Cryptographic Data Fields Reference

@timestamp

date-time

No

Pre-insert-processing

The last time this document was inserted into OpenSearch. Provided by indexing service.

first_found

date-time

No

Post-insert processing

The first time this document was inserted into OpenSearch.

version

string

Yes

Sensor

Schema version in MAJOR_MINOR_PATCH format, underscore-delimited. e.g. "3_5_0"

object

object

No*

Pre-insert-processing

High-level summary of the finding derived from observation and crypto.

observation

object

Yes

Sensor / Unified Sensor

All non-cryptographic context about the finding.

crypto

object

Yes

Sensor / Unified Sensor

Cryptographic details of the finding. Exactly one subtype must be present.

analysis

object

No*

Pre-insert / Postprocessing

Policy, priority, and cryptographic analysis results.

*Planned to be required in future version

labels

array

No

Sensor

Scan-level custom key-value metadata. Not mapped in OpenSearch.

custom

object

No

Custom Sensors

Custom sensor-specific fields. Mapped in OpenSearch; can be used for visualization.

_unmapped

object

No

Data Conversion Tool

Fields that could not be migrated to the new schema. Not mapped in OpenSearch.

object.summary

string

Yes

Human-readable summary of the finding. Pattern: "<type>: <name>-<parameters>". See format rules below.

object.fingerprint

string

Yes

SHA256 hash of the cryptographic object itself, independent of location. The same certificate found in two different places will have the same fingerprint but different UIDs. Lowercase hex, 64 chars.

object.type

string

Yes

Type of the cryptographic object. See object.type enum.

object.subtype

string

No

Subtype of the cryptographic object. See object.subtype enum.

object.uid

string

Yes

Unique ID for this specific finding in OpenSearch. Calculated as SHA256(sensor.type + observation.source.location + object.fingerprint). Lowercase hex, 64 chars.

object.resolution

object

No

Resolution status of this finding.

object.resolution.resolved

boolean

Yes (if present)

false = object is still present in the infrastructure. true = object has been removed.

object.resolution.resolved_date

date-time

No

Date when the object was removed from the infrastructure.

object.resolution.reason

string

No

Reason for resolution.

Algorithm

"Algorithm: <NAME>"

"Algorithm: ECC-BRAINPOOL-P224R1"

X.509 Certificate

"Certificate: <subject_cn>-<key_algo>-<sig_algo>"

"Certificate: AGSclient1902-ECC-ECDSA-SHA256"

Cryptographic Key

"Key: <type>-<ALGORITHM>-<size>"

"Key: private-RSA-2048", "Key: private-ECC-256"

Keystore

"Keystore: <type>"

"Keystore: file-pfx"

Cryptographic Token

"JWT Token: <name>-<algorithm>"

"JWT Token: Jane Doe-HS256"

Cryptographic Library

"Library: <name>"

"Library: bearssl"

Cryptographic Protocol

(object block not present for protocol documents)

—

DB

(object block not present for db documents)

—

observation.sensor.type

string

Yes

Sensor type, e.g. "Host Filesystem", "GIT Repository", "Network Sensor", "File Upload", "MSSQL Database Sensor"

observation.sensor.name

string

Yes

Sensor display name. Typically mirrors type.

observation.sensor.sid

string

Yes

Sensor ID. Default "" if not applicable.

observation.sensor.eid

string

Yes

Execution ID for this sensor run. Default "" if not applicable.

observation.sensor.msg_sequence

integer

No

Message sequence number within this execution.

observation.sensor.exec_type

string

No

How the sensor was executed. Enum: "Platform", "API", "Remote".

observation.source.type

string

Yes

Type of source system. See observation.source.type enum.

observation.source.name

string

Conditional

Unique name of the source (hostname, repo URL, filename). Required when ip is not present.

observation.source.ip

string (IP)

Conditional

Source IP address. Required when name is not present.

observation.source.location

string

No

Full unique location of the asset within the infrastructure. Format depends on source type — see Location Format table below.

observation.source.location_short

string

No

Display-friendly short version of the location.

observation.source.branch

string

No

Repository branch where the asset was found. GIT sources only.

observation.source.uid

string

No

Unique ID assigned to this object by the source system.

observation.source.port

integer

No

Port number. Network and protocol sources only.

observation.source.os

string

No

Operating system of the machine where the asset was found. Host-based sensors only.

observation.source.client_ip

string (IP)

No

Client IP. Used for network sniffing where the sensor is not the client.

observation.source.interface_ip

array[IP]

No

Network interface IPs of the source machine.

