You can store TLS-related metadata under `tls.`, when appropriate.
Field | Description | Level | Type | Example |
---|---|---|---|---|
source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. | core | ip | 10.1.1.10 |
destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | core | ip | 5.5.5.5 |
destination.port | Port of the destination. | core | long | 443 |
tls.version | TLS version. | (use case) | keyword | TLSv1.2 |
tls.certificates | An array of certificates. | (use case) | keyword | |
tls.servername | Server name requested by the client. | (use case) | keyword | localhost |
tls.ciphersuite | Name of the cipher used for the communication. | (use case) | keyword | ECDHE-ECDSA-AES-128-CBC-SHA |
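
The following is an added example, not code from the schema's own project: it validates a flat record against the Type column of the table above and expands the dotted field names into a nested event. The names `FIELD_TYPES`, `check_value`, `build_event` and `SAMPLE` are hypothetical, and shipping the event as a nested object is an assumption.

```python
import ipaddress

# Field -> type, copied from the Type column of the table above.
FIELD_TYPES = {
    "source.ip": "ip",
    "destination.ip": "ip",
    "destination.port": "long",
    "tls.version": "keyword",
    "tls.certificates": "keyword",
    "tls.servername": "keyword",
    "tls.ciphersuite": "keyword",
}

def check_value(field, ftype, value):
    """Validate one scalar against its declared type and return it normalized."""
    if ftype == "ip":
        return str(ipaddress.ip_address(value))  # ValueError on a malformed address
    if ftype == "long":
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{field}: expected integer, got {value!r}")
        return value
    if not isinstance(value, str):  # keyword fields hold exact strings
        raise ValueError(f"{field}: expected string, got {value!r}")
    return value

def build_event(flat):
    """Expand {dotted.field: value} into a nested event; reject unmapped fields."""
    doc = {}
    for field, value in flat.items():
        ftype = FIELD_TYPES.get(field)
        if ftype is None:
            raise KeyError(f"unmapped field: {field}")
        is_list = isinstance(value, (list, tuple))  # fields may hold several values
        checked = [check_value(field, ftype, v) for v in (value if is_list else [value])]
        *parents, leaf = field.split(".")
        node = doc
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = checked if is_list else checked[0]
    return doc

# Constructed sample: table example values plus one documentation-range IPv6 address.
SAMPLE = {
    "source.ip": ["10.1.1.10", "2001:db8::1"],
    "destination.ip": "5.5.5.5",
    "destination.port": 443,
    "tls.version": "TLSv1.2",
    "tls.servername": "localhost",
    "tls.ciphersuite": "ECDHE-ECDSA-AES-128-CBC-SHA",
}
```

Rejecting a port supplied as the string `"443"` or a misspelled field name at ingest time keeps type conflicts and silently unsearchable fields out of the index.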