Comprehensive cryptographic asset monitoring and analysis in Splunk
TYCHON Quantum Readiness provides comprehensive cryptographic asset visibility in Splunk Enterprise through structured log ingestion, custom data models, and purpose-built searches and dashboards.
NDJSON and JSON log formats with structured field extraction
SPL queries for certificate lifecycle and cipher analysis
Executive and operational views with drill-down capabilities
# Generate NDJSON logs for Splunk monitoring
.\cryptographic-analyzer-windows-amd64.exe -host example.com -ports 443,22,8443 -cipherscan `
-outputformat flatndjson -output C:\var\log\cryptographic-analyzer\crypto-assets.ndjson
# Scheduled scanning with log rotation
.\cryptographic-analyzer-windows-amd64.exe -mode local -scanfilesystem -scanconnected -scanmemory `
-outputformat flatndjson -output C:\Program` Files\SplunkUniversalForwarder\var\log\cryptographic-analyzer\daily-scan.ndjson
# Generate NDJSON logs for Splunk monitoring
./cryptographic-analyzer-linux-x64 -host example.com -ports 443,22,8443 -cipherscan \
-outputformat flatndjson -output /var/log/cryptographic-analyzer/crypto-assets.ndjson
# Scheduled scanning with log rotation
./cryptographic-analyzer-linux-x64 -mode local -scanfilesystem -scanconnected -scanmemory \
-outputformat flatndjson -output /opt/splunk/var/log/cryptographic-analyzer/daily-scan.ndjson
# Generate NDJSON logs for Splunk monitoring
./cryptographic-analyzer-darwin-amd64 -host example.com -ports 443,22,8443 -cipherscan \
-outputformat flatndjson -output /var/log/cryptographic-analyzer/crypto-assets.ndjson
# Scheduled scanning with log rotation (no memory scanning on macOS)
./cryptographic-analyzer-darwin-amd64 -mode local -scanfilesystem -scanconnected \
-outputformat flatndjson -output /opt/splunk/var/log/cryptographic-analyzer/daily-scan.ndjson
# Monitor TYCHON Quantum Readiness NDJSON logs
[monitor:///var/log/cryptographic-analyzer/*.ndjson]
disabled = false
sourcetype = cryptographic-analyzer:crypto_assets
index = security
host_segment = 4
# Monitor JSON reports
[monitor:///opt/cryptographic-analyzer/reports/*.json]
disabled = false
sourcetype = cryptographic-analyzer:scan_report
index = security
host_segment = 4
# Monitor Tychon format logs
[monitor:///var/log/cryptographic-analyzer/*.tychon.ndjson]
disabled = false
sourcetype = cryptographic-analyzer:tychon
index = security
host_segment = 4
# Enable HEC in Splunk Web UI:
# Settings > Data Inputs > HTTP Event Collector > New Token
# Name: tychon-crypto-assets
# Source type: tychon-acdi:crypto_assets
# Index: tychon-crypto
# Enable indexer acknowledgment: Recommended
# Direct HEC integration with authentication token
.\cryptographic-analyzer-windows-amd64.exe -host example.com -ports 443,22,8443 -cipherscan `
-posttosplunk -splunkurl "https://splunk.company.com:8088" `
-splunktoken "YOUR_HEC_TOKEN_HERE" -splunkindex "tychon-crypto"
# Using environment variables for security
$env:SPLUNK_URL="https://splunk.company.com:8088"
$env:SPLUNK_TOKEN="YOUR_HEC_TOKEN_HERE"
$env:SPLUNK_INDEX="tychon-crypto"
.\cryptographic-analyzer-windows-amd64.exe -host example.com -cipherscan -posttosplunk
# Secure configuration storage (recommended for production)
.\cryptographic-analyzer-windows-amd64.exe -config `
-config-splunkurl "https://splunk.company.com:8088" `
-config-splunktoken "YOUR_HEC_TOKEN_HERE" `
-config-splunkindex "tychon-crypto"
# Use stored configuration
.\cryptographic-analyzer-windows-amd64.exe -host example.com -cipherscan -posttosplunk
# Direct HEC integration with authentication token
./cryptographic-analyzer-linux-x64 -host example.com -ports 443,22,8443 -cipherscan \
-posttosplunk -splunkurl "https://splunk.company.com:8088" \
-splunktoken "YOUR_HEC_TOKEN_HERE" -splunkindex "tychon-crypto"
# Using environment variables for security
export SPLUNK_URL="https://splunk.company.com:8088"
export SPLUNK_TOKEN="YOUR_HEC_TOKEN_HERE"
export SPLUNK_INDEX="tychon-crypto"
./cryptographic-analyzer-linux-x64 -host example.com -cipherscan -posttosplunk
# Secure configuration storage (recommended for production)
./cryptographic-analyzer-linux-x64 -config \
-config-splunkurl "https://splunk.company.com:8088" \
-config-splunktoken "YOUR_HEC_TOKEN_HERE" \
-config-splunkindex "tychon-crypto"
# Use stored configuration
./cryptographic-analyzer-linux-x64 -host example.com -cipherscan -posttosplunk
# Skip SSL verification for self-signed certificates (use with caution)
./cryptographic-analyzer-linux-x64 -host example.com -cipherscan -posttosplunk -insecure
# Direct HEC integration with authentication token
./cryptographic-analyzer-darwin-amd64 -host example.com -ports 443,22,8443 -cipherscan \
-posttosplunk -splunkurl "https://splunk.company.com:8088" \
-splunktoken "YOUR_HEC_TOKEN_HERE" -splunkindex "tychon-crypto"
# Using environment variables for security
export SPLUNK_URL="https://splunk.company.com:8088"
export SPLUNK_TOKEN="YOUR_HEC_TOKEN_HERE"
export SPLUNK_INDEX="tychon-crypto"
./cryptographic-analyzer-darwin-amd64 -host example.com -cipherscan -posttosplunk
# Secure configuration storage (recommended for production)
./cryptographic-analyzer-darwin-amd64 -config \
-config-splunkurl "https://splunk.company.com:8088" \
-config-splunktoken "YOUR_HEC_TOKEN_HERE" \
-config-splunkindex "tychon-crypto"
# Use stored configuration
./cryptographic-analyzer-darwin-amd64 -host example.com -cipherscan -posttosplunk
Content-Encoding: gzip), reducing payload size by 60–80%Reverse Proxy Note
Scan results are sent to Splunk HEC with gzip compression enabled by default (Content-Encoding: gzip). If your Splunk HEC endpoint sits behind a reverse proxy (nginx, HAProxy, AWS ALB, etc.) that strips or does not forward the Content-Encoding header, Splunk will receive compressed data it cannot decode and return HTTP 400 errors. Add -no-compress to disable compression in those environments.
