Flat NDJSON Output Format - TYCHON Quantum Readiness Documentation

Overview

The Flat NDJSON format outputs one JSON record per line, with each line representing a single cipher suite, certificate, crypto library, or other cryptographic asset. All nested structures are flattened using dot notation.

Best For

• ELK Stack ingestion
• Streaming log analysis
• Time-series databases
• Log aggregation systems

Usage

`.\certscanner-windows-amd64.exe -host example.com `
  -outputformat flatndjson `
  -output stream.ndjson

./certscanner-linux-x64 -host example.com \
  -outputformat flatndjson \
  -output stream.ndjson

# Intel Macs
./certscanner-darwin-amd64 -host example.com \
  -outputformat flatndjson \
  -output stream.ndjson

# Apple Silicon Macs
./certscanner-darwin-arm64 -host example.com \
  -outputformat flatndjson \
  -output stream.ndjson

Complete Flat NDJSON Schema

Schema Overview

Each line in the NDJSON output represents a single cryptographic asset event. All nested JSON structures are flattened using dot notation (e.g., certificate.subject.common_name). Different event types share common base fields but include type-specific fields.

Base Event Fields (All Events)

Field	Type	Required	Description	Example
@timestamp	String	Yes	Event timestamp (ISO 8601)	"2025-09-02T13:45:30.123Z"
event.action	String	Yes	Event type identifier	"cipher_suite_discovered"
event.category	String	Yes	ECS event category	"host", "network"
event.type	String	Yes	ECS event type	"info", "connection"
observer.hostname	String	Yes	Scanning system hostname	"scanner-host.company.com"
observer.ip	Array<String>	No	Scanner IP addresses	["192.168.1.100"]
observer.os.name	String	Yes	Scanner OS name	"Windows", "Linux", "macOS"
observer.os.version	String	No	Scanner OS version	"10.0.19045"
observer.fips_mode_enabled	Boolean	Yes	FIPS 140-2 mode status	true, false
observer.bigfix_client_installed	Boolean	No	Indicates if BigFix client is installed	true, false
observer.bigfix_client_id	String	No	BigFix client ID for asset correlation	"12345678"
observer.software.name	String	Yes	Tool name	"TYCHON Quantum Readiness"
observer.software.version	String	Yes	Tool version	"1.0.42"
scan.type	String	Yes	Scan mode	"local", "remote"
scan.target	String	Yes	Original target specification	"example.com:443"
tags	Array<String>	No	Custom scan tags	["prod", "compliance"]

Quantum Readiness Fields (Local Mode Only) NEW

These fields are added to all events when quantum readiness assessment is enabled in local mode (default). Can be disabled with -disable-quantum-readiness flag.

Field	Type	Description	Example
quantum.assessment_id	String	Unique assessment identifier	"qr_20250915_101539_abc123"
quantum.timestamp	String	Assessment timestamp (ISO 8601)	"2025-09-15T10:15:39.123456-07:00"
quantum.assessment_type	String	Type of assessment performed	"comprehensive"
quantum.system_type	String	Classification of system type	"workstation"
quantum.system_role	String	Primary role of the system	"workstation"
quantum.criticality_level	String	System criticality classification	"standard"
quantum.fips_mode_enabled	Boolean	FIPS 140-2 mode status at assessment time	true, false
quantum.overall_score	Integer	Total quantum readiness score (0-100)	64
quantum.readiness_status	String	Overall readiness classification	"Update Required"
quantum.status_color	String	Color code for status visualization	"orange"
quantum.ready_timeline	String	Estimated timeline to quantum readiness	"2-6 months"
quantum.hardware_score.total_score	Integer	Hardware assessment score (0-40)	32
quantum.hardware_score.cpu_score	Integer	CPU assessment score (0-20)	18
quantum.hardware_score.memory_score	Integer	Memory assessment score (0-15)	14
quantum.hardware_score.security_hardware_score	Integer	Security hardware score (0-5)	0
quantum.operating_system_score.total_score	Integer	OS assessment score (0-30)	15
quantum.operating_system_score.version_score	Integer	OS version score (0-20)	12
quantum.operating_system_score.crypto_framework_score	Integer	Crypto framework score (0-10)	3
quantum.crypto_library_score.total_score	Integer	Crypto library score (0-25)	12
quantum.crypto_library_score.openssl_score	Integer	OpenSSL assessment score (0-15)	8
quantum.crypto_library_score.system_crypto_score	Integer	System crypto score (0-10)	4
quantum.network_score.total_score	Integer	Network assessment score (0-5)	5
quantum.network_score.bandwidth_score	Integer	Bandwidth score (0-3)	3
quantum.network_score.protocol_capability_score	Integer	Protocol capability score (0-2)	2
quantum.recommendations	Array<String>	Actionable recommendations	["Upgrade to macOS 15.0+"]
quantum.detailed_report	String	Comprehensive assessment summary	"System shows moderate quantum readiness..."

