No TLS details

NogNeetMachinaal · March 8, 2020, 11:25am

See also attached image:

While there seem to be thousands of TLS handshakes, the SIEM-network table with TLS details is empty.

The Packetbeat config details:

- type: tls
  # Configure the ports where to listen for TLS traffic. You can disable
  # the TLS protocol by commenting out the list of ports.
  ports: [ 443, 993, 587, 465, 995 ]

  # Certificate details
  # WLM | 2020mar8
  send_certificates: true
  include_raw_certificates: true
  include_detailed_fields: true
  fingerprints: [ md5, sha1, sha256 ]

What am I overlooking here?

Thanks - Will

andrewkroh · March 12, 2020, 3:57pm

Unfortunately, nothing. We've been working to standardize on Elastic Common Schema and transition the data sources and UI to be fully based on it. The queries in the UI predate TLS being part of the schema. And now it needs an update. I've opened an issue to get this done [SIEM] Update TLS tables for ECS 1.4+ · Issue #60026 · elastic/kibana · GitHub.

system · April 9, 2020, 3:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

NogNeetMachinaal · August 31, 2020, 8:54pm

Perhaps somewhat late - but still - thank you!

Topic		Replies	Views
Empty DNS Fields and Tables in Network View SIEM	2	503	August 27, 2019
SIEM Hosts / Networks and Data Not Showing Up SIEM	5	1658	March 18, 2020
SIEM Hosts/All Hosts Tables Empty SIEM	12	2535	September 2, 2019
Zeek filebeat - HTTP and TLS events not fully populating SIEM	4	499	May 9, 2020
[SIEM] Authentications table doesn't show 'Last Success/Failed Source' column if only 'source.ip' is present SIEM	7	391	February 16, 2021

No TLS details

Related Topics