# Full HEC configuration example
./cryptographic-analyzer-linux-x64 -host example.com -cipherscan \
-posttosplunk \
-splunkurl "https://splunk.company.com:8088" \
-splunktoken "YOUR_HEC_TOKEN_HERE" \
-splunkindex "tychon-crypto" \
-splunksource "tychon-scanner" \
-splunksourcetype "tychon-acdi:crypto_assets" \
-splunkbatch 50 \
-splunktimeout 30
# Basic authentication instead of token
./cryptographic-analyzer-linux-x64 -host example.com -cipherscan \
-posttosplunk \
-splunkurl "https://splunk.company.com:8088" \
-splunkusername "splunk_user" \
-splunkpassword "secure_password" \
-splunkindex "tychon-crypto"
# Environment variables for all HEC settings
export SPLUNK_URL="https://splunk.company.com:8088"
export SPLUNK_TOKEN="YOUR_HEC_TOKEN_HERE"
export SPLUNK_INDEX="tychon-crypto"
export SPLUNK_SOURCE="tychon-scanner"
export SPLUNK_SOURCETYPE="tychon-acdi:crypto_assets"
export SPLUNK_BATCH="100"
export SPLUNK_TIMEOUT="60"
./cryptographic-analyzer-linux-x64 -host example.com -cipherscan -posttosplunk
# Stream directly to Splunk HEC
.\cryptographic-analyzer-windows-amd64.exe -host example.com -cipherscan -outputformat flatndjson | `
Invoke-RestMethod -Uri "https://splunk.company.com:8088/services/collector/raw" `
-Method POST `
-Headers @{"Authorization" = "Splunk $env:HEC_TOKEN"} `
-ContentType "application/json" `
-Body $input
# Scheduled task approach (use Task Scheduler instead of cron)
# See Task Scheduler configuration section below
# Stream directly to Splunk HEC
./cryptographic-analyzer-linux-x64 -host example.com -cipherscan -outputformat flatndjson | \
curl -k "https://splunk.company.com:8088/services/collector/raw" \
-H "Authorization: Splunk $HEC_TOKEN" \
-H "Content-Type: application/json" \
--data-binary @-
# Scheduled scan with HEC posting
*/30 * * * * /opt/cryptographic-analyzer/cryptographic-analyzer-linux-x64 -mode local -scanconnected -scanmemory \
-outputformat flatndjson | \
curl -k "https://splunk.company.com:8088/services/collector/raw" \
-H "Authorization: Splunk $HEC_TOKEN" \
-H "Content-Type: application/json" \
--data-binary @-
# Stream directly to Splunk HEC
./cryptographic-analyzer-darwin-amd64 -host example.com -cipherscan -outputformat flatndjson | \
curl -k "https://splunk.company.com:8088/services/collector/raw" \
-H "Authorization: Splunk $HEC_TOKEN" \
-H "Content-Type: application/json" \
--data-binary @-
# Scheduled scan with HEC posting (no memory scanning on macOS)
*/30 * * * * /opt/cryptographic-analyzer/cryptographic-analyzer-darwin-amd64 -mode local -scanconnected \
-outputformat flatndjson | \
curl -k "https://splunk.company.com:8088/services/collector/raw" \
-H "Authorization: Splunk $HEC_TOKEN" \
-H "Content-Type: application/json" \
--data-binary @-
#!/bin/bash
# Deploy TYCHON Quantum Readiness with Universal Forwarder
# Create log directory
mkdir -p /opt/cryptographic-analyzer/logs
# Schedule TYCHON Quantum Readiness execution
cat << 'EOF' > /etc/cron.d/cryptographic-analyzer
# TYCHON Quantum Readiness crypto asset monitoring
0 */6 * * * root /opt/cryptographic-analyzer/cryptographic-analyzer -mode local -scanfilesystem -scanconnected -outputformat flatndjson -output /opt/cryptographic-analyzer/logs/crypto-assets-$(date +\%Y\%m\%d-\%H\%M).ndjson
0 2 * * * root /opt/cryptographic-analyzer/cryptographic-analyzer -arpscan -cipherscan -outputformat flatndjson -output /opt/cryptographic-analyzer/logs/network-scan-$(date +\%Y\%m\%d).ndjson
EOF
# Configure Universal Forwarder
cat << 'EOF' > $SPLUNK_HOME/etc/system/local/inputs.conf
[monitor:///opt/cryptographic-analyzer/logs/*.ndjson]
disabled = false
sourcetype = cryptographic-analyzer:crypto_assets
index = security
host = cryptographic_analyzer_agent
[monitor:///var/log/cryptographic-analyzer/*.json]
disabled = false
sourcetype = cryptographic-analyzer:scan_report
index = security
host = cryptographic_analyzer_agent
EOF
Starting with version 2.0.3, all Splunk events are delivered in a flat NDJSON format (one JSON object per line per event) via the Splunk HEC endpoint. Each event carries an event.dataset field identifying its type. This format is shared with the Elasticsearch and Kafka connectors, ensuring field-name consistency across all output destinations.
Two additional Splunk-specific sourcetypes are also emitted alongside the default sourcetype:
tychon:application — One event per application with active crypto connections, including preferred protocol, key exchange, quantum readiness grade, and linked certificate fingerprintstychon:pqc_inventory — Per-cipher PQC inventory events for each scanned port, detailing CNSA 2.0 classification, quantum risk level, and FIPS-140-3 / PCI-DSS complianceSee the Capacity Planning section for a complete event dataset reference with per-event sizes and typical counts per scan type.
x509_subject_common_namex509_issuer_common_namex509_validity_not_before / x509_validity_not_afterx509_public_key_algorithm / x509_public_key_sizex509_public_key_curvex509_subject_alternative_names_dnshash_sha1_certificate / hash_sha256_certificatetls_server_cipher / tls_server_protocol_versiontls_server_negotiated_groupcipher_suite / key_length_bitsephemeral_key_length_bitsalpn_protocol / session_idcompression_method / is_preferredextended_master_secret_supportedserver_address / server_portserver_domainnetwork_transport / network_protocoltarget_host / target_domainport / protocoltychon_cipher_negotiation (full object)tychon_cipher_intelligenceobserver.hostname / observer.versionobserver.os.name / observer.architectureobserver.bigfix_client_installed / observer.bigfix_client_idevent_type (cipher_suite_discovered){
"@timestamp": "2025-09-11T18:02:29Z",
"event_type": "cipher_suite_discovered",
"server_address": "github.com",
"server_port": 443,
"cipher_suite": "TLS_AES_128_GCM_SHA256",
"tls_server_cipher": "TLS_AES_128_GCM_SHA256",
"tls_server_protocol_version": "TLSv1.3",
"key_length_bits": 128,
"x509_subject_common_name": "github.com",
"x509_issuer_common_name": "DigiCert TLS Hybrid ECC SHA384 2020 CA1",
"x509_validity_not_after": "2025-03-10T23:59:59.000Z",
"x509_public_key_algorithm": "ECDSA",
"x509_public_key_size": 256,
"x509_public_key_curve": "P-256",
"observer": {
"hostname": "scanner01",
"vendor": "TYCHON",
"version": "1.0.48",
"os": {"name": "linux", "platform": "ubuntu"}
},
"tychon_cipher_negotiation": { /* complete cipher details */ },
"tychon_cipher_intelligence": { /* security analysis */ }
}
# TYCHON Quantum Readiness source types configuration
[tychon-acdi:crypto_assets]
KV_MODE = json
AUTO_KV_JSON = true
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 100000
TIME_PREFIX = "timestamp"\s*:\s*"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 30
category = Application
description = TYCHON Quantum Readiness crypto assets in NDJSON format
# Field aliases for common searches (updated for comprehensive data structure)
FIELDALIAS-cryptographic_analyzer_host = observer.hostname AS host
FIELDALIAS-cryptographic_analyzer_dest = server_address AS dest_ip, server_port AS dest_port
FIELDALIAS-cryptographic_analyzer_cert_cn = x509_subject_common_name AS cert_subject_cn
FIELDALIAS-cryptographic_analyzer_cert_issuer = x509_issuer_common_name AS cert_issuer_cn
FIELDALIAS-cryptographic_analyzer_cipher = cipher_suite AS cipher_name
FIELDALIAS-cryptographic_analyzer_tls = tls_server_cipher AS tls_cipher, tls_server_protocol_version AS tls_version
# Calculated fields
EVAL-cert_expires_days = if(isnotnull(certificate_days_until_expiry), certificate_days_until_expiry, null())
EVAL-cert_status_severity = case(certificate_status="expired", "critical", certificate_status="expiring_soon", "high", certificate_status="expiring_warning", "medium", certificate_status="valid", "low", "unknown")
EVAL-pqc_risk_level = if(pqc_vulnerable==true, "high", "low")
[tychon-acdi:scan_report]
KV_MODE = json
AUTO_KV_JSON = true
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = "scan_metadata"\s*:\s*{\s*"timestamp"\s*:\s*"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
category = Application
description = TYCHON Quantum Readiness complete scan reports
[tychon-acdi:tychon]
KV_MODE = json
AUTO_KV_JSON = true
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = "tychon"\s*:\s*{\s*"timestamp"\s*:\s*"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
category = Application
description = TYCHON Quantum Readiness Tychon format with threat intelligence
All TYCHON ACDI scan events include an event_id field containing a unique SHA256-based identifier for deduplication and asset tracking across multiple scans.
