: keyword
+ level: extended
+ description: Subject of the issuer of the x.509 certificate presented by the server.
+ example: "CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com"
+
+ - name: server.not_before
+ type: date
+ level: extended
+ description: Timestamp indicating when server certificate is first considered valid.
+ example: "1970-01-01T00:00:00.000Z"
+
+ - name: server.not_after
+ type: date
+ level: extended
+ description: Timestamp indicating when server certificate is no longer considered valid.
+ example: "2021-01-01T00:00:00.000Z"
+
+ - name: server.certificate_chain
+ type: keyword
+ level: extended
+ description: >
+ Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is
+ usually mutually-exclusive of `server.certificate` since that value should be the first certificate
+ in the chain.
+ example: ["MII...", "MII..."]
+
+ - name: server.certificate
+ type: keyword
+ level: extended
+ description: >
+ PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of
+ `server.certificate_chain` since this value also exists in that list.
+ example: "MII..."
+
+ - name: server.hash.md5
+ type: keyword
+ level: extended
+ description: >
+ Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
+ For consistency with other hash values, this value should be formatted as an uppercase hash.
+ example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+
+ - name: server.hash.sha1
+ type: keyword
+ level: extended
+ description: >
+ Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
+ For consistency with other hash values, this value should be formatted as an uppercase hash.
+ example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+
+ - name: server.hash.sha256
+ type: keyword
+ level: extended
+ description: >
+ Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
+ For consistency with other hash values, this value should be formatted as an uppercase hash. + example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + diff --git a/scripts/go.mod b/scripts/go.mod index f1c1c9c239..8f287b93a0 100644 --- a/scripts/go.mod +++ b/scripts/go.mod @@ -14,3 +14,5 @@ require ( gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect gopkg.in/yaml.v2 v2.2.2 // indirect ) + +go 1.13 diff --git a/use-cases/tls.md b/use-cases/tls.md index d42636be88..c47849d204 100644 --- a/use-cases/tls.md +++ b/use-cases/tls.md @@ -11,7 +11,7 @@ You can store TLS-related metadata under `tls.`, when appropriate. | [source.ip](../README.md#source.ip) | IP address of the source.
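Review bot: The `client.certificate`, `client.certificate_chain`, `server.certificate` and `server.certificate_chain` entries in this file are typed `keyword`, and the regenerated templates earlier on this page give every keyword `ignore_above: 1024`; a PEM-encoded certificate is normally longer than 1024 bytes, so those values would be kept in the document source but never indexed, and a query on them would silently match nothing. If the schema tooling accepts a per-field `ignore_above`, raise it for the four certificate fields; if it does not, their descriptions should state that the value is retained but not searchable, so that detections are written against the `hash.*` fingerprint fields instead. Independently, the `use-cases/tls.md` hunk on the same page still documents `tls.version` with the example `TLSv1.2`, while this file defines `version` as the numeric part (`"1.2"`) and puts the protocol name in `version_protocol`; the use-case example should be `1.2` to match. Finally, the group `description: >` says `intentionally avoids` for a plural subject and should read `intentionally avoid`.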
Can be one or multiple IPv4 or IPv6 addresses. | core | ip | `10.1.1.10` | | [destination.ip](../README.md#destination.ip) | IP address of the destination.
Can be one or multiple IPv4 or IPv6 addresses. | core | ip | `5.5.5.5` | | [destination.port](../README.md#destination.port) | Port of the destination. | core | long | `443` | -| *tls.version* | *TLS version.* | (use case) | keyword | `TLSv1.2` | +| [tls.version](../README.md#tls.version) | TLS version. | extended | keyword | `TLSv1.2` | | *tls.certificates* | *An array of certificates.* | (use case) | keyword | | | *tls.servername* | *Server name requested by the client.* | (use case) | keyword | `localhost` | | *tls.ciphersuite* | *Name of the cipher used for the communication.* | (use case) | keyword | `ECDHE-ECDSA-AES-128-CBC-SHA` |