Network Target Fields (Remote Scans)

Field	Type	Description	Example
destination.address	String	Target hostname or IP	"example.com"
destination.ip	String	Resolved IP address	"203.0.113.1"
destination.domain	String	Domain name	"example.com"
destination.port	Integer	Target port number	443
network.protocol	String	Network protocol	"tcp"
network.transport	String	Transport protocol	"tcp"
service.name	String	Detected service	"https", "ssh"
service.version	String	Service version (if detected)	"TLSv1.3"

Cipher Suite Event Fields

Event Action: cipher_suite_discovered

Field	Type	Description	Example
tls.version	String	TLS protocol version	"TLSv1.3"
tls.cipher	String	IANA cipher suite name	"TLS_AES_256_GCM_SHA384"
tls.cipher_hex	String	Hex identifier	"0x13,0x02"
tls.key_length	Integer	Key length in bits	256
tls.negotiated_group	String	Key exchange group	"X25519"
tls.is_preferred	Boolean	Server's preferred choice	true
tls.openssl_name	String	OpenSSL cipher name	"ECDHE-RSA-AES256-GCM-SHA384"
security.level	String	Security assessment	"high", "medium", "low"
security.recommendation	String	Security recommendation	"recommended", "legacy"
security.pqc_ready	Boolean	Post-quantum ready	false
security.vulnerabilities	Array<String>	Known vulnerabilities	["BEAST", "CRIME"]
security.nist_category	String	NIST classification	"Recommended"

Certificate Event Fields

Event Actions: network_certificate_discovered, filesystem_certificate_discovered

Field	Type	Description	Example
x509.subject.common_name	String	Certificate subject CN	"example.com"
x509.subject.organization	String	Subject organization	"Example Corp"
x509.subject.organizational_unit	String	Subject OU	"IT Department"
x509.subject.country	String	Subject country	"US"
x509.subject.state_or_province	String	Subject state/province	"California"
x509.subject.locality	String	Subject locality	"San Francisco"
x509.subject.email_address	String	Subject email	"admin@example.com"
x509.subject.raw	String	Complete subject DN	"CN=example.com,O=Example Corp,C=US"
x509.issuer.common_name	String	Issuer CN	"DigiCert TLS RSA SHA256 2020 CA1"
x509.issuer.organization	String	Issuer organization	"DigiCert Inc"
x509.issuer.country	String	Issuer country	"US"
x509.issuer.raw	String	Complete issuer DN	"CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US"
x509.serial_number	String	Certificate serial number	"123456789012345678901234567890"
x509.signature_algorithm	String	Signature algorithm	"SHA256-RSA"
x509.public_key.algorithm	String	Public key algorithm	"RSA", "ECDSA"
x509.public_key.size	Integer	Public key size in bits	2048
x509.public_key.curve	String	Curve name (ECDSA)	"secp384r1"
x509.not_before	String	Valid from date (ISO 8601)	"2024-03-01T00:00:00Z"
x509.not_after	String	Valid until date (ISO 8601)	"2025-03-01T23:59:59Z"
x509.is_expired	Boolean	Whether cert is expired	false
x509.days_until_expiry	Integer	Days until expiration	182
x509.is_self_signed	Boolean	Self-signed certificate	false
x509.is_ca	Boolean	CA certificate	false
x509.fingerprint.sha256	String	SHA-256 fingerprint	"ab:cd:ef:12:34:..."
x509.fingerprint.sha1	String	SHA-1 fingerprint	"12:34:56:78:..."
x509.san	Array<String>	Subject alt names	["*.example.com"]
x509.key_usage	Array<String>	Key usage extensions	["digitalSignature"]
x509.extended_key_usage	Array<String>	Extended key usage	["serverAuth"]

