Elasticsearch Integration
Enterprise-scale cryptographic asset discovery with data type separation indexing
Enterprise-scale cryptographic asset discovery with data type separation indexing
TYCHON Quantum Readiness provides comprehensive cryptographic asset visibility in Elasticsearch through native Bulk API integration, data type separation indexing, and ECS-compliant field mapping designed for enterprise-scale deployments.
Automatic routing to specialized indexes: ciphers, keystores, certificates, processes
Supports 100,000+ endpoints with upsert-compatible indexing strategy
Full Elastic Common Schema compatibility with strict field mapping
TYCHON automatically separates data into specialized indexes based on asset type, enabling optimized storage, queries, and management for large-scale deployments.
TYCHON Quantum Readiness provides native Elasticsearch integration through command-line switches with automatic data type separation:
| Switch | Description | Example |
|---|---|---|
| -posttoelastic | Enable posting scan results to Elasticsearch with connectivity test | -posttoelastic |
| -elasticnode | Elasticsearch cluster URL (required) | -elasticnode "https://elastic.company.com:9200" |
| -elasticapikey | Elasticsearch API key for authentication (optional for open clusters) | -elasticapikey "your-api-key" |
| -elasticindex | Custom suffix for data type separation indexes | -elasticindex "mysite" |
| -insecure | Skip SSL certificate verification for HTTPS connections | -insecure |
The -elasticindex parameter now creates multiple specialized indexes with your custom suffix:
-elasticindex "production"-elasticindex "dev-team"TYCHON automatically creates and manages the Elasticsearch index template with ECS-compliant field mappings. You can also create it manually:
Copy and paste this into Elasticsearch Dev Tools:
PUT _index_template/tychon-pqc-template
{
"index_patterns": [
"tychon-pqc-*"
],
"template": {
"settings": {
"index": {
"number_of_shards": 1,
"number_of_replicas": 1,
"codec": "best_compression",
"refresh_interval": "30s",
"mapping": {
"total_fields": {
"limit": 2000
}
}
}
},
"mappings": {
"dynamic": "strict",
"properties": {
"@timestamp": { "type": "date" },
"id": { "type": "keyword", "doc_values": true },
"event": {
"type": "object",
"properties": {
"kind": { "type": "keyword", "ignore_above": 256 },
"category": { "type": "keyword", "ignore_above": 256 },
"action": { "type": "keyword", "ignore_above": 256 },
"dataset": { "type": "keyword", "ignore_above": 256 },
"outcome": { "type": "keyword", "ignore_above": 256 }
}
},
"observer": {
"type": "object",
"properties": {
"hostname": { "type": "keyword", "ignore_above": 256 },
"version": { "type": "keyword", "ignore_above": 256 },
"type": { "type": "keyword", "ignore_above": 256 },
"bigfix_client_installed": { "type": "boolean" },
"bigfix_client_id": { "type": "keyword", "ignore_above": 256 }
}
},
"host": {
"type": "object",
"properties": {
"ip": { "type": "ip" },
"hostname": { "type": "keyword", "ignore_above": 256 }
}
},
"server": {
"type": "object",
"properties": {
"address": { "type": "keyword", "ignore_above": 256 },
"ip": { "type": "ip" },
"port": { "type": "long" }
}
},
"tls": {
"type": "object",
"properties": {
"cipher": { "type": "keyword", "ignore_above": 256 },
"version": { "type": "keyword", "ignore_above": 256 },
"certificate": {
"type": "object",
"properties": {
"subject": { "type": "keyword", "ignore_above": 1024 },
"issuer": { "type": "keyword", "ignore_above": 1024 },
"not_before": { "type": "date" },
"not_after": { "type": "date" },
"is_self_signed": { "type": "boolean" }
}
}
}
},
"ssh": {
"type": "object",
"properties": {
"server": {
"type": "object",
"properties": {
"host_key": {
"type": "object",
"properties": {
"type": { "type": "keyword", "ignore_above": 256 },
"fingerprint_sha256": { "type": "keyword", "ignore_above": 256 },
"bits": { "type": "long" }
}
}
}
}
}
},
"keystore": {
"type": "object",
"properties": {
"type": { "type": "keyword", "ignore_above": 256 },
"accessible": { "type": "boolean" },
"cert_count": { "type": "long" },
"stats": {
"type": "object",
"properties": {
"vulnerable_certificates": { "type": "long" },
"pqc_vulnerable_certificates": { "type": "long" },
"certificate_types": {
"type": "object",
"properties": {
"ca": { "type": "long" },
"end_entity": { "type": "long" }
}
}
}
}
}
},
"crypto": {
"type": "object",
"properties": {
"key_algorithm": { "type": "keyword", "ignore_above": 256 },
"key_size": { "type": "long" },
"signature_algorithm": { "type": "keyword", "ignore_above": 256 }
}
},
"pqc": {
"type": "object",
"properties": {
"vulnerable": { "type": "boolean" },
"ready": { "type": "boolean" },
"readiness": { "type": "keyword", "ignore_above": 256 },
"quantum_risk": { "type": "keyword", "ignore_above": 256 }
}
},
"vulnerability": {
"type": "object",
"properties": {
"is_vulnerable": { "type": "boolean" },
"risk_level": { "type": "keyword", "ignore_above": 256 }
}
},
"quantum_ready": { "type": "boolean" },
"asset_type": { "type": "keyword", "ignore_above": 256 },
"scan_type": { "type": "keyword", "ignore_above": 256 },
"tags": { "type": "keyword", "ignore_above": 256 }
}
}
}
}Alternative command-line approach:
# Download the complete mapping template
curl -o tychon-mapping.json https://raw.githubusercontent.com/tychonio/certscanner/main/dashboards/elastic/mappings/tychon-pqc-mapping.json
# Apply the template to your cluster
curl -X PUT "https://elastic.company.com:9200/_index_template/tychon-pqc-template" \
-H "Content-Type: application/json" \
-H "Authorization: ApiKey your-api-key" \
-d @tychon-mapping.json
# Verify template creation
curl -X GET "https://elastic.company.com:9200/_index_template/tychon-pqc-template" \
-H "Authorization: ApiKey your-api-key" | jq '.index_templates[0].name'TYCHON performs automatic connectivity testing before starting scans:
TYCHON tests Elasticsearch connectivity immediately after version output and before cipher intelligence loading. This provides instant feedback about configuration issues without waiting for complete scans.
Production Environments: By default, TYCHON validates SSL certificates for secure Elasticsearch connections.
Development/Testing: Use the -insecure flag to skip certificate verification for self-signed or invalid certificates.
# Example: Skip SSL verification for self-signed certificates
./certscanner -posttoelastic -elasticnode "https://dev-elastic:9200" -insecureExamples showing how the new -elasticindex parameter creates specialized indexes:
# Remote scan with data type separation (Windows)
.\certscanner-windows-amd64.exe -host example.com `
-posttoelastic `
-elasticnode "https://elastic.company.com:9200" `
-elasticapikey "your-api-key" `
-elasticindex "production"
# Creates: tychon-pqc-ciphers-production, tychon-pqc-certificates-production
# Local comprehensive scan with environment suffix
.\certscanner-windows-amd64.exe -mode local `
-scanfilesystem -scanmemory -scanconnected `
-posttoelastic `
-elasticnode "https://elastic.company.com:9200" `
-elasticapikey "your-api-key" `
-elasticindex "corp-laptops"
# Creates: tychon-pqc-keystores-corp-laptops, tychon-pqc-processes-corp-laptops
# Network discovery with custom suffix
.\certscanner-windows-amd64.exe -cidr 192.168.1.0/24 `
-ports 443,22,8443 `
-cipherscan `
-posttoelastic `
-elasticnode "https://elastic.company.com:9200" `
-elasticapikey "your-api-key" `
-elasticindex "dmz-scan"
# Creates: tychon-pqc-ciphers-dmz-scan, tychon-pqc-ssh-keys-dmz-scan# Remote scan with data type separation (Linux)
./certscanner-linux-amd64 -host example.com \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-api-key" \
-elasticindex "production"
# Creates: tychon-pqc-ciphers-production, tychon-pqc-certificates-production
# Local comprehensive scan with environment suffix
./certscanner-linux-amd64 -mode local \
-scanfilesystem -scanmemory -scanconnected \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-api-key" \
-elasticindex "servers"
# Creates: tychon-pqc-keystores-servers, tychon-pqc-processes-servers
# Network discovery with custom suffix
./certscanner-linux-amd64 -cidr 192.168.1.0/24 \
-ports 443,22,8443 \
-cipherscan \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-api-key" \
-elasticindex "network-scan"
# Creates: tychon-pqc-ciphers-network-scan, tychon-pqc-ssh-keys-network-scan# Remote scan with Elasticsearch output (macOS)
# For Intel Macs:
./certscanner-darwin-amd64 -host example.com \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-api-key" \
-elasticindex "crypto-assets-$(date +%Y-%m)"
# For Apple Silicon Macs:
./certscanner-darwin-arm64 -host example.com \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-api-key" \
-elasticindex "crypto-assets-$(date +%Y-%m)"
# Local comprehensive scan (Intel):
./certscanner-darwin-amd64 -mode local \
-scanfilesystem -scanconnected \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-api-key" \
-elasticindex "crypto-assets-local"
# Local comprehensive scan (Apple Silicon):
./certscanner-darwin-arm64 -mode local \
-scanfilesystem -scanconnected \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-api-key" \
-elasticindex "crypto-assets-local"
# Network discovery with Elasticsearch (Intel):
./certscanner-darwin-amd64 -cidr 192.168.1.0/24 \
-ports 443,22,8443 \
-cipherscan \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-api-key" \
-elasticindex "network-crypto-scan"
# Network discovery with Elasticsearch (Apple Silicon):
./certscanner-darwin-arm64 -cidr 192.168.1.0/24 \
-ports 443,22,8443 \
-cipherscan \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-api-key" \
-elasticindex "network-crypto-scan"
# Note: -scanmemory is not available on macOS
Use the -config parameter to configure and encrypt Elasticsearch credentials for secure reuse. This prevents credentials from being visible in process lists and command history.
