← Back to Documentation
Splunk

Splunk Enterprise Integration

Comprehensive cryptographic asset monitoring and analysis in Splunk

Integration Overview

Splunk Enterprise Integration

TYCHON Quantum Readiness provides comprehensive cryptographic asset visibility in Splunk Enterprise through structured log ingestion, custom data models, and purpose-built searches and dashboards.

📥 Data Ingestion

NDJSON and JSON log formats with structured field extraction

🔍 Search Analytics

SPL queries for certificate lifecycle and cipher analysis

📊 Dashboards

Executive and operational views with drill-down capabilities

Log Ingestion Methods

1. File-based Log Monitoring

TYCHON Quantum Readiness Configuration

# Generate NDJSON logs for Splunk monitoring
.\certscanner-windows-amd64.exe -host example.com -ports 443,22,8443 -cipherscan `
  -outputformat flatndjson -output C:\var\log\certscanner\crypto-assets.ndjson

# Scheduled scanning with log rotation
.\certscanner-windows-amd64.exe -mode local -scanfilesystem -scanconnected -scanmemory `
  -outputformat flatndjson -output C:\Program` Files\SplunkUniversalForwarder\var\log\certscanner\daily-scan.ndjson
# Generate NDJSON logs for Splunk monitoring
./certscanner-linux-x64 -host example.com -ports 443,22,8443 -cipherscan \
  -outputformat flatndjson -output /var/log/certscanner/crypto-assets.ndjson

# Scheduled scanning with log rotation
./certscanner-linux-x64 -mode local -scanfilesystem -scanconnected -scanmemory \
  -outputformat flatndjson -output /opt/splunk/var/log/certscanner/daily-scan.ndjson
# Generate NDJSON logs for Splunk monitoring
./certscanner-darwin-amd64 -host example.com -ports 443,22,8443 -cipherscan \
  -outputformat flatndjson -output /var/log/certscanner/crypto-assets.ndjson

# Scheduled scanning with log rotation (no memory scanning on macOS)
./certscanner-darwin-amd64 -mode local -scanfilesystem -scanconnected \
  -outputformat flatndjson -output /opt/splunk/var/log/certscanner/daily-scan.ndjson

Splunk inputs.conf

# Monitor TYCHON Quantum Readiness NDJSON logs
[monitor:///var/log/certscanner/*.ndjson]
disabled = false
sourcetype = certscanner:crypto_assets
index = security
host_segment = 4

# Monitor JSON reports  
[monitor:///opt/certscanner/reports/*.json]
disabled = false
sourcetype = certscanner:scan_report
index = security
host_segment = 4

# Monitor Tychon format logs
[monitor:///var/log/certscanner/*.tychon.ndjson]
disabled = false
sourcetype = certscanner:tychon
index = security
host_segment = 4

2. HTTP Event Collector (HEC) - Direct Integration

Splunk HEC Configuration

# Enable HEC in Splunk Web UI:
# Settings > Data Inputs > HTTP Event Collector > New Token
# Name: tychon-crypto-assets
# Source type: tychon-acdi:crypto_assets  
# Index: tychon-crypto
# Enable indexer acknowledgment: Recommended

Built-in HEC Integration

# Direct HEC integration with authentication token
.\certscanner-windows-amd64.exe -host example.com -ports 443,22,8443 -cipherscan `
  -posttosplunk -splunkurl "https://splunk.company.com:8088" `
  -splunktoken "YOUR_HEC_TOKEN_HERE" -splunkindex "tychon-crypto"

# Using environment variables for security
$env:SPLUNK_URL="https://splunk.company.com:8088"
$env:SPLUNK_TOKEN="YOUR_HEC_TOKEN_HERE" 
$env:SPLUNK_INDEX="tychon-crypto"

.\certscanner-windows-amd64.exe -host example.com -cipherscan -posttosplunk

# Secure configuration storage (recommended for production)
.\certscanner-windows-amd64.exe -config `
  -config-splunkurl "https://splunk.company.com:8088" `
  -config-splunktoken "YOUR_HEC_TOKEN_HERE" `
  -config-splunkindex "tychon-crypto"

# Use stored configuration  
.\certscanner-windows-amd64.exe -host example.com -cipherscan -posttosplunk
# Direct HEC integration with authentication token
./certscanner-linux-x64 -host example.com -ports 443,22,8443 -cipherscan \
  -posttosplunk -splunkurl "https://splunk.company.com:8088" \
  -splunktoken "YOUR_HEC_TOKEN_HERE" -splunkindex "tychon-crypto"

# Using environment variables for security
export SPLUNK_URL="https://splunk.company.com:8088"
export SPLUNK_TOKEN="YOUR_HEC_TOKEN_HERE"
export SPLUNK_INDEX="tychon-crypto"

./certscanner-linux-x64 -host example.com -cipherscan -posttosplunk

# Secure configuration storage (recommended for production)
./certscanner-linux-x64 -config \
  -config-splunkurl "https://splunk.company.com:8088" \
  -config-splunktoken "YOUR_HEC_TOKEN_HERE" \
  -config-splunkindex "tychon-crypto"

# Use stored configuration  
./certscanner-linux-x64 -host example.com -cipherscan -posttosplunk

# Skip SSL verification for self-signed certificates (use with caution)
./certscanner-linux-x64 -host example.com -cipherscan -posttosplunk -insecure
# Direct HEC integration with authentication token
./certscanner-darwin-amd64 -host example.com -ports 443,22,8443 -cipherscan \
  -posttosplunk -splunkurl "https://splunk.company.com:8088" \
  -splunktoken "YOUR_HEC_TOKEN_HERE" -splunkindex "tychon-crypto"

# Using environment variables for security
export SPLUNK_URL="https://splunk.company.com:8088"
export SPLUNK_TOKEN="YOUR_HEC_TOKEN_HERE"
export SPLUNK_INDEX="tychon-crypto"

./certscanner-darwin-amd64 -host example.com -cipherscan -posttosplunk

# Secure configuration storage (recommended for production)
./certscanner-darwin-amd64 -config \
  -config-splunkurl "https://splunk.company.com:8088" \
  -config-splunktoken "YOUR_HEC_TOKEN_HERE" \
  -config-splunkindex "tychon-crypto"

# Use stored configuration  
./certscanner-darwin-amd64 -host example.com -cipherscan -posttosplunk

HEC Integration Features

  • Real-time streaming: Events sent directly to Splunk as they are discovered
  • Event batching: Configurable batch sizes for optimal performance
  • Authentication methods: HEC token or username/password support
  • HTTP/HTTPS support: Automatic protocol detection with SSL verification
  • Secure credential storage: FIPS 140-3 compliant encryption for tokens
  • Error handling: Comprehensive retry logic and error reporting

