In the information you record about the net flows, it would be very helpful to also have the certificate information for SSL/TLS flows.
Often times the reverse lookup on the IP will resolve to something at AWS or Akamai or another CDN provider, but the certificate will reveal information about the real site/application. I know that you already inspect the SSL certificate as part of the security, so you have the information. Adding it to the logs would make it easier to tell what that network flow really is.