TYCHON Quantum Readiness provides secure credential storage using the following configuration parameters:
| Parameter | Description | Purpose |
|---|---|---|
| -config | Configure and encrypt credentials for reuse | Setup encrypted credential storage |
| -config-elasticnode | Elasticsearch node URL to store encrypted | Securely store cluster endpoint |
| -config-elasticapikey | Elasticsearch API Key to store encrypted | Securely store authentication token |
Configure your Elasticsearch credentials once using the configuration parameters. The credentials will be encrypted and stored securely for reuse:
# Configure Elasticsearch credentials (Windows)
# This will encrypt and store the credentials securely
.\certscanner-windows-amd64.exe -config `
-config-elasticnode "https://elastic.company.com:9200" `
-config-elasticapikey "your-elasticsearch-api-key-here"
# Configuration will display success message when completed# Configure Elasticsearch credentials (Linux)
# This will encrypt and store the credentials securely
./certscanner-linux-x64 -config \
-config-elasticnode "https://elastic.company.com:9200" \
-config-elasticapikey "your-elasticsearch-api-key-here"
# Configuration will display success message when completed# Configure Elasticsearch credentials (Intel Mac)
./certscanner-darwin-amd64 -config \
-config-elasticnode "https://elastic.company.com:9200" \
-config-elasticapikey "your-elasticsearch-api-key-here"
# Configure Elasticsearch credentials (Apple Silicon)
./certscanner-darwin-arm64 -config \
-config-elasticnode "https://elastic.company.com:9200" \
-config-elasticapikey "your-elasticsearch-api-key-here"
# Configuration will display success message when completedOnce credentials are configured, use the -posttoelastic parameter without specifying connection details. TYCHON will automatically use the stored encrypted credentials:
# Local comprehensive scan using stored credentials (Windows)
.\certscanner-windows-amd64.exe -mode local `
-scanfilesystem -scanmemory -scanconnected `
-posttoelastic
# Network scan using stored credentials
.\certscanner-windows-amd64.exe -cidr 192.168.1.0/24 `
-ports 443,8443,9443 `
-cipherscan `
-posttoelastic
# Custom index name with stored credentials
.\certscanner-windows-amd64.exe -host example.com `
-cipherscan `
-posttoelastic `
-elasticindex "manual-scan-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
# Comprehensive scan with Outlook archives
.\certscanner-windows-amd64.exe -mode local `
-scanfilesystem -scanmemory -scanconnected -scanoutlookarchives `
-posttoelastic `
-elasticindex "comprehensive-$(Get-Date -Format 'yyyy-MM')"# Local comprehensive scan using stored credentials (Linux)
./certscanner-linux-x64 -mode local \
-scanfilesystem -scanmemory -scanconnected \
-posttoelastic
# Network discovery scan using stored credentials
./certscanner-linux-x64 -arpscan \
-ports 443,22,8443,993,995 \
-cipherscan \
-posttoelastic
# Custom index name with stored credentials
./certscanner-linux-x64 -host example.com \
-cipherscan \
-posttoelastic \
-elasticindex "manual-scan-$(date +%Y%m%d-%H%M%S)"
# Comprehensive scan with file system and memory
./certscanner-linux-x64 -mode local \
-scanfilesystem -scanmemory -scanconnected -scanoutlookarchives \
-posttoelastic \
-elasticindex "comprehensive-$(date +%Y-%m)"# Local comprehensive scan using stored credentials (Intel Mac)
./certscanner-darwin-amd64 -mode local \
-scanfilesystem -scanconnected \
-posttoelastic
# Local comprehensive scan using stored credentials (Apple Silicon)
./certscanner-darwin-arm64 -mode local \
-scanfilesystem -scanconnected \
-posttoelastic
# Network discovery scan using stored credentials (Intel Mac)
./certscanner-darwin-amd64 -arpscan \
-ports 443,22,8443,993,995 \
-cipherscan \
-posttoelastic
# Custom index name with stored credentials (Apple Silicon)
./certscanner-darwin-arm64 -host example.com \
-cipherscan \
-posttoelastic \
-elasticindex "manual-scan-$(date +%Y%m%d-%H%M%S)"
# Comprehensive scan with Outlook archives (Intel Mac)
./certscanner-darwin-amd64 -mode local \
-scanfilesystem -scanconnected -scanoutlookarchives \
-posttoelastic \
-elasticindex "comprehensive-$(date +%Y-%m)"
# Note: -scanmemory is not available on macOS
Note: Configuration management in TYCHON is designed for simplicity. To update credentials, simply run the -config command again with new values. The system will overwrite the previous configuration.
To update stored credentials, run the configuration command again with the new values:
# Update Elasticsearch node URL
./certscanner -config \
-config-elasticnode "https://new-elastic.company.com:9200"
# Update API key (you can update just the API key)
./certscanner -config \
-config-elasticapikey "new-api-key-here"
# Update both node URL and API key together
./certscanner -config \
-config-elasticnode "https://new-elastic.company.com:9200" \
-config-elasticapikey "new-api-key-here"For different environments, configure credentials separately on each system or use environment variables:
# Configure for production environment
.\certscanner-windows-amd64.exe -config `
-config-elasticnode "https://elastic-prod.company.com:9200" `
-config-elasticapikey "$env:ELASTIC_PROD_API_KEY"
# Now use the configured credentials for scanning
.\certscanner-windows-amd64.exe -mode local `
-scanfilesystem -scanmemory -scanconnected `
-posttoelastic
# For development environment, reconfigure with dev credentials
.\certscanner-windows-amd64.exe -config `
-config-elasticnode "https://elastic-dev.company.com:9200" `
-config-elasticapikey "$env:ELASTIC_DEV_API_KEY"# Configure for production environment
./certscanner-linux-x64 -config \
-config-elasticnode "https://elastic-prod.company.com:9200" \
-config-elasticapikey "$ELASTIC_PROD_API_KEY"
# Now use the configured credentials for scanning
./certscanner-linux-x64 -mode local \
-scanfilesystem -scanmemory -scanconnected \
-posttoelastic
# For development environment, reconfigure with dev credentials
./certscanner-linux-x64 -config \
-config-elasticnode "https://elastic-dev.company.com:9200" \
-config-elasticapikey "$ELASTIC_DEV_API_KEY"# Configure for production environment (Intel Mac)
./certscanner-darwin-amd64 -config \
-config-elasticnode "https://elastic-prod.company.com:9200" \
-config-elasticapikey "$ELASTIC_PROD_API_KEY"
# Configure for production environment (Apple Silicon)
./certscanner-darwin-arm64 -config \
-config-elasticnode "https://elastic-prod.company.com:9200" \
-config-elasticapikey "$ELASTIC_PROD_API_KEY"
# Now use the configured credentials for scanning (Intel Mac)
./certscanner-darwin-amd64 -mode local \
-scanfilesystem -scanconnected \
-posttoelastic
# For development environment, reconfigure with dev credentials (Apple Silicon)
./certscanner-darwin-arm64 -config \
-config-elasticnode "https://elastic-dev.company.com:9200" \
-config-elasticapikey "$ELASTIC_DEV_API_KEY"#!/bin/bash
# Secure automated TYCHON scan with encrypted Elasticsearch credentials
# File: /opt/tychon/secure-elasticsearch-scan.sh
set -euo pipefail
CERTSCANNER_PATH="${CERTSCANNER_PATH:-/opt/tychon/certscanner}"
LOG_FILE="/var/log/tychon/elasticsearch-scan.log"
echo "$(date): Starting TYCHON scan with encrypted Elasticsearch credentials..." | tee -a "$LOG_FILE"
SCAN_TYPE="${1:-comprehensive}"
case "$SCAN_TYPE" in
"local")
echo "Executing local system scan..." | tee -a "$LOG_FILE"
$CERTSCANNER_PATH -mode local \
-scanfilesystem -scanmemory -scanconnected \
-posttoelastic
;;
"network")
echo "Executing network discovery scan..." | tee -a "$LOG_FILE"
$CERTSCANNER_PATH -arpscan \
-ports 443,22,8443,993,995 \
-cipherscan \
-posttoelastic
;;
"comprehensive")
echo "Executing comprehensive scan..." | tee -a "$LOG_FILE"
$CERTSCANNER_PATH -mode local \
-scanfilesystem -scanmemory -scanconnected -scanoutlookarchives \
-posttoelastic
# Follow up with network scan
$CERTSCANNER_PATH -arpscan \
-ports 443,22,8443,993,995 \
-cipherscan \
-posttoelastic
;;
*)
echo "ERROR: Unknown scan type: $SCAN_TYPE" | tee -a "$LOG_FILE"
echo "Valid options: local, network, comprehensive" | tee -a "$LOG_FILE"
exit 1
;;
esac
if [[ $? -eq 0 ]]; then
echo "$(date): Scan completed successfully" | tee -a "$LOG_FILE"
echo "Note: Ensure credentials are configured with: $CERTSCANNER_PATH -config -config-elasticnode -config-elasticapikey " | tee -a "$LOG_FILE"
else
echo "$(date): Scan failed" | tee -a "$LOG_FILE"
echo "If credentials are not configured, run: $CERTSCANNER_PATH -config -config-elasticnode -config-elasticapikey " | tee -a "$LOG_FILE"
exit 1
fi # Secure TYCHON Elasticsearch Integration Script
# File: C:\ProgramData\TYCHON\Scripts\Secure-ElasticsearchScan.ps1
param(
[Parameter(Mandatory=$false)]
[ValidateSet("Local", "Network", "Comprehensive")]
[string]$ScanType = "Comprehensive",
[Parameter(Mandatory=$false)]
[string]$CertScannerPath = "C:\Program Files\TYCHON\certscanner-windows-amd64.exe"
)
$ErrorActionPreference = "Stop"
$LogFile = "C:\ProgramData\TYCHON\Logs\elasticsearch-scan.log"
function Write-Log {
param([string]$Message)
$timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
$logEntry = "[$timestamp] $Message"
Write-Host $logEntry
Add-Content -Path $LogFile -Value $logEntry
}
try {
Write-Log "Starting TYCHON scan with encrypted credentials (Type: $ScanType)..."
switch ($ScanType) {
"Local" {
Write-Log "Executing local system scan..."
& $CertScannerPath -mode local `
-scanfilesystem -scanmemory -scanconnected `
-posttoelastic
}
"Network" {
Write-Log "Executing network discovery scan..."
& $CertScannerPath -arpscan `
-ports 443,22,8443,993,995 `
-cipherscan `
-posttoelastic
}
"Comprehensive" {
Write-Log "Executing comprehensive scan..."
