No TLS details

See also attached image:

While there seem to be thousands of TLS handshakes, the SIEM-network table with TLS details is empty.

The Packetbeat config details:

- type: tls
  # Configure the ports where to listen for TLS traffic. You can disable
  # the TLS protocol by commenting out the list of ports.
  ports: [ 443, 993, 587, 465, 995 ]

  # Certificate details
  # WLM | 2020mar8
  send_certificates: true
  include_raw_certificates: true
  include_detailed_fields: true
  fingerprints: [ md5, sha1, sha256 ]

What am I overlooking here?

Thanks - Will

Unfortunately, nothing. We've been working to standardize on Elastic Common Schema and transition the data sources and UI to be fully based on it. The queries in the UI predate TLS being part of the schema. And now it needs an update. I've opened an issue to get this done: "[SIEM] Update TLS tables for ECS 1.4+" (Issue #60026, elastic/kibana on GitHub).

Perhaps somewhat late - but still - thank you!