The version of the TLS protocol used.

type: keyword

example: TLS 1.3

Whether the TLS negotiation has been successful and the session has transitioned to encrypted mode.

type: boolean

If the TLS session has been resumed from a previous session.

type: boolean

If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension.

type: keyword

Whether the server has requested the client to authenticate itself using a client certificate.

type: boolean

The version of the TLS protocol by which the client wishes to communicate during this session.

type: keyword

List of ciphers the client is willing to use for this session. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

type: array

The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml

type: array

List of hostnames

type: keyword

List of application-layer protocols the client is willing to use.

type: keyword

Length of the session ticket, if provided, or an empty string to advertise support for tickets.

type: keyword

List of TLS versions that the client is willing to use.

type: keyword

List of Elliptic Curve Cryptography (ECC) curve groups supported by the client.

type: keyword

List of signature algorithms that may be use in digital signatures.

type: keyword

List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse.

type: keyword

List of extensions that were left unparsed by Packetbeat.

type: keyword

The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello.

type: keyword

The cipher suite selected by the server from the list provided by in the client hello.

type: keyword

The compression method selected by the server from the list provided in the client hello.

type: keyword

Unique number to identify the session for the corresponding connection with the client.

type: keyword

Negotiated application layer protocol

type: array

Used to announce that a session ticket will be provided by the server. Always an empty string.

type: keyword

Negotiated TLS version to be used.

type: keyword

List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse.

type: keyword

List of extensions that were left unparsed by Packetbeat.

type: keyword

X509 format version.

type: long

The certificate’s serial number.

type: keyword

Date before which the certificate is not valid.

type: date

Date after which the certificate expires.

type: date

The algorithm used for this certificate’s public key. One of RSA, DSA or ECDSA.

type: keyword

Size of the public key.

type: long

The algorithm used for the certificate’s signature.

type: keyword

Subject Alternative Names for this certificate.

type: array

The raw certificate in PEM format.

type: keyword

Country code.

type: keyword

Organization name.

type: keyword

Unit within organization.

type: keyword

Province or region within country.

type: keyword

Name or host name identified by the certificate.

type: keyword

Country code.

type: keyword

Organization name.

type: keyword

Unit within organization.

type: keyword

Province or region within country.

type: keyword

Name or host name identified by the certificate.

type: keyword

Certificate’s MD5 fingerprint.

type: keyword

Certificate’s SHA-1 fingerprint.

type: keyword

Certificate’s SHA-256 fingerprint.

type: keyword

X509 format version.

type: long

The certificate’s serial number.

type: keyword

Date before which the certificate is not valid.

type: date

Date after which the certificate expires.

type: date

The algorithm used for this certificate’s public key. One of RSA, DSA or ECDSA.

type: keyword

Size of the public key.

type: long

The algorithm used for the certificate’s signature.

type: keyword

Subject Alternative Names for this certificate.

type: array

The raw certificate in PEM format.

type: keyword

Country code.

type: keyword

Organization name.

type: keyword

Unit within organization.

type: keyword

Province or region within country.

type: keyword

Name or host name identified by the certificate.

type: keyword

Country code.

type: keyword

Organization name.

type: keyword

Unit within organization.

type: keyword

Province or region within country.

type: keyword

Name or host name identified by the certificate.

type: keyword

Certificate’s MD5 fingerprint.

type: keyword

Certificate’s SHA-1 fingerprint.

type: keyword

Certificate’s SHA-256 fingerprint.

type: keyword

Chain of trust for the server certificate.

type: array

Chain of trust for the client certificate.

type: array

An array containing the TLS alert type for every alert received.

type: keyword

The JA3 fingerprint hash for the client side.

type: keyword

The JA3 string used to calculate the hash.

type: keyword