# Local scan
& $CertScannerPath -mode local `
-scanfilesystem -scanmemory -scanconnected -scanoutlookarchives `
-posttoelastic
if ($LASTEXITCODE -eq 0) {
# Network scan
& $CertScannerPath -arpscan `
-ports 443,22,8443,993,995 `
-cipherscan `
-posttoelastic
}
}
}
if ($LASTEXITCODE -eq 0) {
Write-Log "Scan completed successfully"
Write-Log "Note: Ensure credentials are configured with: $CertScannerPath -config -config-elasticnode -config-elasticapikey "
} else {
throw "Scan failed with exit code $LASTEXITCODE"
}
} catch {
Write-Log "ERROR: $($_.Exception.Message)"
Write-Log "If credentials are not configured, run: $CertScannerPath -config -config-elasticnode -config-elasticapikey "
exit 1
}
Write-Log "TYCHON Elasticsearch integration completed successfully" Configure ILM policies for efficient crypto asset data management:
# Create ILM policy for TYCHON Quantum Readiness data
PUT _ilm/policy/tychon-policy
{
"policy": {
"phases": {
"hot": {
"min_age": "0ms",
"actions": {
"rollover": {
"max_size": "2GB",
"max_age": "7d",
"max_docs": 100000
},
"set_priority": {
"priority": 100
}
}
},
"warm": {
"min_age": "7d",
"actions": {
"set_priority": {
"priority": 50
},
"allocate": {
"number_of_replicas": 0
}
}
},
"cold": {
"min_age": "30d",
"actions": {
"set_priority": {
"priority": 0
}
}
},
"delete": {
"min_age": "365d",
"actions": {
"delete": {}
}
}
}
}
}# Advanced index template with comprehensive field mappings
PUT _index_template/tychon-enhanced
{
"index_patterns": ["crypto-assets-*", "certscanner-*"],
"template": {
"settings": {
"number_of_shards": 2,
"number_of_replicas": 1,
"index.lifecycle.name": "tychon-policy",
"index.lifecycle.rollover_alias": "crypto-assets-current",
"index.refresh_interval": "30s",
"index.mapping.total_fields.limit": 2000
},
"mappings": {
"properties": {
"@timestamp": { "type": "date" },
"event": {
"properties": {
"category": { "type": "keyword" },
"type": { "type": "keyword" },
"outcome": { "type": "keyword" }
}
},
"observer": {
"properties": {
"hostname": { "type": "keyword" },
"version": { "type": "keyword" },
"type": { "type": "keyword" },
"bigfix_client_installed": { "type": "boolean" },
"bigfix_client_id": { "type": "keyword" }
}
},
"host": {
"properties": {
"ip": { "type": "ip" },
"hostname": { "type": "keyword" },
"os": {
"properties": {
"family": { "type": "keyword" },
"platform": { "type": "keyword" }
}
}
}
},
"network": {
"properties": {
"transport": { "type": "keyword" },
"protocol": { "type": "keyword" }
}
},
"destination": {
"properties": {
"ip": { "type": "ip" },
"port": { "type": "integer" },
"domain": { "type": "keyword" }
}
},
"quantum_ready_kx": { "type": "boolean" },
"quantum_ready_cipher": { "type": "boolean" },
"quantum_ready_cert": { "type": "boolean" },
"quantum_ready": { "type": "boolean" },
"tls": {
"properties": {
"version": { "type": "keyword" },
"version_protocol": { "type": "keyword" },
"cipher": { "type": "keyword" },
"curve": { "type": "keyword" },
"established": { "type": "boolean" },
"next_protocol": { "type": "keyword" },
"certificate": {
"properties": {
"subject": {
"properties": {
"common_name": { "type": "keyword" },
"organization": { "type": "keyword" },
"organizational_unit": { "type": "keyword" },
"country": { "type": "keyword" }
}
},
"issuer": {
"properties": {
"common_name": { "type": "keyword" },
"organization": { "type": "keyword" },
"country": { "type": "keyword" }
}
},
"not_before": { "type": "date" },
"not_after": { "type": "date" },
"fingerprint_sha256": { "type": "keyword" },
"fingerprint_sha1": { "type": "keyword" },
"serial_number": { "type": "keyword" },
"signature_algorithm": { "type": "keyword" },
"public_key_algorithm": { "type": "keyword" },
"public_key_size": { "type": "integer" },
"extensions": {
"properties": {
"subject_alternative_name": { "type": "keyword" },
"key_usage": { "type": "keyword" },
"extended_key_usage": { "type": "keyword" }
}
}
}
}
}
},
"ssh": {
"properties": {
"host_key": {
"properties": {
"algorithm": { "type": "keyword" },
"fingerprint": { "type": "keyword" },
"length": { "type": "integer" }
}
},
"server": {
"properties": {
"version": { "type": "keyword" },
"banner": { "type": "text" }
}
}
}
},
"tychon": {
"properties": {
"pqc_vulnerable": { "type": "boolean" },
"security_level": { "type": "keyword" },
"type": { "type": "keyword" },
"risk_score": { "type": "float" },
"recommendations": { "type": "text" }
}
},
"quantum_readiness": {
"properties": {
"total_score": { "type": "integer" },
"max_score": { "type": "integer" },
"percentage": { "type": "float" },
"system_classification": { "type": "keyword" },
"critical_failures": { "type": "text" },
"assessment_enabled": { "type": "boolean" },
"hardware_assessment": {
"properties": {
"score": { "type": "integer" },
"max_score": { "type": "integer" },
"cpu_info": { "type": "text" },
"total_memory_gb": { "type": "float" },
"security_hardware": { "type": "keyword" }
}
},
"os_assessment": {
"properties": {
"score": { "type": "integer" },
"max_score": { "type": "integer" },
"version_support": { "type": "keyword" },
"crypto_frameworks": { "type": "keyword" }
}
},
"crypto_libraries": {
"properties": {
"score": { "type": "integer" },
"max_score": { "type": "integer" },
"openssl_version": { "type": "keyword" },
"system_crypto": { "type": "keyword" }
}
},
"network_assessment": {
"properties": {
"score": { "type": "integer" },
"max_score": { "type": "integer" },
"bandwidth_capable": { "type": "boolean" },
"protocol_support": { "type": "keyword" }
}
}
}
},
"scan": {
"properties": {
"mode": { "type": "keyword" },
"target": { "type": "keyword" },
"duration_ms": { "type": "long" },
"options": { "type": "keyword" }
}
},
"keystore": {
"properties": {
"type": { "type": "keyword" },
"path": { "type": "keyword" },
"accessible": { "type": "boolean" },
"requires_auth": { "type": "boolean" },
"cert_count": { "type": "integer" },
"owner": { "type": "keyword" },
"permissions": { "type": "keyword" },
"error_message": { "type": "text" },
"stats": {
"properties": {
"vulnerable_certificates": { "type": "integer" },
"pqc_vulnerable_certificates": { "type": "integer" },
"expired_certificates": { "type": "integer" },
"expiring_soon_certificates": { "type": "integer" },
"certificate_types": { "type": "object" },
"key_algorithms": { "type": "object" }
}
}
}
},
"crypto": {
"properties": {
"key_algorithm": { "type": "keyword" },
"key_size": { "type": "integer" },
"signature_algorithm": { "type": "keyword" },
"fingerprint_sha1": { "type": "keyword" }
}
},
"vulnerability": {
"properties": {
"is_vulnerable": { "type": "boolean" },
"risk_level": { "type": "keyword" },
"risk_reason": { "type": "text" },
"cve_list": { "type": "keyword" },
"fixed_in_version": { "type": "keyword" }
}
},
"pqc": {
"properties": {
"vulnerable": { "type": "boolean" },
"reason": { "type": "text" }
}
},
"active": { "type": "boolean" },
"last_seen": { "type": "date" }
}
}
}
}Execute TYCHON Quantum Readiness with direct Elasticsearch posting for immediate indexing:
#!/bin/bash
# Direct Elasticsearch Integration Script
ELASTIC_URL="https://elastic.company.com:9200"
ELASTIC_API_KEY="your-elasticsearch-api-key"
INDEX_PREFIX="crypto-assets"
CERTSCANNER_PATH="/opt/certscanner/certscanner"
# Get current date for index naming
CURRENT_DATE=$(date +"%Y-%m")
INDEX_NAME="${INDEX_PREFIX}-${CURRENT_DATE}"
echo "🔍 Starting TYCHON Quantum Readiness with Elasticsearch integration..."
echo "Target: $ELASTIC_URL"
echo "Index: $INDEX_NAME"
# Execute comprehensive local scan
$CERTSCANNER_PATH -mode local \
-scanfilesystem \
-scanmemory \
-scanconnected \
-scanoutlookarchives \
-posttoelastic \
-elasticnode "$ELASTIC_URL" \
-elasticapikey "$ELASTIC_API_KEY" \
-elasticindex "$INDEX_NAME" \
-tags "environment:production,scan_type:comprehensive,source:direct"
if [ $? -eq 0 ]; then
echo "✅ Scan completed successfully and posted to Elasticsearch"
# Query Elasticsearch to verify data ingestion
curl -X GET "${ELASTIC_URL}/${INDEX_NAME}/_count" \
-H "Authorization: ApiKey ${ELASTIC_API_KEY}" \
-H "Content-Type: application/json"
else
echo "❌ TYCHON Quantum Readiness execution failed"
exit 1
fiSet up automated scanning with cron for continuous monitoring:
#!/bin/bash
# /opt/certscanner/elasticsearch-scheduled-scan.sh
# Automated TYCHON Quantum Readiness execution with Elasticsearch integration
ELASTIC_URL="${ELASTIC_URL:-https://elastic.company.com:9200}"
ELASTIC_API_KEY="${ELASTIC_API_KEY}"
LOG_DIR="/var/log/certscanner"
CERTSCANNER_PATH="/opt/certscanner/certscanner"
# Ensure log directory exists
mkdir -p "$LOG_DIR"
# Generate index with timestamp
TIMESTAMP=$(date +"%Y-%m-%d-%H")
INDEX_NAME="crypto-assets-${TIMESTAMP}"
# Log execution start
echo "$(date): Starting scheduled TYCHON Quantum Readiness execution" >> "$LOG_DIR/elasticsearch-integration.log"
# Execute scan based on scan type parameter
SCAN_TYPE="${1:-comprehensive}"
case "$SCAN_TYPE" in
"quick")
echo "🚀 Executing quick connectivity scan..."
$CERTSCANNER_PATH -mode local \
-scanconnected \
-quickscan \
-posttoelastic \
-elasticnode "$ELASTIC_URL" \
-elasticapikey "$ELASTIC_API_KEY" \
-elasticindex "crypto-connectivity-$TIMESTAMP" \
-tags "scan_type:quick,environment:production,schedule:automated"
;;
"comprehensive")
echo "🔍 Executing comprehensive crypto scan..."
$CERTSCANNER_PATH -mode local \
-scanfilesystem \
-scanmemory \
-scanconnected \
-scanoutlookarchives \
-posttoelastic \
-elasticnode "$ELASTIC_URL" \
-elasticapikey "$ELASTIC_API_KEY" \
-elasticindex "$INDEX_NAME" \
-tags "scan_type:comprehensive,environment:production,schedule:automated"
;;
"network")
echo "🌐 Executing network discovery scan..."
