Transport Layer Security (TLS)

tls

The Transport Layer Security (TLS) object describes the negotiated TLS protocol used for secure communications over an established network connection.

Contents

Attributes

Caption Name Type Is Array Default Description
Client TLS Alert alert Integer The integer value of TLS alert if present. The alerts are defined in the TLS specification in RFC-2246.
Certificate certificate Digital Certificate The certificate object containing information about the digital certificate.
Certificate Chain certificate_chain String The Chain of Certificate Serial Numbers field provides a chain of Certificate Issuer Serial Numbers leading to the Root Certificate Issuer.
Cipher Suite cipher String The negotiated cipher suite.
Client Cipher Suites client_ciphers String The client cipher suites that were exchanged during the TLS handshake negotiation.
Extension List extension_list TLS Extension The list of TLS extensions.

Deprecated since 1.1.0: Use the tls_extension_list attribute instead.

Handshake Duration handshake_dur Integer The total amount of time for the TLS handshake to complete after the TCP connection is established, including client-side delays, in milliseconds.
JA3 Fingerprint ja3_fingerprint Fingerprint The fingerprint of the JA3 string.

Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0

JA3 Hash ja3_hash Fingerprint The MD5 hash of a JA3 string.
JA3 String ja3_string String The JA3 string.

Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0

JA3S Fingerprint ja3s_fingerprint Fingerprint The fingerprint of the JA3S string.

Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0

JA3S Hash ja3s_hash Fingerprint The MD5 hash of a JA3S string.
JA3S String ja3s_string String The JA3S string.

Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0

Key Length key_length Integer The length of the encryption key.
Raw Data raw_data JSON The event data as received from the event source.
Record ID record_id String Unique identifier for the object
Subject Alternative Names sans Subject Alternative Name The list of subject alternative names that are secured by a specific certificate.
Server Cipher Suites server_ciphers String The server cipher suites that were exchanged during the TLS handshake negotiation.
Server Name Indication sni String The Server Name Indication (SNI) extension sent by the client.
TLS Extension List tls_extension_list TLS Extension The list of TLS extensions.
Unmapped Data unmapped Unmapped The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
Version version String The TLS protocol version.

Context

Transport Layer Security (TLS)

JSON

            
{
  "caption": "Transport Layer Security (TLS)",
  "description": "The Transport Layer Security (TLS) object describes the negotiated TLS protocol used for secure communications over an established network connection.",
  "extends": "object",
  "name": "tls",
  "attributes": {
    "alert": {
      "requirement": "optional",
      "caption": "Client TLS Alert",
      "description": "The integer value of TLS alert if present. The alerts are defined in the TLS specification in <a target='_blank' href='https://datatracker.ietf.org/doc/html/rfc2246'>RFC-2246</a>.",
      "type": "integer_t"
    },
    "certificate": {
      "requirement": "recommended",
      "caption": "Certificate",
      "description": "The certificate object containing information about the digital certificate.",
      "type": "certificate"
    },
    "certificate_chain": {
      "requirement": "recommended",
      "caption": "Certificate Chain",
      "description": "The Chain of Certificate Serial Numbers field provides a chain of Certificate Issuer Serial Numbers leading to the Root Certificate Issuer.",
      "is_array": true,
      "type": "string_t"
    },
    "cipher": {
      "requirement": "recommended",
      "caption": "Cipher Suite",
      "description": "The negotiated cipher suite.",
      "type": "string_t"
    },
    "client_ciphers": {
      "requirement": "recommended",
      "caption": "Client Cipher Suites",
      "description": "The client cipher suites that were exchanged during the TLS handshake negotiation.",
      "is_array": true,
      "type": "string_t"
    },
    "extension_list": {
      "requirement": "optional",
      "@deprecated": {
        "message": "Use the <code> tls_extension_list </code> attribute instead.",
        "since": "1.1.0"
      },
      "caption": "Extension List",
      "description": "The list of TLS extensions.",
      "is_array": true,
      "type": "tls_extension"
    },
    "tls_extension_list": {
      "requirement": "optional",
      "caption": "TLS Extension List",
      "description": "The list of TLS extensions.",
      "is_array": true,
      "type": "tls_extension"
    },
    "handshake_dur": {
      "requirement": "optional",
      "caption": "Handshake Duration",
      "description": "The total amount of time for the TLS handshake to complete after the TCP connection is established, including client-side delays, in milliseconds.",
      "type": "integer_t"
    },
    "ja3_hash": {
      "requirement": "recommended",
      "caption": "JA3 Hash",
      "description": "The MD5 hash of a JA3 string.",
      "type": "fingerprint"
    },
    "ja3s_hash": {
      "requirement": "recommended",
      "caption": "JA3S Hash",
      "description": "The MD5 hash of a JA3S string.",
      "type": "fingerprint"
    },
    "key_length": {
      "requirement": "optional",
      "caption": "Key Length",
      "description": "The length of the encryption key.",
      "type": "integer_t"
    },
    "sans": {
      "requirement": "optional",
      "caption": "Subject Alternative Names",
      "description": "The list of subject alternative names that are secured by a specific certificate.",
      "is_array": true,
      "type": "san"
    },
    "server_ciphers": {
      "requirement": "optional",
      "caption": "Server Cipher Suites",
      "description": "The server cipher suites that were exchanged during the TLS handshake negotiation.",
      "is_array": true,
      "type": "string_t"
    },
    "sni": {
      "requirement": "recommended",
      "caption": "Server Name Indication",
      "description": "The Server Name Indication (SNI) extension sent by the client.",
      "type": "string_t"
    },
    "version": {
      "description": "The TLS protocol version.",
      "requirement": "required",
      "caption": "Version",
      "type": "string_t"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    },
    "ja3s_fingerprint": {
      "requirement": "recommended",
      "caption": "JA3S Fingerprint",
      "description": "The fingerprint of the JA3S string.",
      "type": "fingerprint",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "ja3_fingerprint": {
      "requirement": "recommended",
      "caption": "JA3 Fingerprint",
      "description": "The fingerprint of the JA3 string.",
      "type": "fingerprint",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "ja3_string": {
      "requirement": "recommended",
      "caption": "JA3 String",
      "description": "The JA3 string.",
      "type": "string_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "ja3s_string": {
      "requirement": "recommended",
      "caption": "JA3S String",
      "description": "The JA3S string.",
      "type": "string_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    }
  }
}