Advanced HEC Configuration Options

# Full HEC configuration example
./certscanner-linux-x64 -host example.com -cipherscan \
  -posttosplunk \
  -splunkurl "https://splunk.company.com:8088" \
  -splunktoken "YOUR_HEC_TOKEN_HERE" \
  -splunkindex "tychon-crypto" \
  -splunksource "tychon-scanner" \
  -splunksourcetype "tychon-acdi:crypto_assets" \
  -splunkbatch 50 \
  -splunktimeout 30

# Basic authentication instead of token
./certscanner-linux-x64 -host example.com -cipherscan \
  -posttosplunk \
  -splunkurl "https://splunk.company.com:8088" \
  -splunkusername "splunk_user" \
  -splunkpassword "secure_password" \
  -splunkindex "tychon-crypto"

# Environment variables for all HEC settings
export SPLUNK_URL="https://splunk.company.com:8088"
export SPLUNK_TOKEN="YOUR_HEC_TOKEN_HERE"
export SPLUNK_INDEX="tychon-crypto"
export SPLUNK_SOURCE="tychon-scanner"
export SPLUNK_SOURCETYPE="tychon-acdi:crypto_assets"
export SPLUNK_BATCH="100"
export SPLUNK_TIMEOUT="60"

./certscanner-linux-x64 -host example.com -cipherscan -posttosplunk

Legacy HEC Integration (curl-based)

# Stream directly to Splunk HEC
.\certscanner-windows-amd64.exe -host example.com -cipherscan -outputformat flatndjson | `
  Invoke-RestMethod -Uri "https://splunk.company.com:8088/services/collector/raw" `
                   -Method POST `
                   -Headers @{"Authorization" = "Splunk $env:HEC_TOKEN"} `
                   -ContentType "application/json" `
                   -Body $input

# Scheduled task approach (use Task Scheduler instead of cron)
# See Task Scheduler configuration section below
# Stream directly to Splunk HEC
./certscanner-linux-x64 -host example.com -cipherscan -outputformat flatndjson | \
  curl -k "https://splunk.company.com:8088/services/collector/raw" \
       -H "Authorization: Splunk $HEC_TOKEN" \
       -H "Content-Type: application/json" \
       --data-binary @-

# Scheduled scan with HEC posting
*/30 * * * * /opt/certscanner/certscanner-linux-x64 -mode local -scanconnected -scanmemory \
  -outputformat flatndjson | \
  curl -k "https://splunk.company.com:8088/services/collector/raw" \
       -H "Authorization: Splunk $HEC_TOKEN" \
       -H "Content-Type: application/json" \
       --data-binary @-
# Stream directly to Splunk HEC  
./certscanner-darwin-amd64 -host example.com -cipherscan -outputformat flatndjson | \
  curl -k "https://splunk.company.com:8088/services/collector/raw" \
       -H "Authorization: Splunk $HEC_TOKEN" \
       -H "Content-Type: application/json" \
       --data-binary @-

# Scheduled scan with HEC posting (no memory scanning on macOS)
*/30 * * * * /opt/certscanner/certscanner-darwin-amd64 -mode local -scanconnected \
  -outputformat flatndjson | \
  curl -k "https://splunk.company.com:8088/services/collector/raw" \
       -H "Authorization: Splunk $HEC_TOKEN" \
       -H "Content-Type: application/json" \
       --data-binary @-

3. Universal Forwarder Deployment

Distributed Deployment Script

#!/bin/bash
# Deploy TYCHON Quantum Readiness with Universal Forwarder

# Create log directory
mkdir -p /opt/certscanner/logs

# Schedule TYCHON Quantum Readiness execution
cat << 'EOF' > /etc/cron.d/certscanner
# TYCHON Quantum Readiness crypto asset monitoring
0 */6 * * * root /opt/certscanner/certscanner -mode local -scanfilesystem -scanconnected -outputformat flatndjson -output /opt/certscanner/logs/crypto-assets-$(date +\%Y\%m\%d-\%H\%M).ndjson
0 2 * * * root /opt/certscanner/certscanner -arpscan -cipherscan -outputformat flatndjson -output /opt/certscanner/logs/network-scan-$(date +\%Y\%m\%d).ndjson
EOF

# Configure Universal Forwarder
cat << 'EOF' > $SPLUNK_HOME/etc/system/local/inputs.conf
[monitor:///opt/certscanner/logs/*.ndjson]
disabled = false
sourcetype = certscanner:crypto_assets
index = security
host = certscanner_agent

[monitor:///var/log/certscanner/*.json]
disabled = false  
sourcetype = certscanner:scan_report
index = security
host = certscanner_agent
EOF

Comprehensive Data Structure

Rich Dataset - Matching Elasticsearch Integration

Each event sent to Splunk contains comprehensive cryptographic asset information including certificates, TLS details, network information, and TYCHON intelligence data.

Key Data Fields in Each Event

🔐 X.509 Certificate Data

  • x509_subject_common_name
  • x509_issuer_common_name
  • x509_validity_not_before / x509_validity_not_after
  • x509_public_key_algorithm / x509_public_key_size
  • x509_public_key_curve
  • x509_subject_alternative_names_dns
  • hash_sha1_certificate / hash_sha256_certificate

🔒 TLS/SSL Information

  • tls_server_cipher / tls_server_protocol_version
  • tls_server_negotiated_group
  • cipher_suite / key_length_bits
  • ephemeral_key_length_bits
  • alpn_protocol / session_id
  • compression_method / is_preferred
  • extended_master_secret_supported

🌐 Network Information

  • server_address / server_port
  • server_domain
  • network_transport / network_protocol
  • target_host / target_domain
  • port / protocol

🔍 TYCHON Intelligence

  • tychon_cipher_negotiation (full object)
  • tychon_cipher_intelligence
  • observer.hostname / observer.version
  • observer.os.name / observer.architecture
  • observer.bigfix_client_installed / observer.bigfix_client_id
  • event_type (cipher_suite_discovered)