$CERTSCANNER_PATH -arpscan \
-ports 443,22,8443,993,995,465 \
-cipherscan \
-posttoelastic \
-elasticnode "$ELASTIC_URL" \
-elasticapikey "$ELASTIC_API_KEY" \
-elasticindex "crypto-network-$TIMESTAMP" \
-tags "scan_type:network,environment:production,schedule:automated"
;;
*)
echo "❌ Unknown scan type: $SCAN_TYPE"
echo "Valid options: quick, comprehensive, network"
exit 1
;;
esac
EXIT_CODE=$?
if [ $EXIT_CODE -eq 0 ]; then
echo "$(date): Scan completed successfully, data posted to $INDEX_NAME" >> "$LOG_DIR/elasticsearch-integration.log"
# Verify data ingestion
sleep 5 # Allow time for indexing
DOC_COUNT=$(curl -s -X GET "${ELASTIC_URL}/${INDEX_NAME}/_count" \
-H "Authorization: ApiKey ${ELASTIC_API_KEY}" | \
jq -r '.count // "unknown"')
echo "📊 Documents indexed: $DOC_COUNT"
echo "$(date): $DOC_COUNT documents indexed in $INDEX_NAME" >> "$LOG_DIR/elasticsearch-integration.log"
else
echo "$(date): Scan failed with exit code $EXIT_CODE" >> "$LOG_DIR/elasticsearch-integration.log"
exit $EXIT_CODE
fi# Edit crontab
crontab -e
# Add scheduled TYCHON Quantum Readiness executions
# Quick connectivity scan every 15 minutes
*/15 * * * * /opt/certscanner/elasticsearch-scheduled-scan.sh quick
# Comprehensive scan every 4 hours
0 */4 * * * /opt/certscanner/elasticsearch-scheduled-scan.sh comprehensive
# Network discovery scan daily at 2 AM
0 2 * * * /opt/certscanner/elasticsearch-scheduled-scan.sh network#!/bin/bash
# Multi-node TYCHON Quantum Readiness deployment with Elasticsearch
# Deploy across multiple hosts with centralized Elasticsearch
HOSTS_FILE="${1:-/etc/certscanner/hosts.txt}"
ELASTIC_URL="${ELASTIC_URL:-https://elastic.company.com:9200}"
ELASTIC_API_KEY="${ELASTIC_API_KEY}"
CERTSCANNER_BINARY="/opt/certscanner/certscanner"
if [ ! -f "$HOSTS_FILE" ]; then
echo "❌ Hosts file not found: $HOSTS_FILE"
echo "Create a file with one hostname/IP per line"
exit 1
fi
echo "🚀 Starting distributed TYCHON Quantum Readiness deployment to Elasticsearch..."
# Create deployment index for tracking
DEPLOYMENT_INDEX="tychon-deployment-$(date +%Y-%m-%d)"
while IFS= read -r host; do
[ -z "$host" ] && continue
[ "${host:0:1}" = "#" ] && continue # Skip comments
echo "📡 Deploying to host: $host"
# Execute remote scan via SSH
ssh -o ConnectTimeout=10 "$host" "
# Download TYCHON Quantum Readiness if not present
if [ ! -f '$CERTSCANNER_BINARY' ]; then
echo 'Downloading TYCHON Quantum Readiness...'
mkdir -p /opt/certscanner
wget -O '$CERTSCANNER_BINARY' 'https://github.com/tychonio/certscanner/releases/latest/download/certscanner-linux-x64'
chmod +x '$CERTSCANNER_BINARY'
fi
# Execute scan with Elasticsearch integration
'$CERTSCANNER_BINARY' -mode local \
-scanfilesystem \
-scanconnected \
-posttoelastic \
-elasticnode '$ELASTIC_URL' \
-elasticapikey '$ELASTIC_API_KEY' \
-elasticindex 'crypto-assets-distributed-$(date +%Y-%m)' \
-tags 'deployment:distributed,host:$host,source:ssh'
" &
# Limit concurrent executions
(($(jobs -r | wc -l) >= 5)) && wait
done < "$HOSTS_FILE"
# Wait for all background jobs to complete
wait
echo "✅ Distributed deployment completed"
# Generate deployment summary
curl -X GET "${ELASTIC_URL}/crypto-assets-distributed-*/_search" \
-H "Authorization: ApiKey ${ELASTIC_API_KEY}" \
-H "Content-Type: application/json" \
-d '{
"size": 0,
"aggs": {
"hosts": {
"terms": {
"field": "host.hostname",
"size": 100
},
"aggs": {
"assets": {
"value_count": {
"field": "_id"
}
}
}
}
}
}' | jq '.aggregations.hosts.buckets[] | {host: .key, assets: .assets.value}'# docker-compose.yml for TYCHON Quantum Readiness with Elasticsearch
version: '3.8'
services:
tychon-scanner-scheduler:
image: tychon-acdi:latest
environment:
- ELASTIC_URL=https://elastic.company.com:9200
- ELASTIC_API_KEY=${ELASTIC_API_KEY}
- SCAN_INTERVAL=3600 # 1 hour
volumes:
- /:/host-root:ro
- ./scripts:/scripts:ro
command: >
sh -c "
while true; do
echo 'Starting scheduled TYCHON Quantum Readiness execution...'
/opt/certscanner/certscanner -mode local \
-scanfilesystem \
-scanconnected \
-posttoelastic \
-elasticnode \$ELASTIC_URL \
-elasticapikey \$ELASTIC_API_KEY \
-elasticindex 'crypto-assets-docker-$(date +%Y-%m)' \
-tags 'deployment:docker,environment:production'
echo 'Scan completed, sleeping for \$SCAN_INTERVAL seconds...'
sleep \$SCAN_INTERVAL
done
"
restart: unless-stopped
tychon-scanner-network:
image: tychon-acdi:latest
environment:
- ELASTIC_URL=https://elastic.company.com:9200
- ELASTIC_API_KEY=${ELASTIC_API_KEY}
command: >
sh -c "
# Daily network discovery
while true; do
/opt/certscanner/certscanner -arpscan \
-ports 443,22,8443,993,995 \
-posttoelastic \
-elasticnode \$ELASTIC_URL \
-elasticapikey \$ELASTIC_API_KEY \
-elasticindex 'crypto-network-$(date +%Y-%m-%d)' \
-tags 'deployment:docker,scan_type:network'
sleep 86400 # Daily
done
"
network_mode: "host"
restart: unless-stoppedQuery examples for the new data type separation indexes. Replace {suffix} with your actual suffix:
GET tychon-pqc-*-{suffix}/_search
{
"query": {
"bool": {
"must": [
{ "term": { "pqc.vulnerable": true } }
]
}
},
"aggs": {
"by_index": {
"terms": {
"field": "_index",
"size": 20
},
"aggs": {
"by_host": {
"terms": {
"field": "observer.hostname",
"size": 10
}
}
}
},
"asset_types": {
"terms": {
"field": "asset_type",
"size": 10
}
}
},
"sort": [
{ "@timestamp": { "order": "desc" } }
]
}GET tychon-pqc-certificates-{suffix}/_search
{
"query": {
"bool": {
"must": [
{ "exists": { "field": "tls.certificate.not_after" } },
{
"range": {
"tls.certificate.not_after": {
"gte": "now",
"lte": "now+90d"
}
}
}
]
}
},
"aggs": {
"expiring_soon": {
"date_histogram": {
"field": "tls.certificate.not_after",
"calendar_interval": "week",
"format": "yyyy-MM-dd"
},
"aggs": {
"hosts": {
"terms": {
"field": "observer.hostname",
"size": 10
}
}
}
}
},
"sort": [
{ "tls.certificate.not_after": { "order": "asc" } }
]
}GET tychon-pqc-ciphers-{suffix}/_search
{
"query": {
"bool": {
"should": [
{ "wildcard": { "tls.cipher": "*RC4*" } },
{ "wildcard": { "tls.cipher": "*DES*" } },
{ "wildcard": { "tls.server.cipher": "*MD5*" } },
{ "wildcard": { "tls.server.cipher": "*SHA1*" } },
{ "term": { "quantum_ready_cipher": false } }
],
"minimum_should_match": 1
}
},
"aggs": {
"weak_ciphers": {
"terms": {
"field": "tls.server.cipher",
"size": 20
}
},
"protocol_versions": {
"terms": {
"field": "tls.server.protocol_version",
"size": 10
}
},
"affected_hosts": {
"terms": {
"field": "observer.hostname",
"size": 50
}
},
"quantum_readiness": {
"terms": {
"field": "quantum_ready",
"size": 2
}
}
}
}GET tychon-pqc-keystores-{suffix}/_search
{
"query": {
"bool": {
"must": [
{ "term": { "event.action": "keystore_discovered" } }
]
}
},
"aggs": {
"keystore_types": {
"terms": {
"field": "keystore.type",
"size": 10
},
"aggs": {
"total_vulnerable_certs": {
"sum": {
"field": "keystore.stats.vulnerable_certificates"
}
},
"total_pqc_vulnerable_certs": {
"sum": {
"field": "keystore.stats.pqc_vulnerable_certificates"
}
},
"avg_cert_count": {
"avg": {
"field": "keystore.cert_count"
}
}
}
},
"accessibility_issues": {
"filters": {
"filters": {
"not_accessible": { "term": { "keystore.accessible": false } },
"requires_auth": { "term": { "keystore.requires_auth": true } },
"has_errors": { "exists": { "field": "keystore.error_message" } }
}
}
}
}
}GET tychon-pqc-ssh-keys-{suffix}/_search
{
"query": {
"bool": {
"must": [
{ "exists": { "field": "ssh.server.host_key" } }
]
}
},
"aggs": {
"key_types": {
"terms": {
"field": "ssh.server.host_key.type",
"size": 20
},
"aggs": {
"avg_key_size": {
"avg": {
"field": "ssh.server.host_key.bits"
}
},
"quantum_ready_count": {
"filter": {
"term": { "quantum_ready": true }
}
}
}
},
"key_size_distribution": {
"histogram": {
"field": "ssh.server.host_key.bits",
"interval": 512
}
},
"hosts_by_banner": {
"terms": {
"field": "ssh.banner",
"size": 10
}
}
}
}GET tychon-pqc-processes-{suffix}/_search
{
"query": {
"bool": {
"must": [
{ "term": { "event.action": "crypto_library_in_memory" } }
]
}
},
"aggs": {
"library_types": {
"terms": {
"field": "library.name",
"size": 20
},
"aggs": {
"versions": {
"terms": {
"field": "library.version",
"size": 10
}
},
"crypto_types": {
"terms": {
"field": "library.crypto_type",
"size": 5
}
}
}
},
"process_owners": {
"terms": {
"field": "process.name",
"size": 20
}
},
"vulnerable_libraries": {
"filter": {
"term": { "vulnerability.is_vulnerable": true }
},
"aggs": {
"by_library": {
"terms": {
"field": "library.name",
"size": 10
}
}
}
}
}
}{
"version": "8.11.0",
"objects": [
{
"id": "crypto-executive-dashboard",
"type": "dashboard",
"attributes": {
"title": "Executive Crypto Security Dashboard",
"description": "High-level cryptographic security posture overview",