Filesystem Event Fields

Event Action: filesystem_certificate_discovered

Field	Type	Description	Example
file.path	String	Full path to certificate file	"/etc/ssl/certs/ca.pem"
file.name	String	File name only	"ca.pem"
file.extension	String	File extension	".pem"
file.size	Integer	File size in bytes	2048
file.created	String	File creation time	"2024-01-15T10:30:00Z"
file.modified	String	Last modification time	"2024-01-15T10:30:00Z"
file.owner	String	File owner	"root", "DOMAIN\\user"
file.permissions	String	File permissions	"644", "rw-r--r--"
file.hash.sha256	String	SHA-256 hash of file	"a1b2c3d4..."
certificate.format	String	Certificate format	"PEM", "DER", "PKCS12"
certificate.type	String	Certificate type	"x509", "pkcs12"

Memory Library Event Fields

Event Action: crypto_library_discovered

Field	Type	Description	Example
process.pid	Integer	Process ID	1234
process.name	String	Process executable name	"nginx.exe"
process.executable	String	Full executable path	"C:\\nginx\\nginx.exe"
process.command_line	String	Complete command line	"nginx.exe -c nginx.conf"
process.username	String	Process owner	"SYSTEM"
library.name	String	Crypto library name	"OpenSSL"
library.version	String	Library version	"3.0.8"
library.path	String	Library file path	"C:\\openssl\\libssl.dll"
library.crypto_type	String	Crypto implementation type	"openssl", "bcrypt", "java_crypto"
library.product_name	String	Product name from metadata	"OpenSSL Toolkit"
library.company_name	String	Company from metadata	"The OpenSSL Project"
library.file_description	String	File description	"OpenSSL Shared Library"
library.hash.sha256	String	SHA-256 hash of library	"e1f2a3b4..."

Keystore Event Fields NEW

Event Actions: keystore_discovered, keystore_certificate_discovered

Field	Type	Description	Example
keystore.path	String	Full path to keystore file	"/home/user/keystore.p12"
keystore.type	String	Keystore format type	"PKCS12", "JKS", "Windows", "macOS"
keystore.accessible	Boolean	Whether keystore is accessible	true
keystore.requires_auth	Boolean	Whether authentication required	false
keystore.cert_count	Integer	Number of certificates found	15
keystore.owner	String	File owner (if available)	"domain\\username"
keystore.permissions	String	File permissions	"rw-r--r--"
keystore.size	Integer	File size in bytes	2048576
keystore.last_modified	String	Last modification timestamp	"2024-12-01T10:30:00Z"
keystore.error_message	String	Error details if access failed	"Password required"
keystore_certificate.alias	String	Certificate alias in keystore	"my-server-cert"
keystore_certificate.has_private_key	Boolean	Whether private key available	true
keystore_certificate.chain_length	Integer	Certificate chain length	3
keystore_certificate.chain_complete	Boolean	Whether chain is complete	true
keystore_certificate.vulnerable	Boolean	Whether has vulnerabilities	false
keystore_certificate.risk_level	String	Risk assessment level	"low", "medium", "high"
keystore_certificate.pqc_vulnerable	Boolean	Quantum vulnerability status	true
keystore_certificate.pqc_reason	String	Reason for PQC vulnerability	"RSA algorithm vulnerable"

SSH Host Key Event Fields

Event Action: ssh_host_key_discovered

Field	Type	Description	Example
ssh.host_key.algorithm	String	SSH key algorithm	"ssh-rsa", "ecdsa-sha2-nistp256"
ssh.host_key.size	Integer	Key size in bits	2048
ssh.host_key.curve	String	Elliptic curve (ECDSA)	"nistp256"
ssh.host_key.fingerprint.md5	String	MD5 fingerprint (legacy)	"12:34:56:78:..."
ssh.host_key.fingerprint.sha256	String	SHA-256 fingerprint	"SHA256:abcd..."
ssh.host_key.public_key	String	Base64 public key data	"AAAAB3NzaC1yc2E..."
ssh.host_key.is_weak	Boolean	Cryptographically weak key	false
ssh.banner	String	SSH server banner	"SSH-2.0-OpenSSH_8.9"
ssh.server_version	String	SSH server software	"OpenSSH_8.9"