| Asset Type | Unique ID Components | Deduplication Strategy |
|---|---|---|
cipher_suite |
host + port + cipher_suite + protocol + observer_id | Latest cipher discovery per host/port |
ssh_host_key |
host + port + key_type + fingerprint + observer_id | Latest SSH key per host/port |
certificate |
host + port + serial_number + sha256_fingerprint + observer_id | Latest certificate per host/port |
filesystem_certificate |
serial_number + sha256_fingerprint + file_path + observer_id | Latest filesystem scan per file |
process_crypto_library |
process_id + library_name + library_path + file_version + observer_id | Latest library scan per process |
vpn_client |
client_name + vendor + install_path + observer_id | Latest VPN client discovery |
ipsec_tunnel |
tunnel_name + implementation + observer_id | Latest IPSec tunnel discovery |
outlook_archive |
file_path + file_type + sha256_hash + observer_id | Latest archive scan per file |
quantum_readiness |
system_type + criticality_level + overall_score + observer_id | Latest quantum assessment per system |
sourcetype=cryptographic-analyzer:* asset_type=cipher_suite
| stats latest(_time) as latest_time, latest(*) as * by event_id
| eval _time=latest_time
sourcetype=cryptographic-analyzer:* asset_type=crypto_library
| stats latest(_time) as latest_time, latest(*) as * by event_id, observer.id
| eval _time=latest_time
sourcetype=cryptographic-analyzer:* asset_type=host_summary
| stats latest(_time) as latest_time, latest(*) as * by server_address, server_port
| eval _time=latest_time
sourcetype=cryptographic-analyzer:*
| stats latest(_time) as latest_time, latest(*) as * by event_id, observer.id
| eval _time=latest_time
| stats dc(event_id) as unique_assets by asset_type
Always include observer.id in deduplication queries to maintain separate asset inventories per scanning system. This ensures accurate asset counts in distributed environments.
All TYCHON ACDI scan events include standardized fields for consistent analytics and correlation across asset types.
| Field Name | Type | Description | Example |
|---|---|---|---|
event_id |
string | Unique SHA256-based identifier for deduplication | a1b2c3d4e5f6789a |
@timestamp |
datetime | Event ingestion timestamp (ISO 8601) | 2024-03-15T14:30:45Z |
scan_timestamp |
datetime | Original scan execution timestamp | 2024-03-15T14:28:12Z |
scan_type |
string | Type of scan performed | local, remote, memory |
scanner_version |
string | TYCHON scanner version | 1.0.61 |
event_type |
string | Specific event category | cipher_suite_discovered, process_crypto_library, keystore_certificate_discovered, keystore_discovered |
asset_type |
string | High-level asset classification | cipher_suite, crypto_library, certificate, keystore_certificate, keystore |
observer |
object | Scanning system information (ECS compliant) | {"hostname": "scanner01", "id": "uuid"} |
tags |
array | User-defined scan tags (optional) | ["production", "web-tier"] |
asset_type=crypto_library)| Field Name | Type | Description | Example |
|---|---|---|---|
library_name |
string | Library filename | openssl.exe, bcrypt.dll |
library_file_version |
string | File version (corrected for Windows system libs) | 10.0.22000.1455, 3.0.8 |
library_path |
string | Full filesystem path | C:\\Windows\\System32\\bcrypt.dll |
library_product_name |
string | Product name from version info | Microsoft® Windows® Operating System |
library_company |
string | Company/vendor name | Microsoft Corporation, OpenSSL Project |
process_id |
number | Process ID using the library | 1234 |
process_name |
string | Process executable name | nginx.exe, java.exe |
process_path |
string | Full process executable path | C:\\Program Files\\nginx\\nginx.exe |
| Field Name | Type | Description | Example |
|---|---|---|---|
vulnerable |
boolean | Has known vulnerabilities | true, false |
risk_level |
string | Vulnerability severity level | critical, high, medium, low |
risk_reason |
string | Human-readable vulnerability description | Vulnerable to Heartbleed attack |
cve_list |
array | Associated CVE identifiers | ["CVE-2014-0160", "CVE-2014-0346"] |
fixed_in_version |
string | Version where vulnerabilities are fixed | 1.0.1g, 3.0.9 |
vulnerability_assessed_at |
datetime | Vulnerability assessment timestamp | 2024-03-15T14:30:45Z |
| Field Name | Type | Description | Example |
|---|---|---|---|
pqc_support |
boolean | Post-quantum cryptography support | true, false |
fips_validated |
boolean | FIPS 140-2 validation status | true, false |
asset_type=certificate)| Field Name | Type | Description | Example |
|---|---|---|---|
x509_serial_number |
string | Certificate serial number | 03:e8:f9:78:6c:6d:26:9c |
x509_subject_common_name |
string | Certificate subject CN | www.example.com |
x509_issuer_common_name |
string | Certificate issuer CN | DigiCert Global Root CA |
x509_validity_not_before |
datetime | Certificate valid from date | 2024-01-01T00:00:00Z |
x509_validity_not_after |
datetime | Certificate expiration date | 2025-01-01T00:00:00Z |
x509_public_key_algorithm |
string | Public key algorithm | RSA, ECDSA, Ed25519 |
x509_public_key_size |
number | Public key size in bits | 2048, 256, 384 |
hash_sha256_certificate |
string | Certificate SHA256 fingerprint | a1b2c3d4e5f6... |
asset_type=cipher_suite)| Field Name | Type | Description | Example |
|---|---|---|---|
server_address |
string | Target server hostname/IP | example.com, 192.168.1.100 |
server_port |
number | Target server port | 443, 22, 8443 |
cipher_suite |
string | Negotiated cipher suite name | TLS_AES_256_GCM_SHA384 |
protocol |
string | TLS/SSL protocol version | TLSv1.3, TLSv1.2 |
key_length_bits |
number | Symmetric key length | 256, 128 |
ephemeral_key_length_bits |
number | Ephemeral key exchange length | 2048, 256 |
negotiated_group |
string | Key exchange group/curve | X25519, secp256r1 |
tls_server_cipher |
string | ECS-compliant cipher field | ECDHE-RSA-AES256-GCM-SHA384 |
tls_server_protocol_version |
string | ECS-compliant protocol field | 1.3, 1.2 |
| Field Name | Type | Description | Example |
|---|---|---|---|
vpn_client_name |
string | VPN client software name | OpenVPN, Cisco AnyConnect |
vpn_client_vendor |
string | VPN software vendor | OpenVPN Inc., Cisco Systems |
vpn_client_version |
string | VPN client version | 2.6.5, 4.10.7 |
ipsec_tunnel_name |
string | IPSec tunnel identifier | site-to-site-tunnel-1 |
ipsec_implementation |
string | IPSec implementation type | strongSwan, Windows IPSec |
vpn_security_score |
number | VPN security assessment score (0-100) | 85, 42, 91 |
vpn_risk_level |
string | VPN security risk level | low, medium, high, critical |
vpn_pqc_vulnerable |
boolean | VPN vulnerable to quantum attacks | true, false |
vpn_known_vulnerabilities |
string | Comma-separated list of CVE IDs | CVE-2023-1234,CVE-2023-5678 |
vpn_encryption_algorithm |
string | VPN encryption algorithm in use | AES-256-GCM, ChaCha20-Poly1305 |
vpn_authentication_algorithm |
string | VPN authentication algorithm | SHA-256, SHA-384 |
vpn_dns_leak_protection |
boolean | DNS leak protection enabled | true, false |
vpn_kill_switch |
boolean | Kill switch/network lock enabled | true, false |
ipsec_security_score |
number | IPSec security assessment score (0-100) | 78, 91, 34 |
ipsec_risk_level |
string | IPSec security risk level | low, medium, high, critical |
ipsec_pqc_vulnerable |
boolean | IPSec vulnerable to quantum attacks | true, false |
ipsec_encryption_algorithm |
string | IPSec encryption algorithm | AES-256-GCM, AES-128-CBC |
ipsec_dh_group |
string | Diffie-Hellman group used | modp2048, secp256r1, x25519 |
ssh_host_key_type |
string | SSH host key algorithm | rsa, ecdsa, ed25519 |