"panelsJSON": "[
{
\"gridData\": {\"x\": 0, \"y\": 0, \"w\": 24, \"h\": 8},
\"panelIndex\": \"1\",
\"embeddableConfig\": {},
\"panelRefName\": \"panel_1\"
},
{
\"gridData\": {\"x\": 24, \"y\": 0, \"w\": 24, \"h\": 8},
\"panelIndex\": \"2\",
\"embeddableConfig\": {},
\"panelRefName\": \"panel_2\"
},
{
\"gridData\": {\"x\": 0, \"y\": 8, \"w\": 48, \"h\": 12},
\"panelIndex\": \"3\",
\"embeddableConfig\": {},
\"panelRefName\": \"panel_3\"
}
]",
"references": [
{
"name": "panel_1",
"type": "visualization",
"id": "crypto-assets-count-metric"
},
{
"name": "panel_2",
"type": "visualization",
"id": "pqc-vulnerability-rate"
},
{
"name": "panel_3",
"type": "visualization",
"id": "crypto-timeline-visualization"
}
]
}
},
{
"id": "crypto-assets-count-metric",
"type": "visualization",
"attributes": {
"title": "Total Crypto Assets Discovered",
"visState": "{
\"title\": \"Total Crypto Assets\",
\"type\": \"metric\",
\"aggs\": [
{
\"id\": \"1\",
\"type\": \"count\",
\"params\": {}
}
]
}",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{
\"index\": \"crypto-assets-*\",
\"query\": {
\"match_all\": {}
}
}"
}
}
},
{
"id": "pqc-vulnerability-rate",
"type": "visualization",
"attributes": {
"title": "PQC Vulnerability Rate",
"visState": "{
\"title\": \"PQC Vulnerability Rate\",
\"type\": \"gauge\",
\"aggs\": [
{
\"id\": \"1\",
\"type\": \"avg\",
\"params\": {
\"field\": \"tychon.pqc_vulnerable\"
}
}
]
}",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{
\"index\": \"crypto-assets-*\",
\"query\": {
\"bool\": {
\"must\": [
{ \"exists\": { \"field\": \"tychon.pqc_vulnerable\" } }
]
}
}
}"
}
}
}
]
}{
"id": "crypto-security-ops-dashboard",
"type": "dashboard",
"attributes": {
"title": "Crypto Security Operations",
"description": "Detailed crypto security monitoring for SOC teams",
"panelsJSON": "[
{
\"gridData\": {\"x\": 0, \"y\": 0, \"w\": 24, \"h\": 12},
\"panelIndex\": \"1\",
\"embeddableConfig\": {
\"title\": \"Crypto Asset Discovery Timeline\"
},
\"panelRefName\": \"panel_timeline\"
},
{
\"gridData\": {\"x\": 24, \"y\": 0, \"w\": 24, \"h\": 12},
\"panelIndex\": \"2\",
\"embeddableConfig\": {
\"title\": \"PQC Vulnerability Heatmap\"
},
\"panelRefName\": \"panel_heatmap\"
},
{
\"gridData\": {\"x\": 0, \"y\": 12, \"w\": 48, \"h\": 16},
\"panelIndex\": \"3\",
\"embeddableConfig\": {
\"title\": \"Crypto Asset Details\"
},
\"panelRefName\": \"panel_table\"
}
]",
"references": [
{
"name": "panel_timeline",
"type": "lens",
"id": "crypto-discovery-timeline"
},
{
"name": "panel_heatmap",
"type": "lens",
"id": "pqc-vulnerability-heatmap"
},
{
"name": "panel_table",
"type": "lens",
"id": "crypto-asset-details-table"
}
]
}
}PUT _watcher/watch/pqc-vulnerability-alert
{
"metadata": {
"name": "PQC Vulnerability Detection",
"description": "Alert when PQC-vulnerable crypto assets are discovered"
},
"trigger": {
"schedule": {
"interval": "15m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": ["crypto-assets-*"],
"body": {
"query": {
"bool": {
"must": [
{ "term": { "tychon.pqc_vulnerable": true } },
{
"range": {
"@timestamp": {
"gte": "now-15m"
}
}
}
]
}
},
"aggs": {
"vulnerable_by_host": {
"terms": {
"field": "host.hostname",
"size": 20
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total.value": {
"gt": 0
}
}
},
"actions": {
"send_slack_alert": {
"slack": {
"message": {
"to": ["#security-alerts"],
"text": "🚨 PQC Vulnerability Alert: {{ctx.payload.hits.total.value}} new PQC-vulnerable crypto assets detected across {{ctx.payload.aggregations.vulnerable_by_host.buckets.length}} hosts"
}
}
},
"create_ticket": {
"webhook": {
"scheme": "https",
"host": "api.company.com",
"port": 443,
"method": "post",
"path": "/security/tickets",
"params": {},
"headers": {
"Content-Type": "application/json",
"Authorization": "Bearer {{ctx.metadata.api_token}}"
},
"body": "{
\"title\": \"PQC Vulnerability Alert\",
\"description\": \"{{ctx.payload.hits.total.value}} PQC-vulnerable crypto assets detected\",
\"priority\": \"high\",
\"category\": \"cryptographic_security\"
}"
}
}
}
}PUT _watcher/watch/certificate-expiration-alert
{
"metadata": {
"name": "Certificate Expiration Alert",
"description": "Alert on certificates expiring within 30 days"
},
"trigger": {
"schedule": {
"daily": {
"at": ["09:00"]
}
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": ["crypto-assets-*"],
"body": {
"query": {
"bool": {
"must": [
{ "exists": { "field": "tls.certificate.not_after" } },
{
"range": {
"tls.certificate.not_after": {
"gte": "now",
"lte": "now+30d"
}
}
}
]
}
},
"aggs": {
"expiring_by_week": {
"date_histogram": {
"field": "tls.certificate.not_after",
"calendar_interval": "week"
},
"aggs": {
"certificates": {
"terms": {
"field": "tls.certificate.subject.common_name",
"size": 100
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total.value": {
"gt": 0
}
}
},
"actions": {
"send_email_report": {
"email": {
"to": ["security-team@company.com"],
"subject": "Certificate Expiration Report - {{ctx.payload.hits.total.value}} Certificates Expiring",
"body": {
"html": "
Certificate Expiration Report
{{ctx.payload.hits.total.value}} certificates are expiring within the next 30 days.
Expiration Timeline:
{{#ctx.payload.aggregations.expiring_by_week.buckets}}
- {{key_as_string}}: {{doc_count}} certificates
{{/ctx.payload.aggregations.expiring_by_week.buckets}}
Please review and plan certificate renewals accordingly.
"
}
}
}
}
}PUT _watcher/watch/scan-failure-detection
{
"metadata": {
"name": "TYCHON Quantum Readiness Execution Monitoring",
"description": "Detect when TYCHON Quantum Readiness fails to report data"
},
"trigger": {
"schedule": {
"interval": "30m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": ["crypto-assets-*"],
"body": {
"query": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"gte": "now-2h"
}
}
}
]
}
},
"aggs": {
"hosts_reporting": {
"terms": {
"field": "host.hostname",
"size": 1000
}
}
}
}
}
}
},
"condition": {
"script": {
"source": "
def expected_hosts = ['server1', 'server2', 'server3']; // Define expected hosts
def reporting_hosts = ctx.payload.aggregations.hosts_reporting.buckets.stream()
.map(bucket -> bucket.key).collect(Collectors.toList());
def missing_hosts = expected_hosts.stream()
.filter(host -> !reporting_hosts.contains(host))
.collect(Collectors.toList());
return missing_hosts.size() > 0;
"
}
},
"actions": {
"alert_missing_hosts": {
"logging": {
"level": "warn",
"text": "TYCHON Quantum Readiness data missing from expected hosts. Check scanner deployment and execution."
}
}
}
}PUT _watcher/watch/quantum-readiness-degradation
{
"metadata": {
"name": "Quantum Readiness Score Degradation",
"description": "Alert when quantum readiness scores drop below acceptable thresholds"
},
"trigger": {
"schedule": {
"interval": "1h"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": ["crypto-assets-*"],
"body": {
"query": {
"bool": {
"must": [
{ "exists": { "field": "quantum_readiness.total_score" } },
{
"range": {
"@timestamp": {
"gte": "now-1h"
}
}
},
{
"range": {
"quantum_readiness.total_score": {
"lt": 60
}
}
}
]
}
},
"aggs": {
"low_score_systems": {
"terms": {
"field": "host.hostname",
"size": 20
},
"aggs": {
"avg_score": {
"avg": {
"field": "quantum_readiness.total_score"
}
},
"system_type": {
"terms": {
"field": "quantum_readiness.system_classification"
}
}
}
},
"critical_failures": {
"filter": {
"exists": {
"field": "quantum_readiness.critical_failures"
}
},
"aggs": {
"failure_hosts": {
"terms": {
"field": "host.hostname"
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total.value": {
"gt": 0
}
}
},
"actions": {
"send_quantum_alert": {
"slack": {
"message": {
"to": ["#security-alerts"],
"text": "⚠️ Quantum Readiness Alert: {{ctx.payload.hits.total.value}} systems with quantum readiness scores below 60. {{ctx.payload.aggregations.low_score_systems.buckets.length}} unique hosts affected."
}
}
},
"create_quantum_ticket": {
"webhook": {
"scheme": "https",
"host": "api.company.com",
"port": 443,
"method": "post",
"path": "/security/tickets",
"headers": {
"Content-Type": "application/json",
"Authorization": "Bearer {{ctx.metadata.api_token}}"
},
"body": "{
\"title\": \"Quantum Readiness Score Degradation\",
\"description\": \"{{ctx.payload.hits.total.value}} systems below quantum readiness threshold\",
\"priority\": \"medium\",
\"category\": \"quantum_readiness\"
}"
}
}
}
}Expanded scanning capabilities (VPN clients, IPSec configs, quantum readiness, enhanced crypto analysis) significantly increase data volume and complexity across all data types. Plan cluster expansion accordingly.
Upsert Strategy: Each endpoint gets one document that's updated with latest state (90% less storage).