observation.source.interface_ip_type

string

No

Whether the interface IPs are "Private" or "Public".

observation.source.process

string

No

Process name where the asset was found. Network sources only.

observation.source.app_name

string

No

Application name. SSH protocol sources only, e.g., "SSH-2.0-OpenSSH_10.2"

observation.source.host

string

No

Hostname. Network sources only.

observation.source.hash

string

No

SHA256 hash of the source file. File Upload sources only.

observation.source.start

object

No

Start position in source code: { line, col, offset }. Source Code Repository only.

observation.source.end

object

No

End position in source code: { line, col, offset }. Source Code Repository only.

observation.source.snippet

string

No

Code snippet where the asset appears. Source Code Repository only.

Host

"<hostname>:file://<absolute_path>"

"<absolute_path>"

Source Code Repository

"<repo_url>:<branch>:<relative_path>/"

"<relative_path>"

Network

"<host>:<port>/<process>"

"network://<process>:<port>"

File Upload

Full storage URL (e.g. S3 URL)

Filename only

observation.file.path

string

Yes

Absolute file path. No file:// prefix.

observation.file.name

string

Yes

Filename including extension. e.g. "root.pem"

observation.file.directory

string

Yes

Directory path of the file. No file:// prefix.

observation.file.extension

string

Yes

File extension without dot, e.g., "pem", "p12", "txt"

observation.file.size

integer

Yes

File size in bytes. Must be ≥ 0.

observation.file.in_archive

boolean

No

Whether this file is inside an archive. Default false.

observation.file.offset

integer

No

Byte offset within the file where the asset starts.

observation.file.type

string

No

File type enriched by the backend, e.g., "Crypto", "Library", "Config", "Source"

observation.file.owner

string

No

File owner username.

observation.file.path_type

string

No

Semantic path type, e.g., "ssh_server_keys", "ssh_authorized_keys"

observation.file.hash_sha256

string

No

SHA256 hash of the file contents. Lowercase hex, 64 chars.

observation.file.created

date-time

No

File creation time. Use "1970-01-01T00:00:00Z" when unavailable.

observation.file.modified

date-time

No

Last modification time.

observation.file.access

date-time

No

Last access time.

observation.file.permissions

object

No

POSIX permissions. Contains owner, group, and other sub-objects, each with name (string), rights (array of strings), value (string).

observation.file.acl

object

No

Access Control List entries keyed by entity type. Each entry is an array of { name, value, rights[] }. Omit if empty.

observation.file.metadata

object

No

Additional file metadata. Not mapped in OpenSearch.

observation.file.archive

object

No

When the file is inside an archive: { path, name, directory, extension, type }. All five fields required if present.

crypto.algorithm.name

string

Yes

Algorithm name. Lowercase with - as space separator, e.g., "rsa", "aes", "ecdsa", "sha2-256", "ecc-brainpool-p224r1"

crypto.algorithm.function

string

Yes

Primary cryptographic function of the algorithm. See algorithm.function enum.

crypto.algorithm.type

string

Yes

Cryptosystem classification. See common.cryptosystem_type enum.

crypto.algorithm.purpose

string

No

Whether this is a "usage" or "implementation" instance.

crypto.algorithm.fingerprint_sha256

string

Yes

SHA256 fingerprint of the algorithm object. Lowercase hex, 64 chars.

crypto.algorithm.oid

string

No

OID of the algorithm.

crypto.algorithm.application_context

string

No

Operational context where this algorithm is used. See algorithm.application_context enum.

crypto.algorithm.parameters

object

No

Algorithm parameters. May contain: key_size, feedback_size, block_size, mode, curve, padding, digest_size, digest, cipher, parameter_set, pbkdf2_count, salt_size, bcrypt_cost.

crypto.algorithm.library_name

string

No

Name of the library implementing this algorithm.

crypto.algorithm.library_language

string

No

Programming language of the implementing library.

crypto.x509.fingerprint_sha256

string

Yes

SHA256 fingerprint of the certificate. Lowercase hex, 64 chars.

crypto.x509.fingerprint_sha1

string

Yes

SHA1 fingerprint of the certificate. Lowercase hex, 40 chars.

crypto.x509.self_signed

boolean

Yes

true if the certificate is self-signed.

crypto.x509.serial_number

string

Yes

Certificate serial number. Uppercase hex, no separators, e.g., "FFBDE2D9BCA94AED"

crypto.x509.signature_algorithm

string

Yes

Signature algorithm in normalized uppercase form, e.g., "ECDSA-SHA256", "SHA256WithRSAEncryption"

crypto.x509.signature_value

string

No

Raw signature bytes. Uppercase hex.