Sample Event Structure

{
  "@timestamp": "2025-09-11T18:02:29Z",
  "event_type": "cipher_suite_discovered",
  "server_address": "github.com",
  "server_port": 443,
  "cipher_suite": "TLS_AES_128_GCM_SHA256",
  "tls_server_cipher": "TLS_AES_128_GCM_SHA256",
  "tls_server_protocol_version": "TLSv1.3",
  "key_length_bits": 128,
  "x509_subject_common_name": "github.com",
  "x509_issuer_common_name": "DigiCert TLS Hybrid ECC SHA384 2020 CA1",
  "x509_validity_not_after": "2025-03-10T23:59:59.000Z",
  "x509_public_key_algorithm": "ECDSA",
  "x509_public_key_size": 256,
  "x509_public_key_curve": "P-256",
  "observer": {
    "hostname": "scanner01",
    "vendor": "TYCHON",
    "version": "1.0.48",
    "os": {"name": "linux", "platform": "ubuntu"}
  },
  "tychon_cipher_negotiation": { /* complete cipher details */ },
  "tychon_cipher_intelligence": { /* security analysis */ }
}

Splunk Data Models & Field Extraction

Field Extraction (props.conf)

# TYCHON Quantum Readiness source types configuration

[tychon-acdi:crypto_assets]
KV_MODE = json
AUTO_KV_JSON = true
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 100000
TIME_PREFIX = "timestamp"\s*:\s*"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 30
category = Application
description = TYCHON Quantum Readiness crypto assets in NDJSON format

# Field aliases for common searches (updated for comprehensive data structure)
FIELDALIAS-certscanner_host = observer.hostname AS host
FIELDALIAS-certscanner_dest = server_address AS dest_ip, server_port AS dest_port
FIELDALIAS-certscanner_cert_cn = x509_subject_common_name AS cert_subject_cn
FIELDALIAS-certscanner_cert_issuer = x509_issuer_common_name AS cert_issuer_cn
FIELDALIAS-certscanner_cipher = cipher_suite AS cipher_name
FIELDALIAS-certscanner_tls = tls_server_cipher AS tls_cipher, tls_server_protocol_version AS tls_version

# Calculated fields
EVAL-cert_expires_days = if(isnotnull(certificate_days_until_expiry), certificate_days_until_expiry, null())
EVAL-cert_status_severity = case(certificate_status="expired", "critical", certificate_status="expiring_soon", "high", certificate_status="expiring_warning", "medium", certificate_status="valid", "low", "unknown")
EVAL-pqc_risk_level = if(pqc_vulnerable==true, "high", "low")

[tychon-acdi:scan_report]  
KV_MODE = json
AUTO_KV_JSON = true
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = "scan_metadata"\s*:\s*{\s*"timestamp"\s*:\s*"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
category = Application
description = TYCHON Quantum Readiness complete scan reports

[tychon-acdi:tychon]
KV_MODE = json  
AUTO_KV_JSON = true
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = "tychon"\s*:\s*{\s*"timestamp"\s*:\s*"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
category = Application
description = TYCHON Quantum Readiness Tychon format with threat intelligence

Event Deduplication & Unique IDs

📋 Unique Event Identification

All TYCHON ACDI scan events include an event_id field containing a unique SHA256-based identifier for deduplication and asset tracking across multiple scans.

Event ID Schema by Asset Type

Asset Type Unique ID Components Deduplication Strategy
cipher_suite host + port + cipher_suite + protocol + observer_id Latest cipher discovery per host/port
ssh_host_key host + port + key_type + fingerprint + observer_id Latest SSH key per host/port
certificate host + port + serial_number + sha256_fingerprint + observer_id Latest certificate per host/port
filesystem_certificate serial_number + sha256_fingerprint + file_path + observer_id Latest filesystem scan per file
process_crypto_library process_id + library_name + library_path + file_version + observer_id Latest library scan per process
vpn_client client_name + vendor + install_path + observer_id Latest VPN client discovery
ipsec_tunnel tunnel_name + implementation + observer_id Latest IPSec tunnel discovery
outlook_archive file_path + file_type + sha256_hash + observer_id Latest archive scan per file
quantum_readiness system_type + criticality_level + overall_score + observer_id Latest quantum assessment per system

Deduplication SPL Queries

Latest Events by Asset Type
sourcetype=certscanner:* asset_type=cipher_suite
| stats latest(_time) as latest_time, latest(*) as * by event_id
| eval _time=latest_time
Latest Crypto Libraries per Observer
sourcetype=certscanner:* asset_type=crypto_library
| stats latest(_time) as latest_time, latest(*) as * by event_id, observer.id
| eval _time=latest_time
Latest Host Summaries
sourcetype=certscanner:* asset_type=host_summary
| stats latest(_time) as latest_time, latest(*) as * by server_address, server_port
| eval _time=latest_time
Dashboard Deduplication Pattern
sourcetype=certscanner:*
| stats latest(_time) as latest_time, latest(*) as * by event_id, observer.id
| eval _time=latest_time
| stats dc(event_id) as unique_assets by asset_type

💡 Best Practice: Observer-Based Deduplication

Always include observer.id in deduplication queries to maintain separate asset inventories per scanning system. This ensures accurate asset counts in distributed environments.

Complete Data Schema

📊 Comprehensive Field Reference

All TYCHON ACDI scan events include standardized fields for consistent analytics and correlation across asset types.

Common Fields (All Event Types)

Field Name Type Description Example
event_id string Unique SHA256-based identifier for deduplication a1b2c3d4e5f6789a
@timestamp datetime Event ingestion timestamp (ISO 8601) 2024-03-15T14:30:45Z
scan_timestamp datetime Original scan execution timestamp 2024-03-15T14:28:12Z
scan_type string Type of scan performed local, remote, memory
scanner_version string TYCHON scanner version 1.0.61
event_type string Specific event category cipher_suite_discovered, process_crypto_library, keystore_certificate_discovered, keystore_discovered
asset_type string High-level asset classification cipher_suite, crypto_library, certificate, keystore_certificate, keystore
observer object Scanning system information (ECS compliant) {"hostname": "scanner01", "id": "uuid"}
tags array User-defined scan tags (optional) ["production", "web-tier"]

Crypto Library Events (asset_type=crypto_library)

Field Name Type Description Example
library_name string Library filename openssl.exe, bcrypt.dll
library_file_version string File version (corrected for Windows system libs) 10.0.22000.1455, 3.0.8
library_path string Full filesystem path C:\\Windows\\System32\\bcrypt.dll
library_product_name string Product name from version info Microsoft® Windows® Operating System
library_company string Company/vendor name Microsoft Corporation, OpenSSL Project
process_id number Process ID using the library 1234
process_name string Process executable name nginx.exe, java.exe
process_path string Full process executable path C:\\Program Files\\nginx\\nginx.exe

Vulnerability Assessment Fields

Field Name Type Description Example
vulnerable boolean Has known vulnerabilities true, false
risk_level string Vulnerability severity level critical, high, medium, low
risk_reason string Human-readable vulnerability description Vulnerable to Heartbleed attack
cve_list array Associated CVE identifiers ["CVE-2014-0160", "CVE-2014-0346"]
fixed_in_version string Version where vulnerabilities are fixed 1.0.1g, 3.0.9
vulnerability_assessed_at datetime Vulnerability assessment timestamp 2024-03-15T14:30:45Z