Historical Strategy: Every scan creates a new timestamped document (enables trend analysis but 10x+ storage growth).
| Data Type | Per Host |
|---|---|
| Certificates | 50-200 KB |
| Crypto Libraries | 100-500 KB |
| VPN Clients | 50-300 KB |
| IPSec Configs | 25-150 KB |
| Quantum Readiness | 10-50 KB |
| Total per Host | 235 KB - 1.2 MB |
1000 hosts = 235 MB - 1.2 GB total
| Scan Frequency | Daily Volume |
|---|---|
| Every 4 hours | 6x per day |
| Every 1 hour | 24x per day |
| Continuous (30min) | 48x per day |
| 1000 hosts (4hr) | 1.4 GB - 7.2 GB/day |
| 1000 hosts (1hr) | 5.6 GB - 28.8 GB/day |
Monthly: 42 GB - 864 GB (4hr scans)
| Strategy | Pros | Cons | Best For |
|---|---|---|---|
| Upsert Current State |
• 90% less storage • Fast queries • Simple architecture • Lower costs |
• No historical trends • Can't track changes • Limited compliance • No forensics |
• Current state dashboards • Real-time monitoring • Cost-sensitive deployments |
| Historical Time-Series |
• Full change tracking • Trend analysis • Compliance auditing • Forensic capability |
• 10x+ storage growth • Complex queries • Higher costs • More maintenance |
• Compliance environments • Security analytics • Change management |
| Hybrid Approach |
• Current + history • Flexible retention • Cost optimization • Best of both |
• Complex architecture • Dual maintenance • Query complexity • Setup overhead |
• Enterprise deployments • Mixed requirements • Phased implementations |
crypto-current-statecrypto-history-YYYY-MM# Before VPN/IPSec scanning (1000 endpoints)
Monthly Cost: $2,500-4,000
- Instance costs: $1,800 (m6g.large.search x 6)
- Storage costs: $400 (2TB)
- Data transfer: $300
# After VPN/IPSec scanning (1000 endpoints)
Monthly Cost: $7,500-12,000 (+200-300%)
- Instance costs: $5,400 (m6g.xlarge.search x 9)
- Storage costs: $1,200 (6TB)
- Data transfer: $900# Before VPN/IPSec scanning (1000 endpoints)
Monthly Cost: $2,200-3,800
- Compute: $1,600 (Standard_D4s_v3 x 5)
- Storage: $350 (2TB Premium SSD)
- Bandwidth: $250
# After VPN/IPSec scanning (1000 endpoints)
Monthly Cost: $6,600-11,400 (+200-300%)
- Compute: $4,800 (Standard_D8s_v3 x 6)
- Storage: $1,050 (6TB Premium SSD)
- Bandwidth: $750# Current state index template (upsert pattern)
PUT _index_template/tychon-current-state
{
"index_patterns": ["crypto-current-state"],
"template": {
"settings": {
"number_of_shards": 1,
"number_of_replicas": 1,
"index.refresh_interval": "5s",
"index.mapping.total_fields.limit": 5000,
"index.max_result_window": 50000
},
"mappings": {
"properties": {
"host_id": { "type": "keyword" },
"last_updated": { "type": "date" },
"scan_version": { "type": "keyword" },
"certificates": {
"type": "nested",
"properties": {
"fingerprint_sha256": { "type": "keyword" },
"subject_cn": { "type": "keyword" },
"issuer_cn": { "type": "keyword" },
"not_after": { "type": "date" },
"pqc_vulnerable": { "type": "boolean" },
"source_type": { "type": "keyword" },
"file_path": { "type": "keyword" }
}
},
"crypto_libraries": {
"type": "nested",
"properties": {
"name": { "type": "keyword" },
"version": { "type": "keyword" },
"path": { "type": "keyword" },
"process_name": { "type": "keyword" },
"algorithms": { "type": "keyword" },
"pqc_ready": { "type": "boolean" }
}
},
"vpn_clients": {
"type": "nested",
"properties": {
"vendor": { "type": "keyword" },
"product": { "type": "keyword" },
"version": { "type": "keyword" },
"config_paths": { "type": "keyword" },
"tunnel_protocols": { "type": "keyword" },
"pqc_vulnerable": { "type": "boolean" }
}
},
"ipsec_policies": {
"type": "nested",
"properties": {
"policy_name": { "type": "keyword" },
"encryption_algorithms": { "type": "keyword" },
"hash_algorithms": { "type": "keyword" },
"dh_groups": { "type": "keyword" },
"pqc_vulnerable": { "type": "boolean" }
}
},
"quantum_readiness": {
"properties": {
"total_score": { "type": "integer" },
"percentage": { "type": "float" },
"classification": { "type": "keyword" },
"last_assessment": { "type": "date" },
"critical_issues": { "type": "text" }
}
}
}
}
}
}# Time-series index template (historical pattern)
PUT _index_template/tychon-historical
{
"index_patterns": ["crypto-history-*"],
"template": {
"settings": {
"number_of_shards": 3,
"number_of_replicas": 1,
"index.refresh_interval": "30s",
"index.lifecycle.name": "tychon-historical-policy",
"index.mapping.total_fields.limit": 3000,
"index.routing.allocation.require.data": "hot"
},
"mappings": {
"properties": {
"@timestamp": { "type": "date" },
"scan_id": { "type": "keyword" },
"host_id": { "type": "keyword" },
"scan_type": { "type": "keyword" },
"event_type": { "type": "keyword" },
"data_source": { "type": "keyword" },
"host_info": {
"properties": {
"hostname": { "type": "keyword" },
"ip_address": { "type": "ip" },
"os_family": { "type": "keyword" },
"os_version": { "type": "keyword" },
"architecture": { "type": "keyword" }
}
},
"crypto_asset": {
"properties": {
"asset_type": { "type": "keyword" },
"asset_id": { "type": "keyword" },
"name": { "type": "keyword" },
"version": { "type": "keyword" },
"file_path": { "type": "keyword" },
"fingerprint": { "type": "keyword" },
"algorithms": { "type": "keyword" },
"key_sizes": { "type": "integer" },
"pqc_vulnerable": { "type": "boolean" },
"security_level": { "type": "keyword" },
"expiration_date": { "type": "date" }
}
},
"change_info": {
"properties": {
"change_type": { "type": "keyword" },
"previous_value": { "type": "text" },
"current_value": { "type": "text" },
"change_timestamp": { "type": "date" }
}
}
}
}
}
}# ILM for current state (upsert pattern)
PUT _ilm/policy/tychon-current-state-policy
{
"policy": {
"phases": {
"hot": {
"min_age": "0ms",
"actions": {
"set_priority": {
"priority": 100
}
}
}
}
}
}# ILM for historical data (time-series pattern)
PUT _ilm/policy/tychon-historical-policy
{
"policy": {
"phases": {
"hot": {
"min_age": "0ms",
"actions": {
"rollover": {
"max_size": "2GB",
"max_age": "7d",
"max_docs": 100000
},
"set_priority": {
"priority": 100
}
}
},
"warm": {
"min_age": "7d",
"actions": {
"set_priority": {
"priority": 50
},
"allocate": {
"number_of_replicas": 0,
"require": {
"data": "warm"
}
},
"forcemerge": {
"max_num_segments": 1
}
}
},
"cold": {
"min_age": "30d",
"actions": {
"set_priority": {
"priority": 0
},
"allocate": {
"require": {
"data": "cold"
}
}
}
},
"delete": {
"min_age": "90d",
"actions": {
"delete": {}
}
}
}
}
}# Configure TYCHON for upsert pattern
./certscanner -mode local \
-scanfilesystem -scanmemory -scanconnected \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-key" \
-elasticindex "crypto-current-state" \
-upsert true \
-hostid-field "host_id"
# Each scan updates the same document per host# Configure TYCHON for time-series pattern
./certscanner -mode local \
-scanfilesystem -scanmemory -scanconnected \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-key" \
-elasticindex "crypto-history-$(date +%Y-%m)" \
-include-timestamp true \
-generate-scan-id true
# Each scan creates new timestamped documentsVPN client detection and IPSec configuration analysis introduce new field types and structures that require careful mapping design for optimal search performance.
# Complete mapping template for VPN/IPSec enhanced scanning
PUT _index_template/tychon-comprehensive-mapping
{
"index_patterns": ["crypto-assets-*", "vpn-detection-*", "ipsec-analysis-*"],
"template": {
"mappings": {
"properties": {
"@timestamp": { "type": "date" },
"event": {
"properties": {
"category": { "type": "keyword" },
"type": { "type": "keyword" },
"outcome": { "type": "keyword" },
"dataset": { "type": "keyword" }
}
},
"host": {
"properties": {
"hostname": { "type": "keyword" },
"ip": { "type": "ip" },
"mac": { "type": "keyword" },
"os": {
"properties": {
"family": { "type": "keyword" },
"platform": { "type": "keyword" },
"version": { "type": "keyword" },
"build": { "type": "keyword" }
}
},
"architecture": { "type": "keyword" }
}
},
"vpn_clients": {
"type": "nested",
"properties": {
"client_type": { "type": "keyword" },
"vendor": { "type": "keyword" },
"product_name": { "type": "keyword" },
"version": { "type": "keyword" },
"installation_path": { "type": "keyword" },
"configuration_files": {
"type": "nested",
"properties": {
"path": { "type": "keyword" },
"size_bytes": { "type": "long" },
"last_modified": { "type": "date" },
"contains_credentials": { "type": "boolean" }
}
},
"tunnel_protocols": {
"type": "nested",
"properties": {
"protocol": { "type": "keyword" },
"encryption_algorithm": { "type": "keyword" },
"key_size": { "type": "integer" },
"hash_algorithm": { "type": "keyword" },
"pqc_vulnerable": { "type": "boolean" }
}
},
"authentication_methods": { "type": "keyword" },
"running_processes": {
"type": "nested",
"properties": {
"process_name": { "type": "keyword" },
"pid": { "type": "long" },
"command_line": { "type": "text" },
"memory_usage_mb": { "type": "long" }
}
},
"network_interfaces": {
"type": "nested",
"properties": {
"interface_name": { "type": "keyword" },
"interface_type": { "type": "keyword" },
"ip_address": { "type": "ip" },
"subnet_mask": { "type": "keyword" },
"gateway": { "type": "ip" }
}
},
"security_assessment": {
"properties": {
"security_score": { "type": "integer" },
"risk_level": { "type": "keyword" },
"pqc_vulnerable": { "type": "boolean" },
"pqc_support": { "type": "boolean" },
"vulnerable": { "type": "boolean" },
"weak_crypto": { "type": "boolean" },
"known_vulnerabilities": { "type": "keyword" },
"last_assessed": { "type": "date" }
}
},
"configuration_security": {
"properties": {
"authentication_method": { "type": "keyword" },
"dns_leak_protection": { "type": "boolean" },
"kill_switch": { "type": "boolean" },
"split_tunneling": { "type": "boolean" },
"ipv6_leak_protection": { "type": "boolean" },
"auto_reconnect": { "type": "boolean" },
"logging_enabled": { "type": "boolean" },
"config_encrypted": { "type": "boolean" }
}
}
}
},
"ipsec_configurations": {
"type": "nested",
"properties": {
"policy_name": { "type": "keyword" },
"policy_type": { "type": "keyword" },
"local_address": { "type": "ip" },
"remote_address": { "type": "ip" },
"phase1_settings": {
"properties": {
"encryption_algorithm": { "type": "keyword" },
"hash_algorithm": { "type": "keyword" },
"dh_group": { "type": "keyword" },
"lifetime_seconds": { "type": "long" },
"pqc_vulnerable": { "type": "boolean" }
}
},
"phase2_settings": {
"properties": {
"encryption_algorithm": { "type": "keyword" },
"hash_algorithm": { "type": "keyword" },
"pfs_group": { "type": "keyword" },
"lifetime_seconds": { "type": "long" },
"pqc_vulnerable": { "type": "boolean" }
}
},
"tunnel_mode": { "type": "keyword" },
"authentication_method": { "type": "keyword" },
"certificate_info": {
"properties": {
"subject": { "type": "keyword" },
"issuer": { "type": "keyword" },
"serial_number": { "type": "keyword" },
"not_before": { "type": "date" },
"not_after": { "type": "date" },
"fingerprint_sha256": { "type": "keyword" }
}
},
"security_assessment": {
"properties": {
"security_score": { "type": "integer" },