ssh_host_key_fingerprint_sha256 |
string | SSH host key SHA256 fingerprint | SHA256:nThbg6k... |
asset_type=keystore_certificate)| Field Name | Type | Description | Example |
|---|---|---|---|
keystore_path |
string | Full path to the keystore file | /etc/ssl/server.p12, C:\\Certs\\app.pfx |
keystore_type |
string | Keystore format type | PKCS12, JKS, Windows Certificate Store, macOS Keychain |
keystore_accessible |
boolean | Whether keystore was accessible for scanning | true, false |
keystore_requires_auth |
boolean | Whether keystore requires authentication | true, false |
certificate_subject |
string | Certificate subject DN | CN=app.company.com, O=Company Inc |
certificate_issuer |
string | Certificate issuer DN | CN=DigiCert Global Root CA |
certificate_alias |
string | Certificate alias/friendly name in keystore | server-cert, app-signing-key |
certificate_has_private_key |
boolean | Whether certificate has associated private key | true, false |
certificate_not_after |
datetime | Certificate expiration date | 2025-12-31T23:59:59Z |
vulnerability_is_vulnerable |
boolean | Whether certificate has security vulnerabilities | true, false |
pqc_vulnerable |
boolean | Whether certificate is vulnerable to quantum attacks | true, false |
asset_type=keystore)| Field Name | Type | Description | Example |
|---|---|---|---|
keystore_path |
string | Full path to the keystore file | /etc/ssl/cacerts, C:\\Windows\\System32\\Cert\\CurrentUser\\My |
keystore_type |
string | Keystore format type | PKCS12, JKS, Windows Certificate Store, macOS Keychain |
keystore_cert_count |
number | Total number of certificates in keystore | 15, 127, 3 |
keystore_stats_vulnerable_certificates |
number | Number of vulnerable certificates in keystore | 0, 3, 12 |
keystore_stats_pqc_vulnerable_certificates |
number | Number of post-quantum vulnerable certificates | 8, 15, 127 |
keystore_stats_expired_certificates |
number | Number of expired certificates in keystore | 0, 1, 5 |
keystore_owner |
string | File owner (UNIX systems) | root, www-data, ubuntu |
keystore_permissions |
string | File permissions (UNIX systems) | 600, 644, 755 |
file_size |
number | Keystore file size in bytes | 4096, 65536, 1048576 |
| Field Name | Type | Description | Example |
|---|---|---|---|
quantum_overall_score |
number | Overall quantum readiness score (0-100) | 75, 45, 92 |
quantum_system_type |
string | System classification type | enterprise_server, endpoint, iot_device |
quantum_criticality_level |
string | System criticality classification | critical, high, medium, low |
quantum_recommendations |
array | Quantum readiness recommendations | ["Upgrade OpenSSL to 3.x", "Implement hybrid certificates"] |
asset_type=host_summary)Provides a comprehensive one-line summary per host/port combination, aggregating certificates, cipher suites, and quantum readiness assessments.
| Field Name | Type | Description | Example |
|---|---|---|---|
server_address |
string | Target server hostname/IP | example.com, 192.168.1.100 |
server_port |
number | Target server port | 443, 993, 8443 |
certificate_subject |
string | Primary certificate Common Name | *.example.com, api.service.com |
certificate_issuer |
string | Certificate Issuer Common Name | Let's Encrypt Authority X3, DigiCert SHA2 |
certificate_expiry |
string | Certificate expiration date (ISO 8601) | 2024-12-15T23:59:59Z |
certificate_signature_algorithm |
string | Certificate signature algorithm | RSA-SHA256, ECDSA-SHA256 |
cipher_count |
number | Total number of supported cipher suites | 15, 42, 8 |
supported_tls_versions |
array | Supported TLS protocol versions | ["TLSv1.2", "TLSv1.3"] |
supported_kx_groups |
array | Supported key exchange groups/curves | ["X25519", "P-256", "X25519MLKEM768"] |
supported_kx_algorithms |
array | Key exchange algorithm types | ["ECDHE_ECDSA", "N/A (TLS 1.3)"] |
quantum_ready_kx |
boolean | Host supports quantum-safe key exchange | true, false |
quantum_ready_cipher |
boolean | Host supports quantum-safe cipher algorithms | true, false |
quantum_ready_cert |
boolean | Host certificate uses quantum-safe algorithms | true, false |
quantum_ready |
boolean | Overall quantum readiness (all components) | true, false |
observer object follows ECS (Elastic Common Schema) specificationx509_* prefix following ECS conventionstls_server_* prefix for ECS complianceevent_id for deduplication and asset tracking across scans[TYCHON_ACDI_Crypto_Assets]
acceleration = true
acceleration.earliest_time = -30d
acceleration.max_time = 0
# Root search for all TYCHON Quantum Readiness data
search = sourcetype=tychon-acdi:* | eval asset_id=coalesce(tychon_source_id, certificate.source_id, tychon.certificate.source_id)
# Certificate lifecycle dataset
[TYCHON_ACDI_Crypto_Assets.Certificate_Lifecycle]
search = sourcetype=tychon-acdi:* asset_type=certificate | eval cert_id=asset_id, days_to_expiry=certificate_days_until_expiry
# Cipher analysis dataset
[TYCHON_ACDI_Crypto_Assets.Cipher_Analysis]
search = sourcetype=tychon-acdi:* (asset_type=cipher OR isnotnull(cipher_info.algorithm)) | eval cipher_name=coalesce(cipher_info.full_name, tls.cipher)
# Security assessments dataset
[TYCHON_ACDI_Crypto_Assets.Security_Assessment]
search = sourcetype=tychon-acdi:* | eval risk_score=security_score, risk_level=security_level
index=main sourcetype=tychon-acdi:crypto_assets x509_subject_common_name=*
| eval cert_expires_in = round((strptime(x509_validity_not_after, "%Y-%m-%dT%H:%M:%S") - now()) / 86400)
| eval severity = case(cert_expires_in < 0, "EXPIRED", cert_expires_in <= 7, "CRITICAL", cert_expires_in <= 30, "WARNING", "OK")
| table _time, server_address, server_port, x509_subject_common_name, x509_issuer_common_name,
x509_validity_not_after, cert_expires_in, severity
| sort cert_expires_in asc
Schedule: Every 5 minutes | Action: Email security team
sourcetype=cryptographic-analyzer:*
| where certificate_days_until_expiry <= 30 AND certificate_days_until_expiry > 0
| dedup cryptographic_analyzer_source_id
| eval expiry_category=case(
certificate_days_until_expiry <= 7, "Critical (1 week)",
certificate_days_until_expiry <= 14, "High (2 weeks)",
certificate_days_until_expiry <= 30, "Medium (1 month)")
| table _time, host, dest_ip, dest_port, cert_subject_cn, cert_issuer_cn,
certificate_days_until_expiry, expiry_category, x509.not_after
| sort certificate_days_until_expiry asc
Schedule: Daily at 8 AM | Action: Slack notification
sourcetype=cryptographic-analyzer:* asset_type=certificate
| stats earliest(_time) as first_seen, latest(_time) as last_seen,
dc(_time) as scan_count,
latest(certificate_status) as current_status,
latest(certificate_days_until_expiry) as days_until_expiry,
latest(security_score) as security_score,
latest(x509.not_after) as expiry_date
by cryptographic_analyzer_source_id, cert_subject_cn, cert_issuer_cn, host, dest_ip
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M"),
last_seen=strftime(last_seen, "%Y-%m-%d %H:%M"),
expiry_date=strftime(strptime(expiry_date, "%Y-%m-%dT%H:%M:%S"), "%Y-%m-%d")
| sort security_score asc, days_until_expiry asc
index=main sourcetype=tychon-acdi:crypto_assets event_type="cipher_suite_discovered"
| eval weak_cipher = case(
match(cipher_suite, "(?i)(3des|des|rc4|md5)"), "WEAK_ALGORITHM",
key_length_bits < 128, "WEAK_KEY_SIZE",
match(tls_server_protocol_version, "(?i)(ssl|tls1\.0|tls1\.1)"), "WEAK_PROTOCOL",
"ACCEPTABLE")
| where weak_cipher != "ACCEPTABLE"
| table _time, server_address, server_port, cipher_suite, tls_server_protocol_version,
key_length_bits, negotiated_group, weak_cipher
| sort _time desc
Schedule: Every 15 minutes | Action: Create incident in ServiceNow