Post-Quantum & Compliance Fields

Field Name Type Description Example
pqc_support boolean Post-quantum cryptography support true, false
fips_validated boolean FIPS 140-2 validation status true, false

Certificate Events (asset_type=certificate)

Field Name Type Description Example
x509_serial_number string Certificate serial number 03:e8:f9:78:6c:6d:26:9c
x509_subject_common_name string Certificate subject CN www.example.com
x509_issuer_common_name string Certificate issuer CN DigiCert Global Root CA
x509_validity_not_before datetime Certificate valid from date 2024-01-01T00:00:00Z
x509_validity_not_after datetime Certificate expiration date 2025-01-01T00:00:00Z
x509_public_key_algorithm string Public key algorithm RSA, ECDSA, Ed25519
x509_public_key_size number Public key size in bits 2048, 256, 384
hash_sha256_certificate string Certificate SHA256 fingerprint a1b2c3d4e5f6...

Cipher Suite Events (asset_type=cipher_suite)

Field Name Type Description Example
server_address string Target server hostname/IP example.com, 192.168.1.100
server_port number Target server port 443, 22, 8443
cipher_suite string Negotiated cipher suite name TLS_AES_256_GCM_SHA384
protocol string TLS/SSL protocol version TLSv1.3, TLSv1.2
key_length_bits number Symmetric key length 256, 128
ephemeral_key_length_bits number Ephemeral key exchange length 2048, 256
negotiated_group string Key exchange group/curve X25519, secp256r1
tls_server_cipher string ECS-compliant cipher field ECDHE-RSA-AES256-GCM-SHA384
tls_server_protocol_version string ECS-compliant protocol field 1.3, 1.2

VPN & Network Asset Fields

Field Name Type Description Example
vpn_client_name string VPN client software name OpenVPN, Cisco AnyConnect
vpn_client_vendor string VPN software vendor OpenVPN Inc., Cisco Systems
vpn_client_version string VPN client version 2.6.5, 4.10.7
ipsec_tunnel_name string IPSec tunnel identifier site-to-site-tunnel-1
ipsec_implementation string IPSec implementation type strongSwan, Windows IPSec
vpn_security_score number VPN security assessment score (0-100) 85, 42, 91
vpn_risk_level string VPN security risk level low, medium, high, critical
vpn_pqc_vulnerable boolean VPN vulnerable to quantum attacks true, false
vpn_known_vulnerabilities string Comma-separated list of CVE IDs CVE-2023-1234,CVE-2023-5678
vpn_encryption_algorithm string VPN encryption algorithm in use AES-256-GCM, ChaCha20-Poly1305
vpn_authentication_algorithm string VPN authentication algorithm SHA-256, SHA-384
vpn_dns_leak_protection boolean DNS leak protection enabled true, false
vpn_kill_switch boolean Kill switch/network lock enabled true, false
ipsec_security_score number IPSec security assessment score (0-100) 78, 91, 34
ipsec_risk_level string IPSec security risk level low, medium, high, critical
ipsec_pqc_vulnerable boolean IPSec vulnerable to quantum attacks true, false
ipsec_encryption_algorithm string IPSec encryption algorithm AES-256-GCM, AES-128-CBC
ipsec_dh_group string Diffie-Hellman group used modp2048, secp256r1, x25519
ssh_host_key_type string SSH host key algorithm rsa, ecdsa, ed25519
ssh_host_key_fingerprint_sha256 string SSH host key SHA256 fingerprint SHA256:nThbg6k...

Keystore Certificate Events (asset_type=keystore_certificate)

Field Name Type Description Example
keystore_path string Full path to the keystore file /etc/ssl/server.p12, C:\\Certs\\app.pfx
keystore_type string Keystore format type PKCS12, JKS, Windows Certificate Store, macOS Keychain
keystore_accessible boolean Whether keystore was accessible for scanning true, false
keystore_requires_auth boolean Whether keystore requires authentication true, false
certificate_subject string Certificate subject DN CN=app.company.com, O=Company Inc
certificate_issuer string Certificate issuer DN CN=DigiCert Global Root CA
certificate_alias string Certificate alias/friendly name in keystore server-cert, app-signing-key
certificate_has_private_key boolean Whether certificate has associated private key true, false
certificate_not_after datetime Certificate expiration date 2025-12-31T23:59:59Z
vulnerability_is_vulnerable boolean Whether certificate has security vulnerabilities true, false
pqc_vulnerable boolean Whether certificate is vulnerable to quantum attacks true, false

Keystore Summary Events (asset_type=keystore)

Field Name Type Description Example
keystore_path string Full path to the keystore file /etc/ssl/cacerts, C:\\Windows\\System32\\Cert\\CurrentUser\\My
keystore_type string Keystore format type PKCS12, JKS, Windows Certificate Store, macOS Keychain
keystore_cert_count number Total number of certificates in keystore 15, 127, 3
keystore_stats_vulnerable_certificates number Number of vulnerable certificates in keystore 0, 3, 12
keystore_stats_pqc_vulnerable_certificates number Number of post-quantum vulnerable certificates 8, 15, 127
keystore_stats_expired_certificates number Number of expired certificates in keystore 0, 1, 5
keystore_owner string File owner (UNIX systems) root, www-data, ubuntu
keystore_permissions string File permissions (UNIX systems) 600, 644, 755
file_size number Keystore file size in bytes 4096, 65536, 1048576

Quantum Readiness Assessment Fields

Field Name Type Description Example
quantum_overall_score number Overall quantum readiness score (0-100) 75, 45, 92
quantum_system_type string System classification type enterprise_server, endpoint, iot_device
quantum_criticality_level string System criticality classification critical, high, medium, low
quantum_recommendations array Quantum readiness recommendations ["Upgrade OpenSSL to 3.x", "Implement hybrid certificates"]

Host Summary Events (asset_type=host_summary)

Provides a comprehensive one-line summary per host/port combination, aggregating certificates, cipher suites, and quantum readiness assessments.