crypto.x509.subject

object

Yes

Certificate subject. See Subject / Issuer fields.

crypto.x509.issuer

object

Yes

Certificate issuer. See Subject / Issuer fields.

crypto.x509.public_key

key object

Yes

The subject public key. Has the same structure as crypto.key.

crypto.x509.exp

date-time

Yes

Certificate expiry (notAfter).

crypto.x509.nbf

date-time

No

Certificate valid-from (notBefore).

crypto.x509.version

integer

No

X.509 version. Typically 3.

crypto.x509.usage

string

No

Calculated certificate usage. Enum: "CA", "Intermediate CA", "End-Entity".

crypto.x509.usage_details

array[string]

No

Detailed usage. Values: "URL", "Timestamp", "OCSP", "Code Signing".

crypto.x509.extensions

object

No

Parsed certificate extensions. See Extensions.

common_name

CN

Common name

organization

O

Organization name

organizational_unit

OU

Organizational unit

locality

L

Locality or city

state_or_province

S

State or province

country

C

Two-letter country code

basic_constraints

2.5.29.19

oid, ca (bool), critical

path_length (int)

key_usage

2.5.29.15

oid, value (string[]), critical

—

extended_key_usage

2.5.29.37

oid, value (string[]), critical

—

subject_alternative_name

2.5.29.17

oid, value (string[]), critical

—

issuer_alternative_name

2.5.29.18

oid, value (string[]), critical

—

authority_key_identifier

2.5.29.35

oid, critical

key_identifier (hex), authority_cert_issuer (string[]), authority_cert_serial_number (string)

subject_key_identifier

2.5.29.14

oid, value (hex), critical

—

custom

any

—

Array of { oid, value[] } for unknown/unsupported extensions

crypto.key.algorithm

string

Yes

Key algorithm. Uppercase, e.g., "RSA", "ECC", "AES"

crypto.key.type

string

Yes

Key type. Enum: "public", "private", "secret", "unknown", ""

crypto.key.classification

string

Yes

Cryptographic classification. Enum: "asymmetric", "symmetric", "unknown", ""

crypto.key.size

integer

Yes

Key size in bits, e.g., 256, 2048, 4096

crypto.key.format

string

Yes

Key encoding format, e.g., "pem", "ssh", "der", "hsm", "azkeys"

crypto.key.fingerprint_sha256

string

Yes

SHA256 fingerprint of the key. Lowercase hex, 64 chars.

crypto.key.is_encrypted

boolean

Yes

Whether the key is encrypted at rest.

crypto.key.ecc

object

No

ECC-specific parameters. Fields: curve (OID string), x (uppercase hex), y(uppercase hex), Gx (uppercase hex), Gy (uppercase hex).

crypto.key.rsa

object

No

RSA-specific parameters. Fields: modulus (uppercase hex), public_exponent(uppercase hex).

crypto.key.dsa

object

No

DSA-specific parameters. Fields: p (string), q (string).

crypto.key.meta

object

No

Extra metadata from third-party vaults or HSMs. See Key Meta fields below.

meta.state

string

Key lifecycle state. Enum: "pre-activation", "active", "suspended", "deactivated", "compromised", "destroyed"

meta.operations

array[string]

Permitted operations. Values: "sign", "verify", "encrypt", "decrypt", "wrap", "unwrap", "agreement", "derive", "encapsulate", "decapsulate"

meta.attributes

array[string]

Additional attributes applied to the key.

meta.iat

date-time

Key creation time.

meta.updated

date-time

Last update time.

meta.exp

date-time

Key expiry time.

meta.nbf

date-time

Key valid-from time.

meta.tags

object

Free-form tags. Not mapped in OpenSearch.

crypto.keystore.type

string

Yes

Keystore type, in <source>-<format> format, e.g., "file-pfx", "file-jks", "file-openssh", "file-putty"

crypto.token.algorithm

string

Yes

Signing or encryption algorithm, e.g., "HS256", "RS256", "ES256"

crypto.token.type

string

Yes

Token type. Enum: "JWT", "JWE", ""

crypto.token.subtype

string

Yes

Token subtype. Enum: "Static Token", "Automated App Token"

crypto.token.fingerprint_sha256

string

Yes

SHA256 fingerprint of the token. Lowercase hex, 64 chars.

crypto.token.fingerprint_sha1

string

No

SHA1 fingerprint of the token. Lowercase hex, 40 chars.