sourcetype=cryptographic-analyzer:* pqc_vulnerable=true
| stats count as vulnerable_instances,
dc(cryptographic_analyzer_source_id) as unique_assets,
values(cipher_info.algorithm) as vulnerable_algorithms,
values(host) as affected_hosts,
latest(security_score) as avg_security_score
by dest_ip, dest_port, cipher_suite
| eval pqc_risk="HIGH",
remediation="Migrate to PQC-ready cipher suites"
| sort vulnerable_instances desc
sourcetype=cryptographic-analyzer:*
| stats count as usage_count,
dc(host) as host_count,
dc(dest_ip) as target_count,
avg(security_score) as avg_security_score,
values(cipher_info.key_size) as key_sizes
by cipher_info.algorithm, cipher_info.key_exchange, cipher_info.hash
| eval cipher_summary=cipher_info.algorithm + "-" + cipher_info.key_exchange + "-" + cipher_info.hash
| sort usage_count desc
sourcetype=cryptographic-analyzer:*
| bin _time span=1d
| stats avg(security_score) as avg_score,
min(security_score) as min_score,
max(security_score) as max_score,
dc(cryptographic_analyzer_source_id) as asset_count,
count(eval(security_score < 50)) as high_risk_count,
count(eval(pqc_vulnerable==true)) as pqc_vulnerable_count
by _time
| eval pqc_vulnerable_pct=round((pqc_vulnerable_count/asset_count)*100, 2),
high_risk_pct=round((high_risk_count/asset_count)*100, 2)
| sort _time
sourcetype=cryptographic-analyzer:*
| stats count as total_discoveries,
dc(cryptographic_analyzer_source_id) as unique_assets,
dc(host) as scanning_hosts,
dc(dest_ip) as target_servers,
values(asset_type) as asset_types,
earliest(_time) as first_scan,
latest(_time) as last_scan
| eval scan_duration=tostring(last_scan-first_scan, "duration"),
discovery_rate=round(total_discoveries/(last_scan-first_scan)*86400, 2) + " discoveries/day"
| table unique_assets, total_discoveries, scanning_hosts, target_servers,
asset_types, discovery_rate, scan_duration
sourcetype=cryptographic-analyzer:*
| where security_score < 50 OR certificate_status="expired" OR pqc_vulnerable==true
| dedup cryptographic_analyzer_source_id
| eval risk_reasons=mvappend(
if(security_score < 30, "Critical Security Score (" + security_score + ")", null()),
if(certificate_status="expired", "Expired Certificate", null()),
if(certificate_status="expiring_soon", "Certificate Expiring Soon", null()),
if(pqc_vulnerable==true, "PQC Vulnerable", null()),
if(match(cipher_info.algorithm, "(?i)(3des|des|rc4)"), "Weak Algorithm", null())
)
| table _time, host, dest_ip, dest_port, asset_type, cert_subject_cn,
cipher_suite, security_score, certificate_status,
certificate_days_until_expiry, pqc_vulnerable, risk_reasons
| sort security_score asc
<dashboard>
<label>TYCHON Quantum Readiness - Executive Crypto Security Overview</label>
<description>High-level cryptographic security posture metrics</description>
<row>
<panel>
<single>
<title>Total Crypto Assets</title>
<search>
<query>
sourcetype=cryptographic-analyzer:*
| stats dc(cryptographic_analyzer_source_id) as asset_count
</query>
<earliest>-7d@d</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
</single>
</panel>
<panel>
<single>
<title>Average Security Score</title>
<search>
<query>
sourcetype=cryptographic-analyzer:*
| stats avg(security_score) as avg_score
| eval avg_score=round(avg_score, 1)
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0xDC4E41","0xF1813F","0x53A051"]</option>
<option name="rangeValues">[50,80]</option>
</single>
</panel>
<panel>
<single>
<title>PQC Vulnerable Assets</title>
<search>
<query>
sourcetype=cryptographic-analyzer:* pqc_vulnerable=true
| stats latest(_time) as latest_time, latest(*) as * by event_id, observer.id
| eval _time=latest_time
| stats dc(event_id) as pqc_vulnerable_count
</query>
<earliest>-7d@d</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="colorBy">value</option>
<option name="rangeColors">["0x53A051","0xF1813F","0xDC4E41"]</option>
<option name="rangeValues">[10,50]</option>
</single>
</panel>
</row>
<row>
<panel>
<chart>
<title>Security Level Distribution</title>
<search>
<query>
sourcetype=cryptographic-analyzer:*
| stats latest(_time) as latest_time, latest(*) as * by event_id, observer.id
| eval _time=latest_time
| stats dc(event_id) as count by security_level
| eval security_level=upper(security_level)
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.chart.showPercent">true</option>
<option name="charting.legend.placement">bottom</option>
</chart>
</panel>
<panel>
<chart>
<title>Certificate Status Breakdown</title>
<search>
<query>
sourcetype=cryptographic-analyzer:* asset_type=certificate
| stats latest(_time) as latest_time, latest(*) as * by event_id, observer.id
| eval _time=latest_time
| stats dc(event_id) as count by certificate_status
| eval certificate_status=case(
certificate_status="valid", "Valid",
certificate_status="expiring_warning", "Expiring (90 days)",
certificate_status="expiring_soon", "Expiring (30 days)",
certificate_status="expired", "EXPIRED",
true(), "Unknown")
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.axisTitleY.text">Certificate Count</option>
</chart>
</panel>
</row>
</dashboard>
sourcetype=cryptographic-analyzer:* | timechart span=1h count by certificate_status
sourcetype=cryptographic-analyzer:* | top limit=10 cipher_info.algorithm by dest_ip
sourcetype=cryptographic-analyzer:* | iplocation dest_ip | stats avg(security_score) as avg_score by Country | geostats latfield=lat longfield=lon avg_score
sourcetype=cryptographic-analyzer:*
| stats latest(_time) as latest_time, latest(*) as * by event_id, observer.id
| eval _time=latest_time
| stats dc(event_id) as assets, latest(_time) as last_scan by observer.hostname
| eval last_scan=strftime(last_scan, "%Y-%m-%d %H:%M")
| sort assets desc
# Detect unusual cipher patterns using MLTK
sourcetype=tychon-acdi:*
| eval hour=strftime(_time, "%H"),
day_of_week=strftime(_time, "%a")
| stats count as cipher_count,
avg(security_score) as avg_security_score
by hour, day_of_week, cipher_info.algorithm, dest_ip
| fit DensityFunction cipher_count avg_security_score into crypto_baseline_model
| apply crypto_baseline_model
| where 'ProbabilityDensity(cipher_count,avg_security_score)' < 0.01
| table _time, dest_ip, cipher_info.algorithm, cipher_count, avg_security_score
# Generate compliance report for security frameworks
sourcetype=tychon-acdi:*
| eval compliance_status=case(
security_score >= 80 AND pqc_vulnerable==false AND certificate_status="valid", "COMPLIANT",
security_score >= 60 AND certificate_status!="expired", "PARTIAL",
true(), "NON_COMPLIANT"
)
| stats count as asset_count,
avg(security_score) as avg_score,
count(eval(compliance_status="COMPLIANT")) as compliant_count,
count(eval(compliance_status="NON_COMPLIANT")) as non_compliant_count
by host, asset_type
| eval compliance_percentage=round((compliant_count/asset_count)*100, 2)
| sort compliance_percentage asc
# Create risk heat map by host and service
sourcetype=tychon-acdi:*
| stats avg(security_score) as avg_security_score,
count(eval(certificate_status="expired")) as expired_certs,
count(eval(pqc_vulnerable==true)) as pqc_vulnerable_assets,
dc(cryptographic_analyzer_source_id) as total_assets
by host, dest_ip, dest_port
| eval risk_multiplier=1 + (expired_certs*0.5) + (pqc_vulnerable_assets*0.3),
adjusted_risk_score=round(avg_security_score/risk_multiplier, 1),
service=dest_ip + ":" + dest_port
| where total_assets > 0
| sort adjusted_risk_score asc
Unlike Elasticsearch, Splunk operates as a time-series database where every scan creates a new event. There are no upsert capabilities - each discovery of a certificate, cipher suite, VPN client, or IPSec policy creates a separate timestamped record. This architecture significantly impacts data volume and licensing costs.