Outlook Archive Event Fields

Event Action: outlook_archive_discovered

Field	Type	Description	Example
file.path	String	Path to PST/OST file	"C:\\Users\\user\\archive.pst"
file.size	Integer	Archive file size	1048576000
outlook.is_encrypted	Boolean	Archive encryption status	true
outlook.encryption_type	String	Encryption method	"Compressible", "High"
outlook.version	String	Outlook version	"2019", "365"
user.name	String	Archive owner username	"john.doe"

VPN Client Event Fields NEW

Event Action: vpn_client_discovered

Field	Type	Description	Example
vpn.client_name	String	VPN client application name	"Palo Alto GlobalProtect"
vpn.vendor	String	Software vendor	"Palo Alto Networks"
vpn.version	String	Client version	"6.3.2-525"
vpn.install_path	String	Installation directory	"/Applications/GlobalProtect.app"
vpn.config_path	String	Configuration file location	"~/Library/Application Support/..."
vpn.executable_path	String	Main executable path	"/Applications/.../GlobalProtect"
vpn.service_name	String	System service identifier	"com.paloaltonetworks.globalprotect"
vpn.status	String	Current operational status	"active", "inactive", "unknown"
vpn.detection_method	String	How client was discovered	"filesystem", "registry", "process"
vpn.detection_confidence	String	Detection accuracy level	"high", "medium", "low"
vpn.pqc_ready	Boolean	Post-quantum cryptography support	true
vpn.quantum_resistance	String	Level of quantum resistance	"high", "medium", "low", "none"
vpn.pqc_migration_status	String	PQC migration readiness	"ready", "partial", "not_ready"
vpn.supported_pqc_algorithms	Array<String>	Supported PQC algorithms	["ML-KEM-512", "ML-DSA-44"]
process.pid	Integer	Process ID (if running)	4473

IPSec Tunnel Event Fields NEW

Event Action: ipsec_tunnel_discovered

Field	Type	Description	Example
ipsec.tunnel_name	String	IPSec tunnel identifier	"strongSwan Site-to-Site"
ipsec.implementation	String	IPSec implementation type	"strongswan", "libreswan", "macOS"
ipsec.config_path	String	Configuration file location	"/etc/ipsec.conf"
ipsec.status	String	Current tunnel status	"active", "inactive", "unknown"
ipsec.detection_method	String	How tunnel was discovered	"config_file", "process", "kernel"
ipsec.detection_confidence	String	Detection accuracy level	"high", "medium", "low"
ipsec.local_subnet	String	Local network subnet	"192.168.1.0/24"
ipsec.remote_subnet	String	Remote network subnet	"10.0.0.0/24"
ipsec.gateway	String	Remote gateway IP address	"203.0.113.1"
ipsec.encryption_algorithms	Array<String>	Configured encryption algorithms	["aes256", "aes128"]
ipsec.integrity_algorithms	Array<String>	Configured hash algorithms	["sha256", "sha1"]
ipsec.key_exchange_groups	Array<String>	Configured DH groups	["modp2048", "ecp256"]
ipsec.pqc_ready	Boolean	Post-quantum cryptography support	false
ipsec.quantum_resistance	String	Level of quantum resistance	"high", "medium", "low", "none"
ipsec.pqc_migration_status	String	PQC migration readiness	"ready", "partial", "not_ready"

Security Intelligence Fields

Applied to cipher suites and cryptographic assets

Field	Type	Description	Possible Values
intel.security_level	String	Overall security assessment	"high", "medium", "low", "insecure"
intel.recommendation	String	Security recommendation	"recommended", "acceptable", "legacy", "avoid"
intel.pqc_ready	Boolean	Post-quantum ready	false
intel.pqc_vulnerable	Boolean	Quantum vulnerable	true
intel.vulnerabilities	Array<String>	Known vulnerabilities	["BEAST", "CRIME", "POODLE"]
intel.nist_category	String	NIST security category	"Recommended", "Legacy-Use", "Deprecated"
intel.friendly_name	String	Human-readable name	"AES-256 with GCM and SHA-384"
intel.description	String	Detailed description	"Advanced Encryption Standard with..."
intel.risk_score	Integer	Numeric risk score (0-100)	25

Event Action Types

Network Discovery Events

• cipher_suite_discovered
• network_certificate_discovered
• ssh_host_key_discovered
• tls_handshake_completed
• protocol_detected