"risk_level": { "type": "keyword" },
"pqc_vulnerable": { "type": "boolean" },
"pqc_support": { "type": "boolean" },
"vulnerable": { "type": "boolean" },
"weak_crypto": { "type": "boolean" },
"known_vulnerabilities": { "type": "keyword" },
"last_assessed": { "type": "date" }
}
}
}
},
"quantum_readiness": {
"properties": {
"total_score": { "type": "integer" },
"max_score": { "type": "integer" },
"percentage": { "type": "float" },
"system_classification": { "type": "keyword" },
"vpn_assessment": {
"properties": {
"score": { "type": "integer" },
"max_score": { "type": "integer" },
"vulnerable_clients": { "type": "integer" },
"total_clients": { "type": "integer" },
"critical_issues": { "type": "text" }
}
},
"ipsec_assessment": {
"properties": {
"score": { "type": "integer" },
"max_score": { "type": "integer" },
"vulnerable_policies": { "type": "integer" },
"total_policies": { "type": "integer" },
"weak_algorithms": { "type": "keyword" }
}
}
}
}
}
}
}
}# Optimize Elasticsearch for TYCHON Quantum Readiness bulk operations
PUT _cluster/settings
{
"persistent": {
"indices.memory.index_buffer_size": "20%",
"indices.memory.min_index_buffer_size": "96mb",
"thread_pool.bulk.queue_size": 1000,
"thread_pool.bulk.size": 8
}
}#!/bin/bash
# Elasticsearch index optimization for TYCHON Quantum Readiness data
ELASTIC_URL="https://elastic.company.com:9200"
ELASTIC_API_KEY="your-api-key"
# Force merge old indices (older than 7 days)
for index in $(curl -s -H "Authorization: ApiKey $ELASTIC_API_KEY" \
"$ELASTIC_URL/_cat/indices/crypto-assets-*?h=index,creation.date.string" | \
awk '$2 < "'$(date -d '7 days ago' '+%Y-%m-%dT%H:%M:%S.%3NZ')'" {print $1}'); do
echo "🔧 Force merging index: $index"
curl -X POST "$ELASTIC_URL/$index/_forcemerge?max_num_segments=1" \
-H "Authorization: ApiKey $ELASTIC_API_KEY"
done
# Refresh indices for real-time searching
curl -X POST "$ELASTIC_URL/crypto-assets-*/_refresh" \
-H "Authorization: ApiKey $ELASTIC_API_KEY"
echo "✅ Index optimization completed"# Create optimized search templates for common TYCHON Quantum Readiness queries
PUT _scripts/crypto-pqc-vulnerability-search
{
"script": {
"lang": "mustache",
"source": {
"query": {
"bool": {
"must": [
{ "term": { "tychon.pqc_vulnerable": true } },
{
"range": {
"@timestamp": {
"gte": "{{from_date|now-7d}}",
"lte": "{{to_date|now}}"
}
}
}
],
"filter": [
{ "terms": { "host.hostname": "{{hosts|split:','}}" } }
]
}
},
"aggs": {
"vulnerability_summary": {
"terms": {
"field": "tychon.type",
"size": 10
},
"aggs": {
"hosts": {
"terms": {
"field": "host.hostname",
"size": 20
}
}
}
}
}
}
}
}
# Usage example
GET crypto-assets-*/_search/template
{
"id": "crypto-pqc-vulnerability-search",
"params": {
"hosts": "server1,server2,server3",
"from_date": "now-24h"
}
}#!/bin/bash
# Elasticsearch health check for TYCHON Quantum Readiness integration
ELASTIC_URL="${ELASTIC_URL:-https://elastic.company.com:9200}"
ELASTIC_API_KEY="${ELASTIC_API_KEY}"
echo "🔍 Checking Elasticsearch cluster health..."
# Cluster health
HEALTH=$(curl -s -H "Authorization: ApiKey $ELASTIC_API_KEY" \
"$ELASTIC_URL/_cluster/health" | jq -r '.status')
echo "Cluster Health: $HEALTH"
# Index statistics for TYCHON Quantum Readiness indices
echo "📊 TYCHON Quantum Readiness Index Statistics:"
curl -s -H "Authorization: ApiKey $ELASTIC_API_KEY" \
"$ELASTIC_URL/_cat/indices/crypto-assets-*,certscanner-*?v&h=index,docs.count,store.size,creation.date.string&s=creation.date.string:desc"
# Recent indexing rate
echo "📈 Recent Indexing Activity:"
curl -s -H "Authorization: ApiKey $ELASTIC_API_KEY" \
"$ELASTIC_URL/crypto-assets-*/_search" \
-H "Content-Type: application/json" \
-d '{
"size": 0,
"aggs": {
"indexing_rate": {
"date_histogram": {
"field": "@timestamp",
"calendar_interval": "hour",
"format": "yyyy-MM-dd HH:mm"
}
}
},
"query": {
"range": {
"@timestamp": {
"gte": "now-24h"
}
}
}
}' | jq '.aggregations.indexing_rate.buckets[] | {time: .key_as_string, documents: .doc_count}'
# Check for indexing errors
echo "⚠️ Recent Indexing Errors:"
curl -s -H "Authorization: ApiKey $ELASTIC_API_KEY" \
"$ELASTIC_URL/_cat/nodes?v&h=name,indexing.index_failed"#!/bin/bash
# Validate TYCHON Quantum Readiness data quality in Elasticsearch
ELASTIC_URL="${ELASTIC_URL:-https://elastic.company.com:9200}"
ELASTIC_API_KEY="${ELASTIC_API_KEY}"
echo "🔎 Validating TYCHON Quantum Readiness data quality..."
# Check for missing required fields
echo "Missing Required Fields:"
curl -s -H "Authorization: ApiKey $ELASTIC_API_KEY" \
"$ELASTIC_URL/crypto-assets-*/_search" \
-H "Content-Type: application/json" \
-d '{
"size": 0,
"aggs": {
"missing_timestamp": {
"missing": { "field": "@timestamp" }
},
"missing_host": {
"missing": { "field": "host.hostname" }
},
"missing_tychon_type": {
"missing": { "field": "tychon.type" }
}
}
}' | jq '.aggregations | to_entries[] | {field: .key, missing_count: .value.doc_count}'
# Validate data freshness
echo "Data Freshness Check:"
curl -s -H "Authorization: ApiKey $ELASTIC_API_KEY" \
"$ELASTIC_URL/crypto-assets-*/_search" \
-H "Content-Type: application/json" \
-d '{
"size": 0,
"aggs": {
"data_age": {
"date_histogram": {
"field": "@timestamp",
"calendar_interval": "day",
"format": "yyyy-MM-dd"
}
}
},
"query": {
"range": {
"@timestamp": {
"gte": "now-7d"
}
}
}
}' | jq '.aggregations.data_age.buckets[] | {date: .key_as_string, document_count: .doc_count}'Deploy Elasticsearch cluster with appropriate sizing for crypto asset data
Create index templates and ILM policies for TYCHON Quantum Readiness data structure
Use built-in -posttoelastic switches for direct data ingestion
Build visualizations and dashboards for crypto security monitoring
Set up Elasticsearch Watchers for automated crypto security alerts
# PCI-DSS crypto compliance scan (Windows)
.\certscanner-windows-amd64.exe -mode local `
-scanfilesystem -scanconnected `
-posttoelastic `
-elasticnode "https://elastic.company.com:9200" `
-elasticapikey "your-key" `
-elasticindex "pci-compliance-$(Get-Date -Format 'yyyy-MM')" `
-tags "compliance:pci-dss,environment:production"# Emergency crypto asset discovery (Windows)
.\certscanner-windows-amd64.exe -host compromised-server.com `
-ports 443,22,25,993,995,465 `
-cipherscan `
-posttoelastic `
-elasticnode "https://elastic.company.com:9200" `
-elasticapikey "your-key" `
-elasticindex "incident-crypto-$(Get-Date -Format 'yyyyMMdd')" `
-tags "incident:IR-2024-001,priority:critical"# Comprehensive vulnerability scan (Windows)
.\certscanner-windows-amd64.exe -cidr 10.0.0.0/8 `
-ports 443,8443,9443 `
-cipherscan -cipherintelcloud `
-posttoelastic `
-elasticnode "https://elastic.company.com:9200" `
-elasticapikey "your-key" `
-elasticindex "vulnerability-assessment" `
-tags "assessment:quarterly,scope:internal"# Continuous monitoring setup (Windows)
.\certscanner-windows-amd64.exe -mode local `
-scanfilesystem -scanmemory `
-scanconnected -scanoutlookarchives `
-posttoelastic `
-elasticnode "https://elastic.company.com:9200" `
-elasticapikey "your-key" `
-elasticindex "crypto-monitoring-$env:COMPUTERNAME-$(Get-Date -Format 'yyyy-MM')" `
-tags "monitoring:continuous,host:$env:COMPUTERNAME"# PCI-DSS crypto compliance scan (Linux)
./certscanner-linux-x64 -mode local \
-scanfilesystem -scanconnected \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-key" \
-elasticindex "pci-compliance-$(date +%Y-%m)" \
-tags "compliance:pci-dss,environment:production"# Emergency crypto asset discovery (Linux)
./certscanner-linux-x64 -host compromised-server.com \
-ports 443,22,25,993,995,465 \
-cipherscan \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-key" \
-elasticindex "incident-crypto-$(date +%Y%m%d)" \
-tags "incident:IR-2024-001,priority:critical"# Comprehensive vulnerability scan (Linux)
./certscanner-linux-x64 -cidr 10.0.0.0/8 \
-ports 443,8443,9443 \
-cipherscan -cipherintelcloud \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-key" \
-elasticindex "vulnerability-assessment" \
-tags "assessment:quarterly,scope:internal"# Continuous monitoring setup (Linux)
./certscanner-linux-x64 -mode local \
-scanfilesystem -scanmemory \
-scanconnected -scanoutlookarchives \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-key" \
-elasticindex "crypto-monitoring-$(hostname)-$(date +%Y-%m)" \
-tags "monitoring:continuous,host:$(hostname)"# PCI-DSS crypto compliance scan (macOS)
# For Intel Macs:
./certscanner-darwin-amd64 -mode local \
-scanfilesystem -scanconnected \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-key" \
-elasticindex "pci-compliance-$(date +%Y-%m)" \
-tags "compliance:pci-dss,environment:production"
# For Apple Silicon Macs:
./certscanner-darwin-arm64 -mode local \
-scanfilesystem -scanconnected \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-key" \
-elasticindex "pci-compliance-$(date +%Y-%m)" \
-tags "compliance:pci-dss,environment:production"# Emergency crypto asset discovery (macOS)
# For Intel Macs:
./certscanner-darwin-amd64 -host compromised-server.com \
-ports 443,22,25,993,995,465 \
-cipherscan \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-key" \
-elasticindex "incident-crypto-$(date +%Y%m%d)" \
-tags "incident:IR-2024-001,priority:critical"
# For Apple Silicon Macs:
./certscanner-darwin-arm64 -host compromised-server.com \
-ports 443,22,25,993,995,465 \
-cipherscan \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-key" \
-elasticindex "incident-crypto-$(date +%Y%m%d)" \
-tags "incident:IR-2024-001,priority:critical"# Comprehensive vulnerability scan (macOS)
# For Intel Macs:
./certscanner-darwin-amd64 -cidr 10.0.0.0/8 \
-ports 443,8443,9443 \
-cipherscan -cipherintelcloud \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-key" \
-elasticindex "vulnerability-assessment" \
-tags "assessment:quarterly,scope:internal"
# For Apple Silicon Macs:
./certscanner-darwin-arm64 -cidr 10.0.0.0/8 \
-ports 443,8443,9443 \
-cipherscan -cipherintelcloud \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-key" \
-elasticindex "vulnerability-assessment" \
-tags "assessment:quarterly,scope:internal"# Continuous monitoring setup (macOS)
# For Intel Macs:
./certscanner-darwin-amd64 -mode local \
-scanfilesystem -scanconnected -scanoutlookarchives \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-key" \
-elasticindex "crypto-monitoring-$(hostname)-$(date +%Y-%m)" \
-tags "monitoring:continuous,host:$(hostname)"
# For Apple Silicon Macs:
./certscanner-darwin-arm64 -mode local \
-scanfilesystem -scanconnected -scanoutlookarchives \
-posttoelastic \
-elasticnode "https://elastic.company.com:9200" \
-elasticapikey "your-key" \
-elasticindex "crypto-monitoring-$(hostname)-$(date +%Y-%m)" \
-tags "monitoring:continuous,host:$(hostname)"
# Note: -scanmemory is not available on macOSComplete field reference for all TYCHON data types and indexes
TYCHON implements a data type separation strategy for enterprise-scale Elasticsearch deployments. This creates specialized indexes for different data types, enabling optimal performance and granular access control.