Field Name Type Description Example
server_address string Target server hostname/IP example.com, 192.168.1.100
server_port number Target server port 443, 993, 8443
certificate_subject string Primary certificate Common Name *.example.com, api.service.com
certificate_issuer string Certificate Issuer Common Name Let's Encrypt Authority X3, DigiCert SHA2
certificate_expiry string Certificate expiration date (ISO 8601) 2024-12-15T23:59:59Z
certificate_signature_algorithm string Certificate signature algorithm RSA-SHA256, ECDSA-SHA256
cipher_count number Total number of supported cipher suites 15, 42, 8
supported_tls_versions array Supported TLS protocol versions ["TLSv1.2", "TLSv1.3"]
supported_kx_groups array Supported key exchange groups/curves ["X25519", "P-256", "X25519MLKEM768"]
supported_kx_algorithms array Key exchange algorithm types ["ECDHE_ECDSA", "N/A (TLS 1.3)"]
quantum_ready_kx boolean Host supports quantum-safe key exchange true, false
quantum_ready_cipher boolean Host supports quantum-safe cipher algorithms true, false
quantum_ready_cert boolean Host certificate uses quantum-safe algorithms true, false
quantum_ready boolean Overall quantum readiness (all components) true, false

📝 Usage Notes

  • • All datetime fields use ISO 8601 format with UTC timezone
  • • Boolean fields are represented as "true"/"false" strings in Splunk
  • • Array fields are JSON-encoded when present
  • • The observer object follows ECS (Elastic Common Schema) specification
  • • Certificate fields use x509_* prefix following ECS conventions
  • • TLS fields use tls_server_* prefix for ECS compliance
  • • Use event_id for deduplication and asset tracking across scans

Custom Data Model

TYCHON Quantum Readiness Data Model (datamodels.conf)

[TYCHON_ACDI_Crypto_Assets]
acceleration = true
acceleration.earliest_time = -30d
acceleration.max_time = 0

# Root search for all TYCHON Quantum Readiness data
search = sourcetype=tychon-acdi:* | eval asset_id=coalesce(tychon_source_id, certificate.source_id, tychon.certificate.source_id)

# Certificate lifecycle dataset
[TYCHON_ACDI_Crypto_Assets.Certificate_Lifecycle]
search = sourcetype=tychon-acdi:* asset_type=certificate | eval cert_id=asset_id, days_to_expiry=certificate_days_until_expiry

# Cipher analysis dataset  
[TYCHON_ACDI_Crypto_Assets.Cipher_Analysis]
search = sourcetype=tychon-acdi:* (asset_type=cipher OR isnotnull(cipher_info.algorithm)) | eval cipher_name=coalesce(cipher_info.full_name, tls.cipher)

# Security assessments dataset
[TYCHON_ACDI_Crypto_Assets.Security_Assessment]
search = sourcetype=tychon-acdi:* | eval risk_score=security_score, risk_level=security_level

Searches & Alerting

Certificate Lifecycle Monitoring

Certificate Monitoring

index=main sourcetype=tychon-acdi:crypto_assets x509_subject_common_name=*
| eval cert_expires_in = round((strptime(x509_validity_not_after, "%Y-%m-%dT%H:%M:%S") - now()) / 86400)
| eval severity = case(cert_expires_in < 0, "EXPIRED", cert_expires_in <= 7, "CRITICAL", cert_expires_in <= 30, "WARNING", "OK")
| table _time, server_address, server_port, x509_subject_common_name, x509_issuer_common_name, 
        x509_validity_not_after, cert_expires_in, severity
| sort cert_expires_in asc

Schedule: Every 5 minutes | Action: Email security team

Certificate Expiry Warning (30 days)

sourcetype=certscanner:* 
| where certificate_days_until_expiry <= 30 AND certificate_days_until_expiry > 0
| dedup certscanner_source_id
| eval expiry_category=case(
    certificate_days_until_expiry <= 7, "Critical (1 week)",
    certificate_days_until_expiry <= 14, "High (2 weeks)", 
    certificate_days_until_expiry <= 30, "Medium (1 month)")
| table _time, host, dest_ip, dest_port, cert_subject_cn, cert_issuer_cn,
        certificate_days_until_expiry, expiry_category, x509.not_after
| sort certificate_days_until_expiry asc

Schedule: Daily at 8 AM | Action: Slack notification

Certificate Inventory & Tracking

sourcetype=certscanner:* asset_type=certificate
| stats earliest(_time) as first_seen, latest(_time) as last_seen, 
        dc(_time) as scan_count,
        latest(certificate_status) as current_status,
        latest(certificate_days_until_expiry) as days_until_expiry,
        latest(security_score) as security_score,
        latest(x509.not_after) as expiry_date
        by certscanner_source_id, cert_subject_cn, cert_issuer_cn, host, dest_ip
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M"),
       expiry_date=strftime(strptime(expiry_date, "%Y-%m-%dT%H:%M:%S"), "%Y-%m-%d")
| sort security_score asc, days_until_expiry asc

Cipher Security Analysis

TLS Cipher Security Analysis

index=main sourcetype=tychon-acdi:crypto_assets event_type="cipher_suite_discovered"
| eval weak_cipher = case(
    match(cipher_suite, "(?i)(3des|des|rc4|md5)"), "WEAK_ALGORITHM",
    key_length_bits < 128, "WEAK_KEY_SIZE", 
    match(tls_server_protocol_version, "(?i)(ssl|tls1\.0|tls1\.1)"), "WEAK_PROTOCOL",
    "ACCEPTABLE")
| where weak_cipher != "ACCEPTABLE"
| table _time, server_address, server_port, cipher_suite, tls_server_protocol_version,
        key_length_bits, negotiated_group, weak_cipher
| sort _time desc

Schedule: Every 15 minutes | Action: Create incident in ServiceNow

Post-Quantum Cryptography Assessment

sourcetype=certscanner:* pqc_vulnerable=true
| stats count as vulnerable_instances,
        dc(certscanner_source_id) as unique_assets,
        values(cipher_info.algorithm) as vulnerable_algorithms,
        values(host) as affected_hosts,
        latest(security_score) as avg_security_score
        by dest_ip, dest_port, cipher_suite
| eval pqc_risk="HIGH", 
       remediation="Migrate to PQC-ready cipher suites"
| sort vulnerable_instances desc

Cipher Suite Distribution

sourcetype=certscanner:* 
| stats count as usage_count,
        dc(host) as host_count,
        dc(dest_ip) as target_count,
        avg(security_score) as avg_security_score,
        values(cipher_info.key_size) as key_sizes
        by cipher_info.algorithm, cipher_info.key_exchange, cipher_info.hash
| eval cipher_summary=cipher_info.algorithm + "-" + cipher_info.key_exchange + "-" + cipher_info.hash
| sort usage_count desc