Each row below represents one Splunk HEC event with its own event.dataset field. All datasets flow through the flat NDJSON pipeline shared with Elasticsearch. Events are gzip-compressed in transit (~70% reduction) but the uncompressed size counts toward Splunk licensing.
event.dataset |
Description | Avg Size | Typical Count |
|---|---|---|---|
| port_detail | Per-port connection summary with cipher negotiation, KEX intel, and CNSA 2.0 compliance level (tychon.connection.*, tychon.kex.*) |
4.0 KB | 1 per open port scanned |
| tychon.cipher_quick | Quick cipher summary for a TLS/SSH port — supported protocols, cipher lists, preferred cipher, weak/insecure cipher counts, mTLS detection | 3.5 KB | 1 per TLS or SSH port |
| tychon.pqc_inventory | Per-cipher PQC inventory: algorithm details, quantum risk, CNSA 2.0 classification, FIPS-140-3 and PCI-DSS compliance flags. Emitted as sourcetype tychon:pqc_inventory |
2.0 KB | 10–40 per TLS port; 5–15 per SSH port |
| certificate | X.509 certificate from network TLS handshake — full chain, subject/issuer, validity dates, key algorithm, SAN, SHA-256 fingerprint | 3.5 KB | 2–5 per TLS port (full chain) |
| tychon.connected_quick | Quick port connectivity record for ports that responded but did not complete a cipher scan | 1.5 KB | 1 per responding port |
| tychon.non_tls_cipher | Non-TLS cipher discovery — SSH KEX algorithms, IPSec proposals, or plaintext service detection on a port | 1.5 KB | 5–20 per SSH/non-TLS port |
event.dataset |
Description | Avg Size | Typical Count per Endpoint |
|---|---|---|---|
| tychon.installed_app | One event per installed application — name, version, vendor, install path, bundle ID (macOS). Covers all discovered software, not just crypto apps | 1.5 KB | 20–100 apps per endpoint |
| tychon.application | Application-level crypto profile — preferred protocol, key exchange, cipher suite, quantum readiness grade, linked certificates and crypto connections. Emitted as sourcetype tychon:application |
4.0 KB | 5–30 apps with crypto activity |
| tychon.app_certificate | X.509 certificate associated with a specific application's crypto connections — same fields as network certificate events but linked to app context |
3.0 KB | 5–50 certs per endpoint |
| tychon.browser_extension | New in 2.0.4.10 — One event per browser extension per browser per user. Covers Chrome, Edge, and Firefox on Windows, macOS (all users via /Users/*), and Linux (via /home/*). Fixed in TQR-1025 for macOS/Linux |
1.5 KB | 10–200 per endpoint (requires -scan-browser-extensions) |
| keystore | Keystore file discovery — path, type (JKS, PKCS12, Windows CNG, macOS Keychain), owner, accessibility, cert count, auth requirement | 2.5 KB | 5–30 keystores per endpoint |
| keystore_certificate | X.509 certificate stored inside a keystore — emitted separately for each cert in each keystore to enable per-cert queries | 3.0 KB | 10–100 per endpoint |
| config_cert | X.509 certificate embedded in a configuration file (nginx.conf, Apache, IIS, HAProxy, etc.) — includes source file path and service context | 2.5 KB | 5–50 per endpoint |
| vpn | VPN client detection — product name, vendor, version, install path, crypto configuration | 2.0 KB | 0–5 per endpoint |
| ipsec | IPSec tunnel configuration — IKE version, encryption algorithm, DH group, auth method, integrity algorithm, PFS status | 2.0 KB | 0–10 per endpoint |
| memory_scan | Cryptographic library loaded in process memory — library name, version, path, process that loaded it, OpenSSL/BoringSSL/NSS identification | 2.0 KB | 5–20 per endpoint |
| private_key | Private key file discovery — algorithm, key size, file path, associated certificate (if detectable), encryption status | 1.5 KB | 0–20 per endpoint |
| java_crypto | Java cryptographic artifact — JAR path, class name, crypto algorithm usage, JCE provider | 1.5 KB | 0–10 per endpoint |
| archivefile | Archive or email file containing cryptographic material (PST, OST, ZIP with certs or keys) | 1.5 KB | 0–5 per endpoint |
| tychon.macsec | MACsec (IEEE 802.1AE) interface detection — interface name, cipher suite, key agreement mode, protection status | 2.0 KB | 0–5 per endpoint |
event.dataset |
Description | Avg Size | Count per Scan |
|---|---|---|---|
| quantum_assessment | System-level PQC readiness summary — overall score, VDI identity, detection mode, observer metadata | 3.0 KB | 1 per scan run |
| quantum_assessment.app_group | Per-application-group readiness score and findings summary | 1.5 KB | 1–5 per scan |
| quantum_assessment.critical_issue | One event per critical cryptographic issue identified in the readiness assessment | 1.5 KB | 0–20 per scan |
| Scan Mode | Typical Events / Endpoint | Avg Size / Endpoint | Key Flag(s) |
|---|---|---|---|
| Local endpoint — baseline | ~120 events | ~300 KB | No extra flags (installed apps, keystores, memory, VPN, IPSec, certs) |
| Local endpoint — with browser extension scan | ~200–400 events | ~500 KB – 1 MB | -scan-browser-extensions (adds 10–200 browser extension events per endpoint; fixed for macOS/Linux in 2.0.4.10) |
| Remote port scan — 50 ports/host | ~200 events | ~400 KB | -scan-hosts with default port list — port_detail + cipher_quick + pqc_inventory + certificates per TLS/SSH port |
| Remote port scan — 100+ ports/host | ~400–600 events | ~800 KB – 1.2 MB | Expanded port range — pqc_inventory events dominate (10–40 per TLS port) |
| Combined local + remote (same host) | ~400–700 events | ~900 KB – 1.5 MB | Local scan plus network port scan of the same host — maximum visibility and data volume |
* Event counts depend on installed software diversity, number of TLS services, keystore inventory, and browser usage patterns. Values above are representative of a mid-complexity enterprise workstation or server.
| Environment | Endpoints | Scan Frequency | Events per Endpoint | Daily Volume | Monthly Volume |
|---|---|---|---|---|---|
| Small | 100 | 1x daily | ~200 events | 50 MB | 1.5 GB |
| Medium | 1,000 | 1x daily | ~200 events | 500 MB | 15 GB |
| Large | 10,000 | 1x daily | ~200 events | 5 GB | 150 GB |
| Enterprise | 50,000 | 1x daily | ~200 events | 25 GB | 750 GB |
| Environment | Endpoints | Scan Frequency | Events per Endpoint | Daily Volume | Monthly Volume |
|---|---|---|---|---|---|
| Small | 100 | 1x weekly | ~200 events | 7 MB | 215 MB |
| Medium | 1,000 | 1x weekly | ~200 events | 71 MB | 2.1 GB |
| Large | 10,000 | 1x weekly | ~200 events | 714 MB | 21 GB |
| Enterprise | 50,000 | 1x weekly | ~200 events | 3.6 GB | 107 GB |
| Environment | Endpoints | Scan Frequency | Events per Endpoint | Daily Volume | Monthly Volume |
|---|---|---|---|---|---|
| Small | 100 | 1x monthly | ~200 events | 1.7 MB | 50 MB |
| Medium | 1,000 | 1x monthly | ~200 events | 17 MB | 500 MB |
| Large | 10,000 | 1x monthly | ~200 events | 167 MB | 5 GB |
| Enterprise | 50,000 | 1x monthly | ~200 events | 833 MB | 25 GB |
Daily Volume = Endpoints × Scan Frequency × Events per Endpoint × Avg Event Size (~2.5 KB/event)
* Events per endpoint (~200) reflects a typical local scan with browser extensions enabled (installed apps, keystores, config certs, browser extensions, VPN/IPSec, memory scan, quantum assessment). Remote port scanning adds ~200–400 additional events per host for 50–100 ports scanned.