The scanner creates the following index types based on scan results:
tychon-pqc-ciphers-{suffix} - TLS cipher suites and cryptographic configurationstychon-pqc-keystores-{suffix} - Certificate stores and keystore analysistychon-pqc-ssh-keys-{suffix} - SSH host keys and server fingerprintstychon-pqc-processes-{suffix} - Running processes with cryptographic librariestychon-pqc-crypto-libraries-{suffix} - Loaded cryptographic libraries and dependenciestychon-pqc-certificates-{suffix} - X.509 certificates and PKI analysistychon-pqc-vpn-clients-{suffix} - VPN client software and configurationstychon-pqc-ipsec-tunnels-{suffix} - IPSec tunnel configurations and security associationstychon-pqc-assets-{suffix} - Mixed/general asset data and fallback categories{
"@timestamp": { "type": "date" },
"agent": {
"name": { "type": "keyword" },
"version": { "type": "keyword" }
},
"host": {
"name": { "type": "keyword" },
"os": {
"family": { "type": "keyword" },
"name": { "type": "keyword" },
"version": { "type": "keyword" },
"platform": { "type": "keyword" }
},
"architecture": { "type": "keyword" },
"ip": { "type": "ip" }
},
"network": {
"transport": { "type": "keyword" }
},
"destination": {
"address": { "type": "keyword" },
"ip": { "type": "ip" },
"port": { "type": "integer" }
},
"source": {
"address": { "type": "keyword" },
"ip": { "type": "ip" },
"port": { "type": "integer" }
}
}{
"tychon": {
"pqc_vulnerable": { "type": "boolean" },
"security_level": { "type": "keyword" },
"type": { "type": "keyword" },
"risk_score": { "type": "float" },
"recommendations": { "type": "text" }
},
"scan_id": { "type": "keyword" },
"scan_type": { "type": "keyword" },
"scan_timestamp": { "type": "date" },
"quantum_ready": { "type": "boolean" },
"quantum_ready_kx": { "type": "boolean" },
"quantum_ready_cipher": { "type": "boolean" },
"quantum_ready_cert": { "type": "boolean" }
}{
"tls": {
"version": { "type": "keyword" },
"version_protocol": { "type": "keyword" },
"cipher": { "type": "keyword" },
"curve": { "type": "keyword" },
"established": { "type": "boolean" },
"next_protocol": { "type": "keyword" },
"certificate": {
"subject": {
"common_name": { "type": "keyword" },
"organization": { "type": "keyword" },
"organizational_unit": { "type": "keyword" },
"country": { "type": "keyword" }
},
"issuer": {
"common_name": { "type": "keyword" },
"organization": { "type": "keyword" },
"country": { "type": "keyword" }
},
"not_before": { "type": "date" },
"not_after": { "type": "date" },
"fingerprint_sha256": { "type": "keyword" },
"fingerprint_sha1": { "type": "keyword" },
"serial_number": { "type": "keyword" },
"signature_algorithm": { "type": "keyword" },
"public_key_algorithm": { "type": "keyword" },
"public_key_size": { "type": "integer" }
}
},
"cipher_suite": { "type": "keyword" },
"key_exchange": { "type": "keyword" },
"authentication": { "type": "keyword" },
"encryption": { "type": "keyword" },
"mac": { "type": "keyword" }
}{
"keystore": {
"path": { "type": "keyword" },
"type": { "type": "keyword" },
"certificate_count": { "type": "integer" },
"private_key_count": { "type": "integer" },
"stats": {
"vulnerable_certificates": { "type": "integer" },
"pqc_vulnerable_certificates": { "type": "integer" },
"expired_certificates": { "type": "integer" },
"expiring_soon_certificates": { "type": "integer" },
"certificate_types": {
"ca": { "type": "long" },
"end_entity": { "type": "long" }
},
"key_algorithms": {
"type": "object",
"dynamic": true,
"RSA": { "type": "integer" },
"ECDSA": { "type": "integer" },
"DSA": { "type": "integer" },
"Ed25519": { "type": "integer" },
"ECDH": { "type": "integer" }
}
},
"certificates": [{
"alias": { "type": "keyword" },
"certificate_type": { "type": "keyword" },
"certificate_type_ca": { "type": "long" },
"certificate_type_end_entity": { "type": "long" },
"subject_dn": { "type": "keyword" },
"issuer_dn": { "type": "keyword" },
"serial_number": { "type": "keyword" },
"not_before": { "type": "date" },
"not_after": { "type": "date" },
"signature_algorithm": { "type": "keyword" },
"public_key_algorithm": { "type": "keyword" },
"public_key_size": { "type": "integer" },
"fingerprint_sha256": { "type": "keyword" }
}]
}
}{
"ssh": {
"host_key": {
"algorithm": { "type": "keyword" },
"fingerprint": { "type": "keyword" },
"length": { "type": "integer" }
},
"server": {
"version": { "type": "keyword" },
"banner": { "type": "text" }
}
},
"service": {
"name": { "type": "keyword" },
"version": { "type": "keyword" }
}
}{
"process": {
"pid": { "type": "integer" },
"name": { "type": "keyword" },
"executable": { "type": "keyword" },
"command_line": { "type": "text" },
"start_time": { "type": "date" },
"owner": { "type": "keyword" }
},
"crypto_libraries": [{
"name": { "type": "keyword" },
"version": { "type": "keyword" },
"path": { "type": "keyword" },
"pqc_support": { "type": "boolean" }
}]
}{
"vpn_client": {
"name": { "type": "keyword" },
"vendor": { "type": "keyword" },
"version": { "type": "keyword" },
"status": { "type": "keyword" },
"active": { "type": "boolean" },
"detection_method": { "type": "keyword" },
"detection_confidence": { "type": "keyword" },
"last_seen": { "type": "date" },
"first_detected": { "type": "date" },
"install_path": { "type": "keyword" },
"config_path": { "type": "keyword" },
"executable_path": { "type": "keyword" },
"service_name": { "type": "keyword" },
"process_id": { "type": "integer" }
},
"vpn_connection": {
"server_address": { "type": "keyword" },
"protocol": { "type": "keyword" },
"port": { "type": "integer" },
"encryption_algorithm": { "type": "keyword" },
"authentication_method": { "type": "keyword" },
"cipher_suite": { "type": "keyword" },
"dh_group": { "type": "keyword" }
},
"vpn_config": {
"authentication_method": { "type": "keyword" },
"encryption_settings": { "type": "text" },
"weak_settings": { "type": "keyword" }
}
}{
"ipsec_tunnel": {
"name": { "type": "keyword" },
"implementation": { "type": "keyword" },
"version": { "type": "keyword" },
"status": { "type": "keyword" },
"active": { "type": "boolean" },
"detection_method": { "type": "keyword" },
"detection_confidence": { "type": "keyword" },
"last_seen": { "type": "date" },
"first_detected": { "type": "date" },
"config_path": { "type": "keyword" }
},
"tunnel_details": {
"local_endpoint": { "type": "ip" },
"remote_endpoint": { "type": "ip" },
"local_subnet": { "type": "keyword" },
"remote_subnet": { "type": "keyword" },
"mode": { "type": "keyword" },
"protocol": { "type": "keyword" }
},
"security_association": {
"spi": { "type": "keyword" },
"encryption_algorithm": { "type": "keyword" },
"authentication_algorithm": { "type": "keyword" },
"pfs_group": { "type": "keyword" },
"lifetime_seconds": { "type": "integer" },
"lifetime_bytes": { "type": "long" }
}
}{
"quantum_readiness": {
"total_score": { "type": "integer" },
"max_score": { "type": "integer" },
"percentage": { "type": "float" },
"system_classification": { "type": "keyword" },
"critical_failures": { "type": "text" },
"assessment_enabled": { "type": "boolean" },
"hardware_assessment": {
"score": { "type": "integer" },
"max_score": { "type": "integer" },
"cpu_info": { "type": "text" },
"total_memory_gb": { "type": "float" },
"security_hardware": { "type": "keyword" }
},
"os_assessment": {
"score": { "type": "integer" },
"max_score": { "type": "integer" },
"version_support": { "type": "keyword" },
"crypto_frameworks": { "type": "keyword" }
},
"network_assessment": {
"score": { "type": "integer" },
"max_score": { "type": "integer" },
"pqc_protocols": { "type": "keyword" },
"vpn_support": { "type": "keyword" }
}
}
}TYCHON uses deterministic SHA256-based document IDs to enable upsert operations:
SHA256(destination.ip + destination.port + tls.cipher + scan_timestamp)SHA256(keystore.path + certificate.fingerprint_sha256)SHA256(destination.ip + ssh.host_key.fingerprint)SHA256(host.name + process.pid + process.start_time)SHA256(vpn_client.name + vpn_client.install_path + host.name)SHA256(ipsec_tunnel.name + tunnel_details.local_endpoint + host.name)SHA256(host.name + assessment_type + scan_timestamp)