Security Operations Searches

Security Score Trending

sourcetype=certscanner:* 
| bin _time span=1d
| stats avg(security_score) as avg_score,
        min(security_score) as min_score,
        max(security_score) as max_score,
        dc(certscanner_source_id) as asset_count,
        count(eval(security_score < 50)) as high_risk_count,
        count(eval(pqc_vulnerable==true)) as pqc_vulnerable_count
        by _time
| eval pqc_vulnerable_pct=round((pqc_vulnerable_count/asset_count)*100, 2),
       high_risk_pct=round((high_risk_count/asset_count)*100, 2)
| sort _time

Asset Discovery Summary

sourcetype=certscanner:* 
| stats count as total_discoveries,
        dc(certscanner_source_id) as unique_assets,
        dc(host) as scanning_hosts,
        dc(dest_ip) as target_servers,
        values(asset_type) as asset_types,
        earliest(_time) as first_scan,
        latest(_time) as last_scan
| eval scan_duration=tostring(last_scan-first_scan, "duration"),
       discovery_rate=round(total_discoveries/(last_scan-first_scan)*86400, 2) + " discoveries/day"
| table unique_assets, total_discoveries, scanning_hosts, target_servers, 
        asset_types, discovery_rate, scan_duration

High-Risk Asset Report

sourcetype=certscanner:* 
| where security_score < 50 OR certificate_status="expired" OR pqc_vulnerable==true
| dedup certscanner_source_id
| eval risk_reasons=mvappend(
    if(security_score < 30, "Critical Security Score (" + security_score + ")", null()),
    if(certificate_status="expired", "Expired Certificate", null()),
    if(certificate_status="expiring_soon", "Certificate Expiring Soon", null()),
    if(pqc_vulnerable==true, "PQC Vulnerable", null()),
    if(match(cipher_info.algorithm, "(?i)(3des|des|rc4)"), "Weak Algorithm", null())
)
| table _time, host, dest_ip, dest_port, asset_type, cert_subject_cn,
        cipher_suite, security_score, certificate_status, 
        certificate_days_until_expiry, pqc_vulnerable, risk_reasons
| sort security_score asc

Splunk Dashboards

Executive Security Dashboard

Dashboard XML (Simple XML)

<dashboard>
  <label>TYCHON Quantum Readiness - Executive Crypto Security Overview</label>
  <description>High-level cryptographic security posture metrics</description>
  
  <row>
    <panel>
      <single>
        <title>Total Crypto Assets</title>
        <search>
          <query>
            sourcetype=certscanner:* 
            | stats dc(certscanner_source_id) as asset_count
          </query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
      </single>
    </panel>
    
    <panel>
      <single>
        <title>Average Security Score</title>
        <search>
          <query>
            sourcetype=certscanner:* 
            | stats avg(security_score) as avg_score
            | eval avg_score=round(avg_score, 1)
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0xDC4E41","0xF1813F","0x53A051"]</option>
        <option name="rangeValues">[50,80]</option>
      </single>
    </panel>
    
    <panel>
      <single>
        <title>PQC Vulnerable Assets</title>
        <search>
          <query>
            sourcetype=certscanner:* pqc_vulnerable=true
            | stats latest(_time) as latest_time, latest(*) as * by event_id, observer.id
            | eval _time=latest_time
            | stats dc(event_id) as pqc_vulnerable_count
          </query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="colorBy">value</option>
        <option name="rangeColors">["0x53A051","0xF1813F","0xDC4E41"]</option>
        <option name="rangeValues">[10,50]</option>
      </single>
    </panel>
  </row>
  
  <row>
    <panel>
      <chart>
        <title>Security Level Distribution</title>
        <search>
          <query>
            sourcetype=certscanner:*
            | stats latest(_time) as latest_time, latest(*) as * by event_id, observer.id
            | eval _time=latest_time
            | stats dc(event_id) as count by security_level
            | eval security_level=upper(security_level)
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.showPercent">true</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
    
    <panel>
      <chart>
        <title>Certificate Status Breakdown</title>
        <search>
          <query>
            sourcetype=certscanner:* asset_type=certificate
            | stats latest(_time) as latest_time, latest(*) as * by event_id, observer.id
            | eval _time=latest_time
            | stats dc(event_id) as count by certificate_status
            | eval certificate_status=case(
                certificate_status="valid", "Valid",
                certificate_status="expiring_warning", "Expiring (90 days)",
                certificate_status="expiring_soon", "Expiring (30 days)", 
                certificate_status="expired", "EXPIRED",
                true(), "Unknown")
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.axisTitleY.text">Certificate Count</option>
      </chart>
    </panel>
  </row>
</dashboard>

Security Operations Dashboard

Key Operational Searches

Real-time Certificate Events
sourcetype=certscanner:* | timechart span=1h count by certificate_status
Top Cipher Algorithms by Usage
sourcetype=certscanner:* | top limit=10 cipher_info.algorithm by dest_ip
Geographic Security Distribution
sourcetype=certscanner:* | iplocation dest_ip | stats avg(security_score) as avg_score by Country | geostats latfield=lat longfield=lon avg_score
Host Coverage Analysis
sourcetype=certscanner:*
| stats latest(_time) as latest_time, latest(*) as * by event_id, observer.id
| eval _time=latest_time
| stats dc(event_id) as assets, latest(_time) as last_scan by observer.hostname
| eval last_scan=strftime(last_scan, "%Y-%m-%d %H:%M")
| sort assets desc

Advanced Analytics & Reporting

Machine Learning Anomaly Detection

# Detect unusual cipher patterns using MLTK
sourcetype=tychon-acdi:* 
| eval hour=strftime(_time, "%H"), 
       day_of_week=strftime(_time, "%a")
| stats count as cipher_count,
        avg(security_score) as avg_security_score
        by hour, day_of_week, cipher_info.algorithm, dest_ip
| fit DensityFunction cipher_count avg_security_score into crypto_baseline_model
| apply crypto_baseline_model
| where 'ProbabilityDensity(cipher_count,avg_security_score)' < 0.01
| table _time, dest_ip, cipher_info.algorithm, cipher_count, avg_security_score

Compliance Reporting

# Generate compliance report for security frameworks
sourcetype=tychon-acdi:* 
| eval compliance_status=case(
    security_score >= 80 AND pqc_vulnerable==false AND certificate_status="valid", "COMPLIANT",
    security_score >= 60 AND certificate_status!="expired", "PARTIAL",
    true(), "NON_COMPLIANT"
)
| stats count as asset_count,
        avg(security_score) as avg_score,
        count(eval(compliance_status="COMPLIANT")) as compliant_count,
        count(eval(compliance_status="NON_COMPLIANT")) as non_compliant_count
        by host, asset_type
| eval compliance_percentage=round((compliant_count/asset_count)*100, 2)
| sort compliance_percentage asc