* Avg event size (~2.5 KB) — each flat NDJSON event is sent individually to Splunk HEC. Events are gzip-compressed in transit (Splunk counts the uncompressed raw size for licensing).
* Browser extensions (2.0.4.10+): Previously generated zero records on macOS and Linux. Now correctly enumerates all user profiles. Enable with -scan-browser-extensions. Adds 10–200 events per endpoint depending on user count and installed extensions.
* Weekly scans = 1x per 7 days (~4.3x per month); Monthly scans = 1x per 30 days
* Actual volumes vary by installed software diversity, number of TLS services, keystore count, and browser extension footprint
| Splunk License | Daily Limit | Approx. Cost/Year | Endpoints Supported | Usage Scenario |
|---|---|---|---|---|
| Splunk Free | 500 MB | $0 | ~280 (4x daily) | Testing and proof of concept only |
| Splunk Cloud 5GB | 5 GB | ~$108,000 | ~1,500 | Small to medium enterprise |
| Splunk Cloud 20GB | 20 GB | ~$360,000 | ~6,000 | Medium to large enterprise |
| Splunk Cloud 100GB | 100 GB | ~$1,440,000 | ~11,000 | Large enterprise |
| Splunk Cloud 500GB | 500 GB | ~$5,760,000 | ~35,000 | Global enterprise |
Strategy: Scan critical assets 2-4x daily, others weekly
Volume Reduction: 60-70% compared to uniform frequency
License Impact: Can fit larger environments in smaller tiers
Trade-off: Reduced visibility into rapid changes
Strategy: Pre-aggregate daily/weekly statistics
Volume Reduction: 90%+ for historical trend analysis
License Impact: Minimal ongoing ingestion
Trade-off: Loss of granular event detail
Strategy: 30-day hot, 90-day warm, 1-year cold
Volume Impact: Doesn't affect ingestion licensing
Storage Cost: Significant reduction in cloud storage
Trade-off: Slower access to historical data
Strategy: Focus on internet-facing and critical systems
Volume Reduction: 40-60% depending on environment
License Impact: Proportional reduction in daily ingestion
Trade-off: Incomplete asset visibility
| Retention Period | Small (5GB/day) | Medium (20GB/day) | Large (100GB/day) | Enterprise (500GB/day) |
|---|---|---|---|---|
| 30 Days | 150 GB +$3,600/year |
600 GB +$14,400/year |
3 TB +$72,000/year |
15 TB +$360,000/year |
| 90 Days | 450 GB +$10,800/year |
1.8 TB +$43,200/year |
9 TB +$216,000/year |
45 TB +$1,080,000/year |
| 1 Year | 1.8 TB +$43,200/year |
7.3 TB +$175,200/year |
36.5 TB +$876,000/year |
182.5 TB +$4,380,000/year |
| 3 Years | 5.5 TB +$132,000/year |
22 TB +$528,000/year |
110 TB +$2,640,000/year |
550 TB +$13,200,000/year |
Pre-aggregate crypto asset data into summary indices to reduce long-term storage costs while maintaining analytical capabilities.
# Create daily security score aggregations
index=main sourcetype=tychon-acdi:*
| bucket _time span=1d
| stats avg(security_score) as avg_score,
min(security_score) as min_score,
max(security_score) as max_score,
count(eval(pqc_vulnerable==true)) as pqc_vulnerable_count,
count(eval(certificate_status="expired")) as expired_cert_count,
dc(cryptographic_analyzer_source_id) as unique_assets
by _time, host, asset_type
| eval summary_type="daily_security_metrics"
| collect index=summary_crypto_security
Run daily via scheduled search. Reduces volume by ~95% while maintaining trend visibility.
# Aggregate certificate lifecycle events by week
index=main sourcetype=tychon-acdi:* asset_type=certificate
| bucket _time span=1w
| stats first(x509_validity_not_after) as expiry_date,
avg(certificate_days_until_expiry) as avg_days_to_expiry,
values(certificate_status) as status_changes,
count as total_observations,
latest(security_score) as latest_score
by _time, cryptographic_analyzer_source_id, cert_subject_cn
| eval summary_type="weekly_certificate_lifecycle"
| collect index=summary_crypto_certificates
Run weekly. Compresses ~168 hourly observations into 1 summary record.
# Monthly cipher algorithm and usage patterns
index=main sourcetype=tychon-acdi:*
| bucket _time span=1mon
| stats count as usage_count,
avg(security_score) as avg_security_score,
dc(server_address) as unique_servers,
values(tls_server_protocol_version) as tls_versions
by _time, cipher_suite, key_length_bits
| eval summary_type="monthly_cipher_distribution",
month_year=strftime(_time, "%Y-%m")
| collect index=summary_crypto_ciphers
Run monthly. Provides long-term cipher evolution trends with 99%+ space savings.
# indexes.conf - Crypto asset data retention strategy
[main]
# Raw crypto asset events - optimized for recent analysis
homePath = $SPLUNK_DB/db/main/db
coldPath = $SPLUNK_DB/db/main/colddb
thawedPath = $SPLUNK_DB/db/main/thaweddb
maxDataSize = auto_high_volume
maxHotBuckets = 10
maxWarmDBCount = 300
# Hot: 7 days, Warm: 83 days, Cold: 270 days (1 year total)
maxHotSpanSecs = 604800
maxWarmDBCount = 300
frozenTimePeriodInSecs = 31536000
[summary_crypto_security]
# Daily summaries - longer retention for trending
homePath = $SPLUNK_DB/db/summary_security/db
coldPath = $SPLUNK_DB/db/summary_security/colddb
maxDataSize = auto
# 3 year retention for compliance and trend analysis
frozenTimePeriodInSecs = 94608000
maxHotSpanSecs = 2592000 # 30 days hot
maxWarmDBCount = 100
[summary_crypto_certificates]
# Certificate lifecycle summaries
homePath = $SPLUNK_DB/db/summary_certs/db
coldPath = $SPLUNK_DB/db/summary_certs/colddb
maxDataSize = auto
# 5 year retention for certificate management
frozenTimePeriodInSecs = 157680000
maxHotSpanSecs = 7776000 # 90 days hot
[summary_crypto_ciphers]
# Cipher evolution summaries
homePath = $SPLUNK_DB/db/summary_ciphers/db
coldPath = $SPLUNK_DB/db/summary_ciphers/colddb
maxDataSize = auto
# 7 year retention for cryptographic compliance
frozenTimePeriodInSecs = 220752000
maxHotSpanSecs = 15552000 # 180 days hot
| Index Strategy | Retention Period | Volume Reduction | Cost Impact | Use Case |
|---|---|---|---|---|
| Raw Events Only | 1 Year | 0% (baseline) | $$$$$ | Real-time operations, forensics |
| Raw + Daily Summaries | 90d raw + 3y summary | 75% | $$$$ | Balanced operations + trends |
| Raw + Weekly Summaries | 30d raw + 2y summary | 85% | $$$ | Cost-optimized with trends |
| Tiered Summaries | 30d raw + multi-tier | 92% | $$ | Maximum cost efficiency |
| Summary Only | 5y aggregated data | 97% | $ | Long-term compliance only |
• Hot data: 30 days raw events for operational needs
• Warm data: 90 days daily summaries for trend analysis
• Cold data: 3+ years weekly/monthly summaries for compliance
• Cost savings: 85-90% reduction vs. raw-only retention
The scanner compresses all Splunk HEC payloads with gzip before sending (Content-Encoding: gzip). Flat NDJSON with repeated field names compresses exceptionally well — typical wire-size reduction is 70–78%, meaning roughly 22–30% of the uncompressed event volume travels across the network.