Local Discovery Events

• filesystem_certificate_discovered
• crypto_library_discovered
• outlook_archive_discovered
• private_key_discovered
• java_keystore_discovered
• keystore_discovered NEW
• keystore_certificate_discovered NEW
• vpn_client_discovered NEW
• ipsec_tunnel_discovered NEW

Common Field Patterns

Dot Notation Examples

x509.subject.common_name → Certificate CN

process.executable → Process path

intel.security_level → Risk assessment

file.hash.sha256 → File hash

tls.cipher → Cipher suite name

Array Field Handling

Multiple Values: Arrays become comma-separated

x509.san: "*.example.com,example.com"

tags: "production,compliance,audit"

vulnerabilities: "BEAST,CRIME"

Sample Records

Cipher Suite Record

{"observer.hostname":"scanner-host","observer.software_version":"1.0.42","scan.type":"remote","scan.timestamp":"2025-09-02T09:00:17-04:00","target_host.address":"example.com","target_host.ip":"93.184.216.34","port.number":443,"port.status_overall":"open","port.protocol_detected":"TLS","cipher.protocol":"TLSv1.3","cipher.cipher_suite":"TLS_AES_256_GCM_SHA384","cipher.key_length_bits":256,"cipher.negotiated_group":"X25519","cipher.is_preferred":true,"cipher.intel.security_level":"high","cipher.intel.recommendation":"recommended","x509.subject.distinguished_name":"CN=example.com,O=Example Corp,C=US","x509.serial_number":"123456789012345678901234567890","hash.sha256_certificate":"ab:cd:ef:12:34:56:78:90:..."}

Filesystem Certificate Record

{"observer.hostname":"scanner-host","scan.type":"local","event.action":"filesystem_certificate_discovered","file.path":"/etc/ssl/certs/ca-cert.pem","certificate.subject.common_name":"Internal Root CA","certificate.issuer.common_name":"Internal Root CA","certificate.serial_number":"123456789","x509.is_valid":true,"hash.sha256_certificate":"12:34:56:78:90:ab:cd:ef:..."}

Crypto Library Record

{"observer.hostname":"scanner-host","scan.type":"local","event.action":"crypto_library_in_memory","process.pid":1234,"process.name":"nginx","process.executable":"/usr/sbin/nginx","cryptolibrary.name":"libssl.so.3","cryptolibrary.path":"/usr/lib/x86_64-linux-gnu/libssl.so.3","cryptolibrary.crypto_type":"TLS Library","cryptolibrary.detected_apis":"SSL_connect,SSL_accept,TLS_method"}

Keystore Certificate Record NEW

{"@timestamp":"2025-09-17T14:30:00.000Z","observer.hostname":"scanner-host","scan.type":"local","event.action":"keystore_certificate_discovered","event.category":"file","event.dataset":"keystore_certificate","keystore.path":"/Users/admin/Documents/certificates/server.p12","keystore.type":"PKCS12","keystore.accessible":true,"keystore.cert_count":3,"keystore_certificate.alias":"server-cert","keystore_certificate.has_private_key":true,"keystore_certificate.chain_length":2,"x509.subject.distinguished_name":"CN=api.example.com,O=Example Corp,C=US","x509.issuer.distinguished_name":"CN=Example Internal CA,O=Example Corp,C=US","x509.serial_number":"0x1a2b3c4d5e6f7890","x509.public_key.algorithm":"RSA","x509.public_key.size":2048,"x509.signature_algorithm":"SHA256-RSA","x509.not_before":"2024-01-01T00:00:00Z","x509.not_after":"2025-12-31T23:59:59Z","keystore_certificate.vulnerable":false,"keystore_certificate.risk_level":"medium","keystore_certificate.pqc_vulnerable":true,"keystore_certificate.pqc_reason":"RSA algorithm vulnerable to quantum cryptanalysis"}

Key Features

Data Completeness

• Complete Coverage: All JSON data included
• No Field Filtering: Every certificate field exported
• Certificate Chains: Full chain data flattened
• Process Information: Complete process metadata

Flattening Approach

• Dot Notation: Nested objects flattened with dots
• Array Handling: String arrays joined with commas
• Time Formatting: ISO 8601 RFC3339Nano format
• Intel Maps: Recursively flattened key-value data