Risk Heat Map

# Create risk heat map by host and service
sourcetype=tychon-acdi:* 
| stats avg(security_score) as avg_security_score,
        count(eval(certificate_status="expired")) as expired_certs,
        count(eval(pqc_vulnerable==true)) as pqc_vulnerable_assets,
        dc(certscanner_source_id) as total_assets
        by host, dest_ip, dest_port
| eval risk_multiplier=1 + (expired_certs*0.5) + (pqc_vulnerable_assets*0.3),
       adjusted_risk_score=round(avg_security_score/risk_multiplier, 1),
       service=dest_ip + ":" + dest_port
| where total_assets > 0
| sort adjusted_risk_score asc

Splunk Capacity Planning for Enhanced Data Collection

Critical: Splunk's Time-Series Only Architecture

Unlike Elasticsearch, Splunk operates as a time-series database where every scan creates a new event. There are no upsert capabilities - each discovery of a certificate, cipher suite, VPN client, or IPSec policy creates a separate timestamped record. This architecture significantly impacts data volume and licensing costs.

Key Implications:

  • No data deduplication: Every scan iteration creates new events
  • Linear volume growth: Daily data volume = scan frequency × discovered assets
  • License consumption: All data counts toward daily ingestion limits
  • Storage costs: Retention period directly multiplies storage requirements

Data Volume Analysis by Asset Type

Per-Asset Data Sizes (NDJSON Format)

Asset Type Size per Event Fields Count Example Discovery Rate
X.509 Certificate 2.8 KB 45+ 2-5 per host/port combination
TLS Cipher Suite 1.2 KB 25+ 10-40 per TLS service
Crypto Library 1.8 KB 30+ 5-15 per system scan
VPN Client Instance 2.1 KB 35+ 1-3 per endpoint
IPSec Policy 1.5 KB 28+ 2-8 per VPN gateway
SSH Host Key 1.4 KB 22+ 3-6 per SSH service
Network Service 0.8 KB 18+ Variable per port scan

Daily Volume Projections by Environment Size

Environment Endpoints Scan Frequency Assets per Scan Daily Volume Monthly Volume
Small 100 4x daily ~25/endpoint 180 MB 5.4 GB
Medium 1,000 6x daily ~30/endpoint 3.2 GB 96 GB
Large 10,000 8x daily ~35/endpoint 50 GB 1.5 TB
Enterprise 50,000 12x daily ~40/endpoint 430 GB 13 TB
Volume Calculation Formula
Daily Volume = Endpoints × Scan Frequency × Avg Assets per Endpoint × Avg Event Size

*Actual volumes may vary based on network topology, service diversity, and certificate chain complexity

Splunk Licensing Cost Analysis

Daily Ingestion vs. Splunk License Tiers

Splunk License Daily Limit Approx. Cost/Year Endpoints Supported Usage Scenario
Splunk Free 500 MB $0 ~280 (4x daily) Testing and proof of concept only
Splunk Cloud 5GB 5 GB ~$108,000 ~1,500 Small to medium enterprise
Splunk Cloud 20GB 20 GB ~$360,000 ~6,000 Medium to large enterprise
Splunk Cloud 100GB 100 GB ~$1,440,000 ~11,000 Large enterprise
Splunk Cloud 500GB 500 GB ~$5,760,000 ~35,000 Global enterprise
⚠️ License Overage Penalties
  • Warning threshold: 80% of daily license quota
  • Search blocking: Occurs at 110% of daily limit
  • Overage fees: $150-200 per GB above licensed capacity
  • Automatic upgrades: May trigger forced license tier increases

Cost Impact by Data Collection Strategy

💰 Reduced Frequency Scanning

Strategy: Scan critical assets 2-4x daily, others weekly

Volume Reduction: 60-70% compared to uniform frequency

License Impact: Can fit larger environments in smaller tiers

Trade-off: Reduced visibility into rapid changes

📊 Summary Indexing

Strategy: Pre-aggregate daily/weekly statistics

Volume Reduction: 90%+ for historical trend analysis

License Impact: Minimal ongoing ingestion

Trade-off: Loss of granular event detail

⏱️ Retention Optimization

Strategy: 30-day hot, 90-day warm, 1-year cold

Volume Impact: Doesn't affect ingestion licensing

Storage Cost: Significant reduction in cloud storage

Trade-off: Slower access to historical data

🎯 Selective Asset Monitoring

Strategy: Focus on internet-facing and critical systems

Volume Reduction: 40-60% depending on environment

License Impact: Proportional reduction in daily ingestion

Trade-off: Incomplete asset visibility

Cloud Storage and Infrastructure Scaling

Splunk Cloud Storage Cost Analysis

Retention Period Small (5GB/day) Medium (20GB/day) Large (100GB/day) Enterprise (500GB/day)
30 Days 150 GB
+$3,600/year		 600 GB
+$14,400/year		 3 TB
+$72,000/year		 15 TB
+$360,000/year
90 Days 450 GB
+$10,800/year		 1.8 TB
+$43,200/year		 9 TB
+$216,000/year		 45 TB
+$1,080,000/year
1 Year 1.8 TB
+$43,200/year		 7.3 TB
+$175,200/year		 36.5 TB
+$876,000/year		 182.5 TB
+$4,380,000/year
3 Years 5.5 TB
+$132,000/year		 22 TB
+$528,000/year		 110 TB
+$2,640,000/year		 550 TB
+$13,200,000/year
💾 Storage Cost Assumptions
  • Hot Storage: $24/TB/month (first 30 days)
  • Warm Storage: $12/TB/month (31-90 days)
  • Cold Storage: $6/TB/month (90+ days)
  • Compression ratio: ~70% for NDJSON time-series data

Cost Optimization Strategies

Summary Indexing for Long-term Analytics

Summary Indexing Strategy

Pre-aggregate crypto asset data into summary indices to reduce long-term storage costs while maintaining analytical capabilities.

Daily Security Score Summary
# Create daily security score aggregations
index=main sourcetype=tychon-acdi:*
| bucket _time span=1d
| stats avg(security_score) as avg_score,
        min(security_score) as min_score,
        max(security_score) as max_score,
        count(eval(pqc_vulnerable==true)) as pqc_vulnerable_count,
        count(eval(certificate_status="expired")) as expired_cert_count,
        dc(certscanner_source_id) as unique_assets
        by _time, host, asset_type
| eval summary_type="daily_security_metrics"
| collect index=summary_crypto_security

Run daily via scheduled search. Reduces volume by ~95% while maintaining trend visibility.