Compression enabled (default)
Events are batched (500 per request) into a single gzip stream and POST'd to https://splunk:8088/services/collector/event. Wire size ≈ 25% of raw event size.
Compression disabled (-no-compress)
Use when a reverse proxy or load balancer sits between the scanner and Splunk HEC and does not forward Content-Encoding headers. Wire size equals the raw uncompressed event volume.
These figures represent the actual bytes transferred over the network from scanner to Splunk HEC per scan invocation on a single endpoint or host. All calculations assume the default 75% gzip compression ratio.
| Scan Mode | Events / Run | Uncompressed | Wire Size (gzip) | HEC Requests | Notes |
|---|---|---|---|---|---|
| Local endpoint — baseline | ~120 | ~300 KB | ~75 KB | 1 | Installed apps, keystores, config certs, memory scan, VPN/IPSec, quantum assessment. All 120 events fit in a single batch. |
| Local + browser extensions (1 user, ~15 extensions) | ~160 | ~400 KB | ~100 KB | 1 | Single user with 15 extensions across 2 browsers. Fixed for macOS/Linux in v2.0.4.10 (TQR-1025). |
| Local + browser extensions (3 users, ~20 ext each) | ~300 | ~750 KB | ~190 KB | 1 | Shared workstation or server with multiple user profiles. Browser extension events scale linearly with users × extensions × browsers. |
| Remote port scan — 50 ports per host | ~200 | ~400 KB | ~100 KB | 1 | Typical for a server with 5–10 TLS services. pqc_inventory events (10–40 per TLS port) are the dominant contributor. |
| Remote port scan — 100+ ports per host | ~500 | ~1.0 MB | ~250 KB | 1–2 | Extended port range or host with many TLS services. May spill into a second HEC batch if event count exceeds 500. |
| Combined local + remote (same host) | ~550 | ~1.2 MB | ~300 KB | 2 | Maximum visibility scan — local endpoint data plus full port scan of the same host. Two HEC batches per scan cycle. |
* Batch size: 500 events per HEC POST request (default). Configurable via -splunkbatchsize. Each batch adds ~800 bytes of HTTP header overhead (negligible).
When performing a remote port scan, the scanner also generates inbound/outbound probe traffic to the target hosts. This is separate from and smaller than the resulting Splunk HEC upload.
| Probe Type | Bytes per Port | 50 Ports / Host | 100 Ports / Host |
|---|---|---|---|
| TCP connect + TLS ClientHello | ~1.5 KB | ~75 KB | ~150 KB |
| Full TLS handshake (cipher enumeration per cipher) | ~3 KB / cipher | ~300–600 KB | ~600 KB – 1.2 MB |
| SSH banner + KEX enumeration | ~2 KB / port | ~10–20 KB | ~20–40 KB |
| Total probe traffic per host | — | ~400 KB – 700 KB | ~800 KB – 1.4 MB |
Key insight: For remote port scans, probe traffic (~400 KB–1.4 MB per host) typically exceeds the compressed Splunk upload (~100–250 KB per host). When scanning large host counts, plan for probe traffic bandwidth capacity on the scanning machine's NIC and on any firewall/IDS between the scanner and targets — not just the Splunk upload path.
Compressed bytes transferred from scanner(s) to Splunk HEC per day. These figures assume gzip compression is enabled (default). For deployments with -no-compress, multiply by 4× to get uncompressed wire bandwidth.
| Environment | Endpoints | Wire / Endpoint / Scan | Daily HEC Upload | Monthly HEC Upload | Peak Mbps (1-hr window) |
|---|---|---|---|---|---|
| Small | 100 | ~125 KB | 12 MB | 370 MB | <0.03 Mbps |
| Medium | 1,000 | ~125 KB | 120 MB | 3.6 GB | ~0.3 Mbps |
| Large | 10,000 | ~125 KB | 1.2 GB | 36 GB | ~2.7 Mbps |
| Enterprise | 50,000 | ~125 KB | 6 GB | 180 GB | ~13 Mbps |
* ~125 KB/endpoint = ~500 KB uncompressed at 75% gzip reduction. Peak Mbps assumes all endpoint scans complete within a 1-hour window.
| Environment | Hosts Scanned | Wire / Host / Scan | Daily HEC Upload | Monthly HEC Upload | Peak Mbps (1-hr window) |
|---|---|---|---|---|---|
| Small | 100 | ~250 KB | 24 MB | 720 MB | <0.05 Mbps |
| Medium | 1,000 | ~250 KB | 240 MB | 7.2 GB | ~0.5 Mbps |
| Large | 10,000 | ~250 KB | 2.4 GB | 72 GB | ~5.3 Mbps |
| Enterprise | 50,000 | ~250 KB | 12 GB | 360 GB | ~27 Mbps |
* ~250 KB/host = ~1 MB uncompressed at 75% gzip reduction. Does not include probe traffic to target hosts (see table above).
Scanner runs locally on each managed endpoint via BigFix, Intune, or similar. Each endpoint independently uploads its own compressed scan data to Splunk HEC.
splunk-hec:8088 — firewall rules required-jitter 3600) to avoid synchronized bursts at the HEC receiverA single scanner machine (or small fleet) performs remote port scans against a target host list. All HEC traffic flows from the scanner machine to Splunk.
-splunkbatchsize 1000 to reduce request count for large scansThe default gzip setting reduces HEC upload bandwidth by 75%. Only disable (-no-compress) if a proxy explicitly strips Content-Encoding headers before forwarding to Splunk. Disabling adds ~4× bandwidth cost.
For 10,000+ endpoints running daily, the 1-hr peak of ~2.7 Mbps (compressed) is manageable but confirm your HEC endpoint can sustain the concurrent connection rate. Use scan scheduling tools to spread start times across a 2–4 hour window.
The tychon:pqc_inventory sourcetype dominates event count for remote port scans (10–40 events per TLS port). On servers with many TLS services (e.g., Kubernetes clusters, API gateways), a single host scan can exceed 1,000 events. Consider weekly instead of daily frequency for high-service-density targets.
Browser extensions change infrequently. Consider scanning with -scan-browser-extensions weekly rather than daily — extension inventory rarely changes day-to-day and a weekly scan adds only 30–60% of the daily bandwidth cost over a month.
security or cryptographic-analyzer index# Track certificate changes over time
sourcetype=tychon-acdi:* asset_type=certificate
| eval cert_key=dest_ip + ":" + dest_port + ":" + cert_subject_cn
| stats values(_time) as scan_times,
values(security_score) as security_scores,
values(certificate_status) as statuses,
values(certificate_days_until_expiry) as expiry_days
by cert_key, cryptographic_analyzer_source_id
| eval lifecycle_events=mvcount(scan_times),
score_variance=max(security_scores) - min(security_scores)
| where lifecycle_events > 1
| sort score_variance desc
# Analyze cipher security across network segments
sourcetype=tychon-acdi:*
| rex field=dest_ip "(?<network_segment>\d+\.\d+\.\d+)\.\d+"
| stats avg(security_score) as avg_score,
count(eval(pqc_vulnerable==true)) as pqc_vulnerable,
count(eval(security_score < 50)) as weak_crypto,
values(cipher_info.algorithm) as algorithms,
dc(dest_ip) as unique_hosts
by network_segment
| eval pqc_risk_pct=round((pqc_vulnerable/unique_hosts)*100, 1),
weak_crypto_pct=round((weak_crypto/unique_hosts)*100, 1)
| sort avg_score asc
# Track new asset discoveries
sourcetype=tychon-acdi:*
| stats earliest(_time) as first_seen by cryptographic_analyzer_source_id, asset_type, host, dest_ip
| eval days_since_discovery=round((now()-first_seen)/86400, 1)
| where days_since_discovery <= 7
| eval discovery_date=strftime(first_seen, "%Y-%m-%d %H:%M")
| table discovery_date, days_since_discovery, asset_type, host, dest_ip, cryptographic_analyzer_source_id
| sort first_seen desc