x509 Certificate Fields

This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.

When the certificate relates to a file, use the fields at file.x509. When hashes of the DER-encoded certificate are available, the hash data set should be populated as well (e.g. file.hash.sha256).

Events that contain certificate information about network connections should use the x509 fields under the relevant TLS fields: tls.server.x509 and/or tls.client.x509.

x509 Certificate Field Details

Field Description Level

x509.alternative_names

List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.

type: keyword

Note: this field should contain an array of values.

example: *.elastic.co

extended

x509.issuer.common_name

List of common names (CN) of the issuing certificate authority.

type: keyword

Note: this field should contain an array of values.

example: Example SHA2 High Assurance Server CA

extended

x509.issuer.country

List of country (C) codes.

type: keyword

Note: this field should contain an array of values.

example: US

extended

x509.issuer.distinguished_name

Distinguished name (DN) of issuing certificate authority.

type: keyword

example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA

extended

x509.issuer.locality

List of locality names (L)

type: keyword

Note: this field should contain an array of values.

example: Mountain View

extended

x509.issuer.organization

List of organizations (O) of issuing certificate authority.

type: keyword

Note: this field should contain an array of values.

example: Example Inc

extended

x509.issuer.organizational_unit

List of organizational units (OU) of issuing certificate authority.

type: keyword

Note: this field should contain an array of values.

example: www.example.com

extended

x509.issuer.state_or_province

List of state or province names (ST, S, or P)

type: keyword

Note: this field should contain an array of values.

example: California

extended

x509.not_after

Time at which the certificate is no longer considered valid.

type: date

example: 2020-07-16T03:15:39Z

extended

x509.not_before

Time at which the certificate is first considered valid.

type: date

example: 2019-08-16T01:40:25Z

extended

x509.public_key_algorithm

Algorithm used to generate the public key.

type: keyword

example: RSA

extended

x509.public_key_curve

The curve used by the elliptic curve public key algorithm. This is algorithm-specific.

type: keyword

example: nistp521

extended

x509.public_key_exponent

Exponent used to derive the public key. This is algorithm-specific.

type: long

example: 65537

extended

x509.public_key_size

The size of the public key space in bits.

type: long

example: 2048

extended

x509.serial_number

Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted in uppercase hexadecimal without colons.

type: keyword

example: 55FBB9C7DEBF09809D12CCAA

extended

x509.signature_algorithm

Identifier for the certificate signature algorithm. We recommend using the names found in the Go crypto/x509 library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.

type: keyword

example: SHA256-RSA

extended

x509.subject.common_name

List of common names (CN) of subject.

type: keyword

Note: this field should contain an array of values.

example: shared.global.example.net

extended

x509.subject.country

List of country (C) codes.

type: keyword

Note: this field should contain an array of values.

example: US

extended

x509.subject.distinguished_name

Distinguished name (DN) of the certificate subject entity.

type: keyword

example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net

extended

x509.subject.locality

List of locality names (L)

type: keyword

Note: this field should contain an array of values.

example: San Francisco

extended

x509.subject.organization

List of organizations (O) of subject.

type: keyword

Note: this field should contain an array of values.

example: Example, Inc.

extended

x509.subject.organizational_unit

List of organizational units (OU) of subject.

type: keyword

Note: this field should contain an array of values.

extended

x509.subject.state_or_province

List of state or province names (ST, S, or P)

type: keyword

Note: this field should contain an array of values.

example: California

extended

x509.version_number

Version of the x509 format.

type: keyword

example: 3

extended

Field Reuse

The x509 fields are expected to be nested at:

  • file.x509
  • threat.enrichments.indicator.x509
  • threat.indicator.x509
  • tls.client.x509
  • tls.server.x509

Note also that the x509 fields are not expected to be used directly at the root of an event.
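The following is an added example, not code from ECS or Elastic, showing how the field details above map onto a parsed certificate and how the result nests under file.x509 with the companion file.hash.sha256 value. It uses Go's standard crypto/x509 package, whose SignatureAlgorithm names are the ones this page recommends. The struct and function names (ECSX509, ECSName, ToECS, DERSHA256, sampleCertDER) are this example's own, and the self-signed certificate it builds is constructed test data whose subject, serial and dates mirror the page's example values. Two conventions are assumptions: the DN is rendered in Go's RFC 2253 order, and the curve name is rewritten from Go's "P-521" to the "nistp521" form of the page's example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// ECSName holds the x509.issuer.* / x509.subject.* fields; list fields are arrays as the page requires.
type ECSName struct {
	CommonName         []string `json:"common_name,omitempty"`
	Country            []string `json:"country,omitempty"`
	DistinguishedName  string   `json:"distinguished_name,omitempty"`
	Locality           []string `json:"locality,omitempty"`
	Organization       []string `json:"organization,omitempty"`
	OrganizationalUnit []string `json:"organizational_unit,omitempty"`
	StateOrProvince    []string `json:"state_or_province,omitempty"`
}

// ECSX509 holds the top-level x509.* fields from this page.
type ECSX509 struct {
	AlternativeNames   []string `json:"alternative_names,omitempty"`
	Issuer             ECSName  `json:"issuer"`
	NotAfter           string   `json:"not_after"`
	NotBefore          string   `json:"not_before"`
	PublicKeyAlgorithm string   `json:"public_key_algorithm"`
	PublicKeyCurve     string   `json:"public_key_curve,omitempty"`
	PublicKeyExponent  int64    `json:"public_key_exponent,omitempty"`
	PublicKeySize      int      `json:"public_key_size"`
	SerialNumber       string   `json:"serial_number"`
	SignatureAlgorithm string   `json:"signature_algorithm"`
	Subject            ECSName  `json:"subject"`
	VersionNumber      string   `json:"version_number"`
}

// ecsName maps a pkix.Name onto the ECS name fields (DN in Go's RFC 2253 order, an assumption).
func ecsName(n pkix.Name) ECSName {
	var cn []string
	if n.CommonName != "" {
		cn = []string{n.CommonName}
	}
	return ECSName{CommonName: cn, Country: n.Country, DistinguishedName: n.String(),
		Locality: n.Locality, Organization: n.Organization,
		OrganizationalUnit: n.OrganizationalUnit, StateOrProvince: n.Province}
}

// ToECS parses a DER certificate and fills the ECS x509 field set.
func ToECS(der []byte) (ECSX509, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return ECSX509{}, err
	}
	e := ECSX509{
		Issuer: ecsName(cert.Issuer), Subject: ecsName(cert.Subject),
		NotBefore: cert.NotBefore.UTC().Format(time.RFC3339),
		NotAfter:  cert.NotAfter.UTC().Format(time.RFC3339),
		// Serial as uppercase hex without colons, per the serial_number field description.
		SerialNumber: strings.ToUpper(hex.EncodeToString(cert.SerialNumber.Bytes())),
		// Go's String() yields e.g. "SHA256-RSA", the naming this page recommends.
		SignatureAlgorithm: cert.SignatureAlgorithm.String(),
		VersionNumber:      fmt.Sprint(cert.Version),
	}
	// Every SAN type goes into the single alternative_names keyword array.
	e.AlternativeNames = append(e.AlternativeNames, cert.DNSNames...)
	for _, ip := range cert.IPAddresses {
		e.AlternativeNames = append(e.AlternativeNames, ip.String())
	}
	e.AlternativeNames = append(e.AlternativeNames, cert.EmailAddresses...)
	for _, u := range cert.URIs {
		e.AlternativeNames = append(e.AlternativeNames, u.String())
	}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		e.PublicKeyAlgorithm, e.PublicKeySize, e.PublicKeyExponent = "RSA", pub.N.BitLen(), int64(pub.E)
	case *ecdsa.PublicKey:
		p := pub.Curve.Params()
		e.PublicKeyAlgorithm, e.PublicKeySize = "ECDSA", p.BitSize
		// "P-521" -> "nistp521", following the page's example value (assumed convention).
		e.PublicKeyCurve = "nist" + strings.ToLower(strings.ReplaceAll(p.Name, "-", ""))
	default:
		e.PublicKeyAlgorithm = cert.PublicKeyAlgorithm.String()
	}
	return e, nil
}

// DERSHA256 computes the companion file.hash.sha256 value over the DER bytes.
func DERSHA256(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// sampleCertDER builds a self-signed certificate from constructed values (test data, not a real cert).
func sampleCertDER() ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	serial, _ := new(big.Int).SetString("55FBB9C7DEBF09809D12CCAA", 16)
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{CommonName: "shared.global.example.net", Country: []string{"US"},
			Province: []string{"California"}, Locality: []string{"San Francisco"}, Organization: []string{"Example, Inc."}},
		NotBefore:          time.Date(2019, 8, 16, 1, 40, 25, 0, time.UTC),
		NotAfter:           time.Date(2020, 7, 16, 3, 15, 39, 0, time.UTC),
		DNSNames:           []string{"shared.global.example.net", "*.example.net"},
		IPAddresses:        []net.IP{net.ParseIP("192.0.2.10")},
		EmailAddresses:     []string{"admin@example.net"},
		SignatureAlgorithm: x509.SHA256WithRSA,
		KeyUsage:           x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed: issuer = subject
}

func main() {
	der, err := sampleCertDER()
	if err != nil {
		panic(err)
	}
	e, err := ToECS(der)
	if err != nil {
		panic(err)
	}
	// Nest under file.x509 and file.hash.sha256, as the page directs for certificates tied to a file.
	out, _ := json.MarshalIndent(map[string]interface{}{"file": map[string]interface{}{
		"x509": e, "hash": map[string]string{"sha256": DERSHA256(der)}}}, "", "  ")
	fmt.Println(string(out))
}
```

Swapping the outer map key from "file" to "tls.server.x509" (or "tls.client.x509") is all that changes for a network event; the x509 object itself is identical, which is the point of the reuse rules above.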