crypto.token.header

object

Yes

Token header. Must contain either (alg + enc) or (alg + typ). Additional fields allowed.

crypto.token.header.alg

string

Yes

Signing algorithm declared in the header.

crypto.token.header.typ

string

Conditional

Token type ("JWT"). Required if enc is absent.

crypto.token.header.enc

string

Conditional

Encryption algorithm (JWE). Required if typ is absent.

crypto.token.payload

object

Yes

Token payload.

crypto.token.payload.iss

string

No

Issuer (RFC 7519).

crypto.token.payload.sub

string

No

Subject (RFC 7519).

crypto.token.payload.aud

string

No

Audience (RFC 7519).

crypto.token.payload.exp

date-time

No

Expiration time (RFC 7519).

crypto.token.payload.nbf

date-time

No

Not before (RFC 7519).

crypto.token.payload.iat

date-time

No

Issued at (RFC 7519).

crypto.token.payload.jti

string

No

JWT ID (RFC 7519).

crypto.token.payload.other

object

No

All non-RFC 7519 payload fields. e.g. email, roles, tenant_id, scope, nonce, custom claims. Free-form.

crypto.library.name

string

Yes

Library name. Lowercase, e.g.,"openssl", "bearssl", "mbedtls", "botan", "cryptopp"

crypto.library.version

string

Yes

Library version. Underscore-separated, e.g., "1_1_1", "3_0_0". Use "" if unknown.

crypto.library.semantic_version

string

No

Semantic version extracted from version. Pattern: \d+\.\d+\.\d+. e.g. "1.1.1"

crypto.library.language

string

No

Programming language of the library.

crypto.library.system

string

No

Operating system or platform.

crypto.protocol.name

string

Yes

Protocol name, e.g., "TLS", "SSH"

crypto.protocol.ciphers

array[string]

Yes

List of cipher suites supported.

crypto.protocol.version

array[string]

No

Protocol version(s), e.g., ["TLSv1.2"], ["SSHv2.0"]

crypto.protocol.macs

array[string]

No

MAC algorithms. SSH only.

crypto.protocol.kex_algorithms

array[string]

No

Key exchange algorithms.

crypto.protocol.host_key_algorithms

array[string]

No

Host key algorithms. SSH only.

crypto.protocol.negotiated_protocol

string

No

The actually negotiated protocol version. Default "".

crypto.db.encryption

object

No

Details of the database encryption. See Encryption fields below.

crypto.db.x509

x509 object

No

Certificate used to protect the database encryption key. Has the same structure as crypto.x509.

encryption.algorithm

string

Yes

Encryption algorithm, e.g., "AES-256"

encryption.db_name

string

Yes

Name of the encrypted database.

encryption.method

string

No

Encryption method, e.g., "TDE"

encryption.dek_created

date-time

No

When the Data Encryption Key was created.

encryption.protector_type

string

No

Type of key protector, e.g., "CERTIFICATE"

encryption.protector_fingerprint

string

No

Fingerprint of the key protector. Lowercase hex.

encryption.status

string

No

Encryption status, e.g., "ENCRYPTED"

analysis.policy.init

boolean

Yes

Whether the policy has been initialized for this object.

analysis.policy.init_version

integer

Yes

Policy initialization version. e.g. 30500 for schema 3_5_0.

analysis.policy.flag

array[string]

Yes

Policy flags triggered for this finding. See analysis.policy.flag enum.

analysis.policy.cve

array[string]

Yes

CVE IDs related to this finding. Empty array if none.

analysis.policy.score_value

number

Yes

Combined cryptographic score (0–10). 0=Compliant, 1–4=Low, 5–7=Medium, 8–10=High.

analysis.policy.priority_score

number

Yes

Relevancy / priority of the finding (0–3). 0=Out-of-Scope, 1=Low, 2=Potentially Relevant, 3=Relevant.

analysis.policy.severity_score

number

Yes

Technical severity (0–3). 0=No Severity, 1=Low, 2=Medium, 3=High.

analysis.policy.severity

object

Yes

Map of { "<flag_name>": <severity_score_int> } for each triggered flag.

analysis.policy.recommendation

string

No

Human-readable remediation guidance.

analysis.policy_pqc.priority_score

number

Yes

PQC relevancy score (0–3). Same scale as policy.priority_score.

analysis.policy_pqc.severity_score

number

Yes

PQC technical severity. 0=Quantum-Safe, 1=Extremely Resistant, 2=Highly Resistant, 8=Highly Vulnerable, 9=Severely Vulnerable, 10=Insecure.