Event Types

Network Cipher Events

One record per cipher suite negotiated on network ports

cipher.* fields + certificate.* fields + target_host.* fields

Filesystem Certificate Events

One record per certificate file discovered

event.action="filesystem_certificate_discovered" + certificate.* fields

Memory Crypto Library Events

One record per crypto library found in process memory

event.action="crypto_library_in_memory" + cryptolibrary.* fields

Java Crypto Library Events

One record per Java crypto library discovered

event.action="java_crypto_library_in_memory" + library.* fields

Keystore Certificate Events NEW

One record per certificate found in keystores (PKCS12, JKS, System Stores)

event.action="keystore_certificate_discovered" + keystore.* + x509.* fields

Integration Examples

Elasticsearch Ingestion

# Direct streaming to Elasticsearch
`.\certscanner-windows-amd64.exe -host internal-network.txt -cipherscan `
  -outputformat flatndjson `
  -posttoelastic -elasticnode "https://elastic.company.com:9200" `
  -elasticindex "crypto-scans"

# File-based ingestion
`.\certscanner-windows-amd64.exe -mode local -scanfilesystem `
  -outputformat flatndjson -output certs.ndjson
curl -X POST "elastic.company.com:9200/certs/_bulk" `
  -H "Content-Type: application/x-ndjson" `
  --data-binary "@certs.ndjson"

# Direct streaming to Elasticsearch
./certscanner-linux-x64 -host internal-network.txt -cipherscan \
  -outputformat flatndjson \
  -posttoelastic -elasticnode "https://elastic.company.com:9200" \
  -elasticindex "crypto-scans"

# File-based ingestion
./certscanner-linux-x64 -mode local -scanfilesystem \
  -outputformat flatndjson -output certs.ndjson
curl -X POST "elastic.company.com:9200/certs/_bulk" \
  -H "Content-Type: application/x-ndjson" \
  --data-binary "@certs.ndjson"

# Direct streaming to Elasticsearch - Intel Macs
./certscanner-darwin-amd64 -host internal-network.txt -cipherscan \
  -outputformat flatndjson \
  -posttoelastic -elasticnode "https://elastic.company.com:9200" \
  -elasticindex "crypto-scans"

# File-based ingestion - Intel Macs
./certscanner-darwin-amd64 -mode local -scanfilesystem \
  -outputformat flatndjson -output certs.ndjson
  
# For Apple Silicon Macs, use:
# ./certscanner-darwin-arm64 [same arguments]

curl -X POST "elastic.company.com:9200/certs/_bulk" \
  -H "Content-Type: application/x-ndjson" \
  --data-binary "@certs.ndjson"

Log Analysis Pipeline

# Stream processing with jq
`.\certscanner-windows-amd64.exe -host servers.txt -outputformat flatndjson | `
  jq 'select(.cipher.intel.security_level == "low")' | `
  jq '.target_host.address + ":" + (.port.number | tostring) + " - " + .cipher.cipher_suite'

# Filter for expiring certificates
`.\certscanner-windows-amd64.exe -mode local -scanfilesystem -outputformat flatndjson | `
  jq 'select(.event.action == "filesystem_certificate_discovered") | select(.x509.is_valid == false)'

# Stream processing with jq
./certscanner-linux-x64 -host servers.txt -outputformat flatndjson | \
  jq 'select(.cipher.intel.security_level == "low")' | \
  jq '.target_host.address + ":" + (.port.number | tostring) + " - " + .cipher.cipher_suite'

# Filter for expiring certificates
./certscanner-linux-x64 -mode local -scanfilesystem -outputformat flatndjson | \
  jq 'select(.event.action == "filesystem_certificate_discovered") | select(.x509.is_valid == false)'

# Stream processing with jq - Intel Macs
./certscanner-darwin-amd64 -host servers.txt -outputformat flatndjson | \
  jq 'select(.cipher.intel.security_level == "low")' | \
  jq '.target_host.address + ":" + (.port.number | tostring) + " - " + .cipher.cipher_suite'

# Filter for expiring certificates - Intel Macs (no memory scanning)
./certscanner-darwin-amd64 -mode local -scanfilesystem -outputformat flatndjson | \
  jq 'select(.event.action == "filesystem_certificate_discovered") | select(.x509.is_valid == false)'
  
# For Apple Silicon Macs, replace -darwin-amd64 with -darwin-arm64