Weekly Certificate Lifecycle Summary
# Aggregate certificate lifecycle events by week
index=main sourcetype=tychon-acdi:* asset_type=certificate
| bucket _time span=1w
| stats first(x509_validity_not_after) as expiry_date,
        avg(certificate_days_until_expiry) as avg_days_to_expiry,
        values(certificate_status) as status_changes,
        count as total_observations,
        latest(security_score) as latest_score
        by _time, certscanner_source_id, cert_subject_cn
| eval summary_type="weekly_certificate_lifecycle"
| collect index=summary_crypto_certificates

Run weekly. Compresses ~168 hourly observations into 1 summary record.

Monthly Cipher Distribution Summary
# Monthly cipher algorithm and usage patterns
index=main sourcetype=tychon-acdi:*
| bucket _time span=1mon
| stats count as usage_count,
        avg(security_score) as avg_security_score,
        dc(server_address) as unique_servers,
        values(tls_server_protocol_version) as tls_versions
        by _time, cipher_suite, key_length_bits
| eval summary_type="monthly_cipher_distribution",
       month_year=strftime(_time, "%Y-%m")
| collect index=summary_crypto_ciphers

Run monthly. Provides long-term cipher evolution trends with 99%+ space savings.

Index Lifecycle Management (ILM) Configuration

# indexes.conf - Crypto asset data retention strategy

[main]
# Raw crypto asset events - optimized for recent analysis
homePath = $SPLUNK_DB/db/main/db
coldPath = $SPLUNK_DB/db/main/colddb
thawedPath = $SPLUNK_DB/db/main/thaweddb
maxDataSize = auto_high_volume
maxHotBuckets = 10
maxWarmDBCount = 300
# Hot: 7 days, Warm: 83 days, Cold: 270 days (1 year total)
maxHotSpanSecs = 604800
maxWarmDBCount = 300
frozenTimePeriodInSecs = 31536000

[summary_crypto_security]
# Daily summaries - longer retention for trending
homePath = $SPLUNK_DB/db/summary_security/db
coldPath = $SPLUNK_DB/db/summary_security/colddb
maxDataSize = auto
# 3 year retention for compliance and trend analysis
frozenTimePeriodInSecs = 94608000
maxHotSpanSecs = 2592000  # 30 days hot
maxWarmDBCount = 100

[summary_crypto_certificates]
# Certificate lifecycle summaries
homePath = $SPLUNK_DB/db/summary_certs/db
coldPath = $SPLUNK_DB/db/summary_certs/colddb
maxDataSize = auto
# 5 year retention for certificate management
frozenTimePeriodInSecs = 157680000
maxHotSpanSecs = 7776000  # 90 days hot

[summary_crypto_ciphers]
# Cipher evolution summaries
homePath = $SPLUNK_DB/db/summary_ciphers/db
coldPath = $SPLUNK_DB/db/summary_ciphers/colddb
maxDataSize = auto
# 7 year retention for cryptographic compliance
frozenTimePeriodInSecs = 220752000
maxHotSpanSecs = 15552000  # 180 days hot

Volume Reduction Through Strategic Retention

Index Strategy Retention Period Volume Reduction Cost Impact Use Case
Raw Events Only 1 Year 0% (baseline) $$$$$ Real-time operations, forensics
Raw + Daily Summaries 90d raw + 3y summary 75% $$$$ Balanced operations + trends
Raw + Weekly Summaries 30d raw + 2y summary 85% $$$ Cost-optimized with trends
Tiered Summaries 30d raw + multi-tier 92% $$ Maximum cost efficiency
Summary Only 5y aggregated data 97% $ Long-term compliance only
💡 Recommended Approach: Hybrid Strategy

Hot data: 30 days raw events for operational needs

Warm data: 90 days daily summaries for trend analysis

Cold data: 3+ years weekly/monthly summaries for compliance

Cost savings: 85-90% reduction vs. raw-only retention

Deployment Best Practices

Index Management

  • Index: Use dedicated security or certscanner index
  • Retention: 90 days for operational data, 1 year for compliance
  • Volume: ~100-500 MB/day per 1000 scanned assets
  • Acceleration: Enable for data models and common searches

Performance Optimization

  • Summary indexing: Pre-calculate daily/weekly metrics
  • Field extraction: Use INDEXED_EXTRACTIONS for high-volume
  • Bloom filters: Enable for frequently searched fields
  • Bucket optimization: Size buckets for time-based searches

Security & Access

  • Role-based access: Limit certificate data to security teams
  • Data masking: Mask sensitive certificate details if needed
  • Audit logging: Track access to cryptographic asset data
  • Integration security: Use SSL for HEC and API connections

Automation & Scheduling

  • Saved searches: Schedule certificate expiry reports
  • Alerting: Real-time notifications for critical findings
  • Report delivery: Automated PDF reports to stakeholders
  • API integration: REST API for external system integration

Sample SPL Queries

Certificate Lifecycle Analysis

# Track certificate changes over time
sourcetype=tychon-acdi:* asset_type=certificate
| eval cert_key=dest_ip + ":" + dest_port + ":" + cert_subject_cn
| stats values(_time) as scan_times,
        values(security_score) as security_scores,
        values(certificate_status) as statuses,
        values(certificate_days_until_expiry) as expiry_days
        by cert_key, certscanner_source_id
| eval lifecycle_events=mvcount(scan_times),
       score_variance=max(security_scores) - min(security_scores)
| where lifecycle_events > 1
| sort score_variance desc

Network Cipher Security Assessment

# Analyze cipher security across network segments
sourcetype=tychon-acdi:* 
| rex field=dest_ip "(?<network_segment>\d+\.\d+\.\d+)\.\d+"
| stats avg(security_score) as avg_score,
        count(eval(pqc_vulnerable==true)) as pqc_vulnerable,
        count(eval(security_score < 50)) as weak_crypto,
        values(cipher_info.algorithm) as algorithms,
        dc(dest_ip) as unique_hosts
        by network_segment
| eval pqc_risk_pct=round((pqc_vulnerable/unique_hosts)*100, 1),
       weak_crypto_pct=round((weak_crypto/unique_hosts)*100, 1)
| sort avg_score asc

Asset Discovery Timeline

# Track new asset discoveries
sourcetype=tychon-acdi:*
| stats earliest(_time) as first_seen by certscanner_source_id, asset_type, host, dest_ip
| eval days_since_discovery=round((now()-first_seen)/86400, 1)
| where days_since_discovery <= 7
| eval discovery_date=strftime(first_seen, "%Y-%m-%d %H:%M")
| table discovery_date, days_since_discovery, asset_type, host, dest_ip, certscanner_source_id
| sort first_seen desc