analysis.policy_pqc.algorithm

string

No

The algorithm being assessed, e.g., "rsa", "ecc", "ml-dsa"

analysis.policy_pqc.description

string

No

Human-readable PQC assessment description.

analysis.policy_pqc.flag

array[string]

No

PQC vulnerability flags. See analysis.policy_pqc.flag enum.

analysis.policy_pqc.is_pqc_algorithm

boolean

No

Whether the algorithm is post-quantum safe.

analysis.policy_pqc.key_size

integer

No

Key size in bits used for quantum vulnerability assessment.

analysis.policy_pqc.logical_qbits_required

integer

No

Estimated number of logical qubits a quantum computer would need to break this object.

analysis.cryptography.type

string

Yes

Underlying crypto system type: "symmetric", "asymmetric", "digest", "mixed", "".

analysis.cryptography.algorithms

array[string]

Yes

Names of the algorithms in use.

analysis.cryptography.pq_types

string

Yes

Post-quantum type of the weakest underlying algorithm. See common.cryptosystem_type enum.

analysis.cryptography.mathematical_basis

string

No

Mathematical foundation. See algorithm.mathematical_basisenum.

analysis.cryptography.security_strength

integer

No

Classical security strength in bits, e.g., 128, 256.

analysis.cryptography.quantum_security_strength

integer

No

Quantum security strength in bits.

analysis.cryptography.nist_security_level

integer

No

NIST security level (1–5).

analysis.priority.is_high_priority_location

boolean

True = This finding is at a high-priority location.

analysis.priority.is_high_priority_object

boolean

True = This finding is a high-priority object type.

analysis.priority.is_low_priority_location

boolean

True = This finding is at a low-priority location.

analysis.priority.is_low_priority_object

boolean

True = This finding is a low-priority object type.

analysis.priority.priority

object

Priority details object.

analysis.correlation.public_key

string

SHA256 fingerprint of the correlated public key (used to link private keys to their certificates).

analysis.issuer.is_known

boolean

Whether the certificate issuer is a known/trusted CA.

analysis.issuer.is_corporate

boolean

Whether the certificate issuer is a corporate CA.

analysis.subject.is_known

boolean

Whether the certificate subject is a known entity.

analysis.subject.is_corporate

boolean

Whether the certificate subject is a corporate entity.

analysis.vendor.is_known

boolean

Whether the vendor is known.

analysis.vendor.is_corporate

boolean

Whether the vendor is a corporate entity.

analysis.deduplication.has_duplicate_file

boolean

Whether another finding exists with the same file hash or location.

analysis.is_shortlived

boolean

Whether the certificate validity period is under 90 days (exp - nbf < 90 days).

labels

array

No

Scan-level custom metadata. Array of { key: string, value: string } objects.

custom

object

Yes

Custom sensor-specific fields. Free-form. Can be used for OpenSearch visualization.

_unmapped

object

No

Catch-all for fields with no mapping in the schema (e.g., database metadata in DB documents).

transport

array

No

Raw payload used for sensor-to-Unified-Sensor transport. Each item has the format: { data: string, type: "x509"|"db"|"key", format: string }. Dropped before storage.

date-time

ISO 8601 UTC

Ends with Z. No milliseconds.

"2026-03-28T22:53:12Z"

fingerprint_sha256

Lowercase hex

^[a-f0-9]{64}$, 64 chars

"98ae1479...a30132"

fingerprint_sha1

Lowercase hex

^[a-f0-9]{40}$, 40 chars

"fa284b81...373ba"

hex (key params, signature)

Uppercase hex

^[A-F0-9]+$

"D3FFE2E2...CBFF"

IP

String

^[0-9a-fA-F.:]+$

"10.0.1.12", "::1"

base64

Standard base64

^[a-zA-Z0-9+/=]+$

—

"2026-03-28T22:54:18.279804541+00:00"

"2026-03-28T22:54:18Z"

"1970-01-01T00:00:00.000+0000"

"1970-01-01T00:00:00Z"

"2023-08-29T21:01:18.000+0000"

"2023-08-29T21:01:18Z"

object.fingerprint, object.uid

Lowercase

crypto.key.fingerprint_sha256

Lowercase

crypto.x509.fingerprint_sha256, fingerprint_sha1

Lowercase

crypto.db.encryption.protector_fingerprint

Lowercase

observation.file.hash_sha256

Lowercase

crypto.x509.serial_number

Uppercase

crypto.x509.signature_value

Uppercase

RSA modulus, public_exponent

Uppercase

ECC x, y, Gx, Gy

Uppercase