Search API
This guide describes how to use the Keyfactor AgileSec Platform REST API to query cryptographic findings stored in the AgileSec findings database. This guide explains how to authenticate to the API, construct search queries, and interpret response data.
Overview
The Search API allows developers to query cryptographic findings stored in the AgileSec findings database.
Common use cases include identifying high-severity findings, retrieving certificates from specific hosts, and generating compliance summaries across multiple sources.
API Access
Entry Point
Base URL (entry point)
https://<agilesec-platform-url>/searchdb
Authentication
The Search API supports four authentication methods: Basic Auth, mTLS, OAuth 2.0, and JWT. Use whichever matches your OpenSearch configuration.
Username / Password (Basic Auth)
curl \
-u "<username>:<password>" \
-H "Content-Type: application/json" \
-X PUT "https://<agilesec-platform-url>/searchdb/..."
mTLS (Mutual TLS)
curl \
--cert <cert_path> \
--key <key_path> \
--cacert <root_ca_path> \
-H "Content-Type: application/json" \
-X PUT "https://<agilesec-platform-url>/searchdb/..."
OAuth2 Bearer Token
Note: Requires OpenSearch to be configured with an OAuth2 provider. See OpenSearch documentation for setup instructions.
curl \
-H "Authorization: Bearer <your-oauth2-token>" \
-H "Content-Type: application/json" \
-X PUT "https://<agilesec-platform-url>/searchdb/..."
JWT Bearer Token
Follow these steps to obtain a JWT token from the AgileSec Platform UI:
Log in to the AgileSec Analytics platform
Navigate to Access Tokens → Data Access Token

Generate and copy the data access token:

Include the token as a Bearer token in all API requests using the Authorization header:
Authorization: Bearer <your-access-token>
curl Example
Example of executing a query with curl and returning all documents:
curl \
-H "Authorization: Bearer <your-access-token>" \
-H "Content-Type: application/json" \
-X POST "https://<agilesec-platform-url>/searchdb/agilesec.<org-index-prefix>.v3.event-*/_search" \
-d '{"query": {"match_all": {}}}'
Developer UI
You can test queries from the embedded developer UI by going to Advanced Analytics Dashboard → Left Menu → Dev Tools.

API Queries
Search Structure
A Search API call is composed of:
The index to query
The /_search API
Optional parameters like from and size for pagination
The query used to filter events
Simple Search Example
The following search will return the first 200 cryptographic events present within the index agilesec.<org-index-prefix>.v3.event-* without filtering.
From Dev Tools:
GET agilesec.<org-index-prefix>.v3.event-*/_search?from=0&size=200
{
"query": { "match_all": {} }
}
Using curl:
curl "https://<agilesec-platform-url>/searchdb/agilesec.<org-index-prefix>.v3.event-*/_search?from=0&size=200" \
-H "Authorization: Bearer <token>" | jq
Index Name Structure
All index names are prefixed with agilesec followed by the organization domain with dots replaced by underscores, index version, and the event type.
Org domain: kf-agilesec.com
Org index prefix: kf-agilesec_com (replace . with _)
As a result, all indexes follow this pattern: agilesec.<org-index-prefix>.v3.event-<type>
Example org domain | Example index |
|---|---|
|
|
ℹ️ All examples in this guide use <org-index-prefix>. Replace it with your organisation's domain with dots replaced by underscores.
Index Query Example
Run the following query to view the list of all indexes you have access to:
From Dev Tools:
GET /_resolve/index/agilesec.*
Using curl:
curl "https://<agilesec-platform-url>/searchdb/_resolve/index/agilesec.*" \
-H "Authorization: Bearer <token>" | jq
Making API Calls
You can call the API directly from Dev Tools in the Advanced Analytics Dashboard or by using curl.
From Dev Tools:

Using curl:
curl "https://<agilesec-platform-url>/searchdb/agilesec.<org-index-prefix>.v3.event-*/_search?from=0&size=200" \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"query": { "match_all": {} }
}' | jq
Query Fields
All fields present in the AgileSec Analytics index can be used to build queries; see Cryptographic Data Fields Reference.
Response format (high level)
The query returns cryptographic events as JSON in the hits.hits array. Each element in hits.hits includes a _source field containing the event JSON.
{
"took": 10,
"timed_out": false,
"_shards": { "total": 6, "successful": 6, "skipped": 0, "failed": 0 },
"hits": {
"total": { "value": 32, "relation": "eq" },
"max_score": 2.0,
"hits": [
{
"_index": "agilesec.<org-index-prefix>.v3.event-x509",
"_id": "8f6e8fe9868c8049a95d8363eec201d77e9028bf7a757bc2389e19670b842422",
"_score": 2.0,
"_source": { ... }
}
]
}
}
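The index naming, pagination parameters and response layout described above, put together as an added example (not Keyfactor's code): it builds a paginated `_search` request and reduces a response to triage rows. The helper names, the sample response (constructed from field names used in this guide) and the 10,000-document window (OpenSearch's default `index.max_result_window`) are assumptions.

```python
import re

# Assumption: OpenSearch's default index.max_result_window; from + size may not exceed it.
MAX_RESULT_WINDOW = 10_000


def index_pattern(org_domain, event_type="*"):
    """Build agilesec.<org-index-prefix>.v3.event-<type> from an org domain."""
    # The name ends up in the URL path, so accept only plain domain/type characters.
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", org_domain):
        raise ValueError(f"unexpected org domain: {org_domain!r}")
    if not re.fullmatch(r"[a-z0-9]+|\*", event_type):
        raise ValueError(f"unexpected event type: {event_type!r}")
    return f"agilesec.{org_domain.replace('.', '_')}.v3.event-{event_type}"


def page_request(org_domain, event_type, query, page, page_size=200):
    """Return (path, body) for one page of results; page is 0-based."""
    start = page * page_size
    if page < 0 or page_size < 1 or start + page_size > MAX_RESULT_WINDOW:
        raise ValueError("from + size is outside the result window")
    pattern = index_pattern(org_domain, event_type)
    return f"/searchdb/{pattern}/_search?from={start}&size={page_size}", {"query": query}


def _get(doc, dotted, default=None):
    """Read a dotted field path such as 'analysis.policy.flag' from nested dicts."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return default
        doc = doc[part]
    return doc


def triage(response):
    """Reduce a _search response to one row per finding, highest severity first."""
    total = response["hits"]["total"]
    rows = []
    for hit in response["hits"]["hits"]:
        src = hit.get("_source", {})
        rows.append({
            "id": hit["_id"],
            "index": hit["_index"],
            "type": _get(src, "object.type"),
            "summary": _get(src, "object.summary"),
            "source": _get(src, "observation.source.name"),
            # Some event types carry no analysis block, so default both fields.
            "flags": _get(src, "analysis.policy.flag", []),
            "severity_score": _get(src, "analysis.policy.severity_score", 0),
        })
    rows.sort(key=lambda r: r["severity_score"], reverse=True)
    return {
        "total": total["value"],
        # "gte" means the count is a lower bound, not the real number of findings.
        "total_is_lower_bound": total["relation"] == "gte",
        # A timeout or failed shards mean findings may be missing from the result.
        "incomplete": bool(response["timed_out"] or response["_shards"]["failed"]),
        "rows": rows,
    }


# Constructed sample response (IDs, hosts and summaries are made up).
SAMPLE_RESPONSE = {
    "took": 3, "timed_out": False,
    "_shards": {"total": 4, "successful": 4, "skipped": 0, "failed": 0},
    "hits": {
        "total": {"value": 10000, "relation": "gte"},
        "max_score": 1,
        "hits": [
            {"_index": "agilesec.example_com.v3.event-protocol", "_id": "constructed-id-1",
             "_score": 1,
             "_source": {"object": {"type": "Cryptographic Protocol",
                                    "summary": "Protocol: TLSv1.2"},
                         "observation": {"source": {"name": "host-a.example.com"}}}},
            {"_index": "agilesec.example_com.v3.event-x509", "_id": "constructed-id-2",
             "_score": 1,
             "_source": {"object": {"type": "X.509 Certificate",
                                    "summary": "Certificate: constructed"},
                         "observation": {"source": {"name": "host-b.example.com"}},
                         "analysis": {"policy": {
                             "flag": ["certificate_self_signed_end_entity"],
                             "severity_score": 3}}}},
        ],
    },
}

if __name__ == "__main__":
    print(page_request("example.com", "x509", {"match_all": {}}, page=1))
    report = triage(SAMPLE_RESPONSE)
    print(report["total"], report["total_is_lower_bound"], report["incomplete"])
    for row in report["rows"]:
        print(row["severity_score"], row["source"], row["summary"], row["flags"])
```

When `total_is_lower_bound` is true, rerun the search with `track_total_hits=true` (used by the compliance query later in this guide) before reporting a count.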
Example Queries
Get unique sources
This query retrieves the list of unique sources of type Host and Network with a last scan date within the last 30 days.
GET agilesec.<org-index-prefix>.v3.event-*/_search
{
"query": {
"bool": {
"must": [
{ "terms": { "observation.source.type.keyword": ["Host", "Network"] } },
{ "range": { "@timestamp": { "gte": "now-30d" } } }
]
}
},
"aggs": {
"source": {
"terms": { "field": "observation.source.name.keyword", "size": 100000 }
}
},
"_source": false,
"size": 0
}
Compliance issues by sources
This query retrieves the list of unique sources and their related compliance issues. It also filters for findings with a priority score of 2 or higher found within the last 360 days.
POST agilesec.<org-index-prefix>.v3.event-*/_search?track_total_hits=true
{
"query": {
"bool": {
"must": [
{ "term": { "observation.source.type.keyword": "Host" } },
{ "range": { "@timestamp": { "gte": "now-360d" } } },
{ "range": { "analysis.policy.priority_score": { "gte": 2 } } }
]
}
},
"aggs": {
"unique_sources": {
"terms": {
"field": "observation.source.name.keyword",
"order": { "_count": "desc" },
"size": 100
},
"aggs": {
"unique_policy_flags": {
"terms": {
"field": "analysis.policy.flag.keyword",
"order": { "_count": "desc" },
"size": 50
}
}
}
}
},
"size": 0
}
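An added example (not Keyfactor's code) that builds the request body above from parameters and turns the aggregation result into a per-source summary. The guide does not show an aggregation response, so the sample below is constructed in the standard OpenSearch terms-aggregation layout; the helper names and sample values are assumptions.

```python
def compliance_query(source_type="Host", days=360, min_priority=2,
                     max_sources=100, max_flags=50):
    """Request body for the query above; defaults are the values used in this guide.

    Send it to .../_search?track_total_hits=true as shown above.
    """
    return {
        "query": {"bool": {"must": [
            {"term": {"observation.source.type.keyword": source_type}},
            {"range": {"@timestamp": {"gte": f"now-{int(days)}d"}}},
            {"range": {"analysis.policy.priority_score": {"gte": int(min_priority)}}},
        ]}},
        "aggs": {"unique_sources": {
            "terms": {"field": "observation.source.name.keyword",
                      "order": {"_count": "desc"}, "size": max_sources},
            "aggs": {"unique_policy_flags": {
                "terms": {"field": "analysis.policy.flag.keyword",
                          "order": {"_count": "desc"}, "size": max_flags}}},
        }},
        "size": 0,
    }


def issues_by_source(response):
    """Map each source to its finding count and per-flag counts."""
    agg = response["aggregations"]["unique_sources"]
    sources, flags_truncated_for = {}, []
    for bucket in agg["buckets"]:
        flags = bucket["unique_policy_flags"]
        sources[bucket["key"]] = {
            "findings": bucket["doc_count"],
            "flags": {b["key"]: b["doc_count"] for b in flags["buckets"]},
        }
        # Documents that fell outside the returned flag buckets for this source.
        if flags.get("sum_other_doc_count", 0) > 0:
            flags_truncated_for.append(bucket["key"])
    return {
        "matched": response["hits"]["total"]["value"],
        "sources": sources,
        # Non-zero means more sources exist than the terms "size" returned.
        "sources_truncated": agg.get("sum_other_doc_count", 0) > 0,
        "flags_truncated_for": flags_truncated_for,
    }


# Constructed aggregation response (hosts and counts are made up).
SAMPLE_AGG_RESPONSE = {
    "took": 5, "timed_out": False,
    "_shards": {"total": 4, "successful": 4, "skipped": 0, "failed": 0},
    "hits": {"total": {"value": 57, "relation": "eq"}, "max_score": None, "hits": []},
    "aggregations": {"unique_sources": {
        "doc_count_error_upper_bound": 0,
        "sum_other_doc_count": 12,
        "buckets": [
            {"key": "host-a.example.com", "doc_count": 30,
             "unique_policy_flags": {
                 "doc_count_error_upper_bound": 0, "sum_other_doc_count": 0,
                 "buckets": [
                     {"key": "certificate_self_signed_end_entity", "doc_count": 21},
                     {"key": "private_key_in_source_code", "doc_count": 9}]}},
            {"key": "host-b.example.com", "doc_count": 15,
             "unique_policy_flags": {
                 "doc_count_error_upper_bound": 0, "sum_other_doc_count": 0,
                 "buckets": [{"key": "token_expired", "doc_count": 15}]}},
        ],
    }},
}

if __name__ == "__main__":
    summary = issues_by_source(SAMPLE_AGG_RESPONSE)
    for name, info in summary["sources"].items():
        print(name, info["findings"], info["flags"])
    if summary["sources_truncated"]:
        print("more sources exist than were returned; raise the terms size")
```

A summary with `sources_truncated` set covers only the busiest sources, so a source missing from it is not necessarily free of findings.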
Get all certificates
This query matches all X.509 Certificates and returns up to 100 documents.
GET agilesec.<org-index-prefix>.v3.event-x509/_search
{
"query": {
"bool": {
"must": [
{ "term": { "object.type.keyword": "X.509 Certificate" } }
]
}
},
"size": 100
}
Get all certificates, return only selected fields
This query matches all X.509 Certificates and returns up to 100 documents containing only the fields listed under "fields".
GET agilesec.<org-index-prefix>.v3.event-x509/_search
{
"query": {
"bool": {
"must": [
{ "term": { "object.type.keyword": "X.509 Certificate" } }
]
}
},
"fields": [
"crypto.x509.subject.common_name",
"observation.source.name.keyword",
"analysis.policy.flag.keyword"
],
"_source": false,
"size": 100
}
Get high-severity Certificates from a specific host
Returns up to 100 X.509 Certificate findings with a severity score of 3 (high) from a specific host.
GET agilesec.<org-index-prefix>.v3.event-x509/_search
{
"query": {
"bool": {
"must": [
{ "term": { "object.type.keyword": "X.509 Certificate" } },
{ "match": { "analysis.policy.severity_score": 3 } },
{ "match": { "observation.source.name.keyword": "LAPTOP-HS9RI16D" } }
]
}
},
"fields": [
"crypto.x509.subject.common_name",
"observation.source.name.keyword",
"analysis.policy.flag.keyword"
],
"_source": false,
"size": 100
}
Get All End-Entity Certificates with a high severity from a specific host
Returns up to 100 End-Entity X.509 Certificates with a severity score of 3 from a specific host, excluding Code Signing, Timestamp, and OCSP certificates.
GET agilesec.<org-index-prefix>.v3.event-x509/_search
{
"query": {
"bool": {
"must": [
{ "term": { "object.type.keyword": "X.509 Certificate" } },
{ "match": { "analysis.policy.severity_score": 3 } },
{ "match": { "observation.source.name.keyword": "LAPTOP-HS9RI16D" } },
{ "term": { "crypto.x509.usage.keyword": "End-Entity" } }
],
"must_not": [
{ "terms": { "crypto.x509.usage_details": ["Code Signing", "Timestamp", "OCSP"] } }
]
}
},
"fields": [
"crypto.x509.subject.common_name",
"observation.source.name.keyword"
],
"_source": false,
"size": 100
}
Query algorithms list
Returns algorithms matching a given list of algorithm names.
GET agilesec.<org-index-prefix>.v3.event-algorithm/_search?from=0&size=100
{
"query": {
"bool": {
"must": [
{ "terms": { "crypto.algorithm.name.keyword": ["RC2", "SIPHASH", "3DES", "BLOWFISH"] } }
],
"filter": {
"bool": {
"must": [
{ "term": { "object.type.keyword": "Algorithm" } }
]
}
}
}
}
}
Query Results
The platform stores different event types in different indexes, but the response shape is consistent: hits.hits[] contains _source with the full finding document.
X.509 Certificates
{
"took": 1,
"timed_out": false,
"_shards": {
"total": 4,
"successful": 4,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 10000,
"relation": "gte"
},
"max_score": 1,
"hits": [
{
"_index": "agilesec.qa-agilesec_com.v3.event-x509",
"_id": "4210ebb91dee79da14a812649d445cc1bd2bd1f885868609a6caaa96c565d4bb",
"_score": 1,
"_source": {
"@timestamp": "2026-04-01T01:25:01.792807286Z",
"first_found": "2026-03-31T22:30:42.909596076Z",
"observation": {
"file": {
"owner": "User",
"extension": ".pem",
"access": "2026-03-31T22:08:33Z",
"created": "1970-01-01T00:00:00Z",
"archive": {
"path": "big-container-test/latest/sha256__c79564e23c7f19ce5a061dd9a7453779cea48f2c54adb622366af90654fda0e9",
"extension": "",
"name": "sha256__c79564e23c7f19ce5a061dd9a7453779cea48f2c54adb622366af90654fda0e9",
"type": "",
"directory": "big-container-test/latest"
},
"type": "Crypto",
"directory": "app/new_two/certs",
"path": "app/new_two/certs/rsa_cert_test_2229.pem",
"size": 0,
"permissions": {
"owner": {
"rights": [
"read",
"write"
],
"name": "ec2-user",
"value": "1000"
},
"other": {
"rights": [
"read"
],
"name": "other"
},
"group": {
"rights": [
"read"
],
"name": "ec2-user",
"value": "1000"
}
},
"in_archive": true,
"name": "rsa_cert_test_2229.pem",
"modified": "2026-03-31T22:08:33Z"
},
"sensor": {
"eid": "69cc45d459a0dbe3f8f7b634",
"name": "",
"type": "JFROG Artifactory",
"msg_sequence": 815526,
"sid": "69cc45d459a0dbe3f8f7b635"
},
"source": {
"artifact": {
"repo_url": "https://keyfactordev.jfrog.io/artifactory/ali-test-1/",
"package": "ali-test-1",
"name": "sha256__c79564e23c7f19ce5a061dd9a7453779cea48f2c54adb622366af90654fda0e9",
"name_short": "sha256__",
"version": null
},
"location_short": "app/new_two/certs/rsa_cert_test_2229.pem",
"name": "keyfactordev.jfrog.io:ali-test-1",
"location": "keyfactordev.jfrog.io:ali-test-1:app/new_two/certs/rsa_cert_test_2229.pem/big-container-test/latest/sha256__c79564e23c7f19ce5a061dd9a7453779cea48f2c54adb622366af90654fda0e9",
"type": "Artifact Repository"
}
},
"analysis": {
"policy_pqc": {
"priority_score": 0,
"flag": [
"ifp_shor_attack"
],
"logical_qbits_required": 6000,
"description": "Integer Factorization Problem with 2048 key length may be broken with an estimated minimum of 6,000 logical qbits",
"severity_score": 8,
"algorithm": "RSAENCRYPTION",
"key_size": 2048
},
"priority": {
"is_low_priority_location": true,
"priority": {}
},
"policy": {
"severity": {
"certificate_self_signed_end_entity": 3
},
"priority_score": 1,
"init": true,
"init_version": 30500,
"flag": [
"certificate_self_signed_end_entity"
],
"cve": [],
"score_value": 4,
"severity_score": 3
}
},
"version": "3_5_0",
"crypto": {
"x509": {
"public_key": {
"size": 2048,
"is_encrypted": false,
"format": "pem",
"classification": "asymmetric",
"type": "public",
"algorithm": "RSAENCRYPTION",
"fingerprint_sha256": "0000000000000000000000000000000000000000000000000000000000000000"
},
"nbf": "2025-03-18T22:04:16Z",
"fingerprint_sha1": "47c2e588e2e3e04fe4b5e61f1e201201fef87885",
"subject": {
"country": [
"CA"
],
"organization": [
"ISG-2229"
],
"common_name": [
"ISG Certificate Performance test 2229"
],
"organizational_unit": [
"ISG"
]
},
"usage": "End-Entity",
"signature_algorithm": "RSA-SHA256",
"serial_number": "6468C68E31A9487ED868382DD6142CEA4C1DBFC0",
"exp": "2026-03-18T22:04:16Z",
"self_signed": true,
"issuer": {
"country": [
"CA"
],
"organization": [
"ISG-2229"
],
"common_name": [
"ISG Certificate Performance test 2229"
],
"organizational_unit": [
"ISG"
]
},
"fingerprint_sha256": "498259984d9f37d7885c5b3dee336d4a6c896fde85f9993fc2685ff215a25311"
}
},
"object": {
"summary": "Certificate: ISG Certificate Performance test 2229-RSAENCRYPTION-RSA-SHA256",
"uid": "4210ebb91dee79da14a812649d445cc1bd2bd1f885868609a6caaa96c565d4bb",
"subtype": "End-Entity",
"fingerprint": "498259984d9f37d7885c5b3dee336d4a6c896fde85f9993fc2685ff215a25311",
"type": "X.509 Certificate",
"resolution": {
"resolved": false
}
}
}
}
]
}
}
Cryptographic Keys
{
"took": 1,
"timed_out": false,
"_shards": {
"total": 4,
"successful": 4,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 10000,
"relation": "gte"
},
"max_score": 1,
"hits": [
{
"_index": "agilesec.qa-agilesec_com.v3.event-key",
"_id": "6c26ac87ce5460901c2f881f750b9f64b03ce763b9f14b45335e063fef9a154c",
"_score": 1,
"_source": {
"@timestamp": "2026-04-01T01:36:10.758139774Z",
"first_found": "2026-03-31T22:06:29.27102422Z",
"observation": {
"file": {
"hash_sha256": "0f1c2054a21d3d745a296b3d069079648c5dd3c5eb714990ebd3f6d3b71b61b4",
"path": "pkix/src/test/resources/org/bouncycastle/openssl/test/data/rsa/openssl_rsa_des2_ofb.pem",
"extension": "pem",
"size": 0,
"in_archive": false,
"name": "openssl_rsa_des2_ofb.pem",
"type": "Crypto",
"directory": "pkix/src/test/resources/org/bouncycastle/openssl/test/data/rsa"
},
"sensor": {
"eid": "69cc455759a0dbe3f8f7b630",
"name": "",
"type": "GIT Repository",
"msg_sequence": 777,
"sid": "69cc455759a0dbe3f8f7b631"
},
"source": {
"uid": "7591599a1d0737f63362cec2660533e98fe2807a680aba07d03cecdea4974f57",
"location_short": "pkix/src/test/resources/org/bouncycastle/openssl/test/data/rsa/openssl_rsa_des2_ofb.pem",
"name": "https://github.com/tashiscool/bc-fips:master",
"location": "https://github.com/tashiscool/bc-fips:master:pkix/src/test/resources/org/bouncycastle/openssl/test/data/rsa/openssl_rsa_des2_ofb.pem/",
"type": "Source Code Repository",
"repository": {
"name": "bc-fips",
"url": "https://github.com/tashiscool/bc-fips"
},
"branch": "master"
}
},
"analysis": {
"policy_pqc": {
"priority_score": 0,
"flag": [
"ifp_shor_attack"
],
"logical_qbits_required": 6000,
"description": "Integer Factorization Problem with 2048 key length may be broken with an estimated minimum of 6,000 logical qbits",
"severity_score": 8,
"algorithm": "RSA",
"key_size": 2048
},
"deduplication": {
"has_duplicate_file": true
},
"priority": {
"is_low_priority_location": true,
"priority": {}
},
"policy": {
"severity": {
"private_key_in_source_code": 3
},
"priority_score": 1,
"init": true,
"init_version": 30500,
"flag": [
"private_key_in_source_code"
],
"cve": [],
"score_value": 4,
"severity_score": 3
}
},
"version": "3_5_0",
"crypto": {
"key": {
"size": 2048,
"is_encrypted": true,
"format": "pem",
"classification": "asymmetric",
"type": "private",
"algorithm": "RSA",
"fingerprint_sha256": "38e3093933070cf9a6579f3b45ad20846b6351f0465e4ab324cc6b009f63795f"
}
},
"object": {
"summary": "Key: private-RSA-2048",
"uid": "6c26ac87ce5460901c2f881f750b9f64b03ce763b9f14b45335e063fef9a154c",
"subtype": "Private Key",
"fingerprint": "38e3093933070cf9a6579f3b45ad20846b6351f0465e4ab324cc6b009f63795f",
"type": "Cryptographic Key",
"resolution": {
"resolved": false
}
}
}
}
]
}
}
Keystore
{
"took": 0,
"timed_out": false,
"_shards": {
"total": 4,
"successful": 4,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 126,
"relation": "eq"
},
"max_score": 1,
"hits": [
{
"_index": "agilesec.qa-agilesec_com.v3.event-keystore",
"_id": "630ee45d210ce64e2eb57f10a9f77f2addaf31756b4a4844266f4608f059089a",
"_score": 1,
"_source": {
"@timestamp": "2026-04-01T01:42:34.887133265Z",
"first_found": "2026-03-31T22:07:36.023430089Z",
"observation": {
"file": {
"owner": "User",
"extension": "zip",
"access": "2026-03-28T18:41:05Z",
"created": "1970-01-01T00:00:00Z",
"type": "Archive",
"directory": "/home/ec2-user/data-migration-test/isg2x-tests.set/test.crypto.libraries/others",
"hash_sha256": "c64c78f10045d02e9e345ed702c3eb9965caefa9bb152d4e11c68ff91a1b6219",
"path": "/home/ec2-user/data-migration-test/isg2x-tests.set/test.crypto.libraries/others/wolfssl-4.1.0.zip",
"size": 0,
"permissions": {
"owner": {
"rights": [
"read",
"write"
],
"name": "ec2-user",
"value": "1000"
},
"other": {
"rights": [
"read"
],
"name": "other"
},
"group": {
"rights": [
"read"
],
"name": "ec2-user",
"value": "1000"
}
},
"in_archive": false,
"name": "wolfssl-4.1.0.zip",
"modified": "2023-08-29T21:03:51Z"
},
"sensor": {
"eid": "69cc459d59a0dbe3f8f7b632",
"name": "",
"type": "Host Filesystem",
"msg_sequence": 2538,
"sid": "69cc459d59a0dbe3f8f7b633"
},
"source": {
"location_short": "/home/ec2-user/data-migration-test/isg2x-tests.set/test.crypto.libraries/others/wolfssl-4.1.0.zip",
"name": "ip-10-200-110-244.us-east-2.compute.internal",
"location": "ip-10-200-110-244.us-east-2.compute.internal:file://home/ec2-user/data-migration-test/isg2x-tests.set/test.crypto.libraries/others/wolfssl-4.1.0.zip",
"type": "Host"
}
},
"analysis": {
"policy_pqc": {
"priority_score": 0,
"flag": [],
"logical_qbits_required": 0,
"description": "",
"severity_score": 0
},
"priority": {
"is_low_priority_location": true,
"priority": {}
},
"policy": {
"severity": {},
"priority_score": 1,
"init": true,
"init_version": 30500,
"flag": [],
"cve": [],
"score_value": 0,
"severity_score": 0
}
},
"version": "3_5_0",
"crypto": {
"keystore": {
"type": "file-pfx"
}
},
"object": {
"summary": "Keystore: file-pfx",
"uid": "630ee45d210ce64e2eb57f10a9f77f2addaf31756b4a4844266f4608f059089a",
"fingerprint": "f337aef5b94a9d232d077b23360ba9c6070b12ab62409b40717c1956f5ea3a8a",
"type": "Keystore",
"resolution": {
"resolved": false
}
}
}
}
]
}
}
Libraries
{
"took": 0,
"timed_out": false,
"_shards": {
"total": 4,
"successful": 4,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 477,
"relation": "eq"
},
"max_score": 1,
"hits": [
{
"_index": "agilesec.qa-agilesec_com.v3.event-library",
"_id": "f3193cfcb77a3490fe0a6d4e976e2b0c76b28c0874e15a96d69323f2864ddd6b",
"_score": 1,
"_source": {
"@timestamp": "2026-04-01T01:42:35.033414257Z",
"first_found": "2026-03-31T22:07:53.587086927Z",
"observation": {
"file": {
"owner": "User",
"extension": ".class",
"access": "2026-03-28T18:41:05Z",
"created": "1970-01-01T00:00:00Z",
"archive": {
"path": "home/ec2-user/data-migration-test/isg2x-tests.set/test.crypto.libraries/others/bcprov-ext-jdk18on-171.jar",
"extension": ".jar",
"name": "bcprov-ext-jdk18on-171.jar",
"type": "",
"directory": "home/ec2-user/data-migration-test/isg2x-tests.set/test.crypto.libraries/others"
},
"type": "Source",
"directory": "org/bouncycastle/jcajce/provider/asymmetric/x509",
"hash_sha256": "f731befaaf29541f0a1f52f3b1aa66652d66619a939409413eef411340b2eea3",
"path": "org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLObject.class",
"size": 0,
"permissions": {
"owner": {
"rights": [
"read",
"write"
],
"name": "ec2-user",
"value": "1000"
},
"other": {
"rights": [
"read"
],
"name": "other"
},
"group": {
"rights": [
"read"
],
"name": "ec2-user",
"value": "1000"
}
},
"in_archive": true,
"name": "X509CRLObject.class",
"modified": "2023-08-29T21:03:46Z"
},
"sensor": {
"eid": "69cc459d59a0dbe3f8f7b632",
"name": "",
"type": "Host Filesystem",
"msg_sequence": 7567,
"sid": "69cc459d59a0dbe3f8f7b633"
},
"source": {
"location_short": "org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLObject.class!home/ec2-user/data-migration-test/isg2x-tests.set/test.crypto.libraries/others/bcprov-ext-jdk18on-171.jar",
"name": "ip-10-200-110-244.us-east-2.compute.internal",
"location": "ip-10-200-110-244.us-east-2.compute.internal:file:/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLObject.class!home/ec2-user/data-migration-test/isg2x-tests.set/test.crypto.libraries/others/bcprov-ext-jdk18on-171.jar",
"type": "Host"
}
},
"analysis": {
"policy_pqc": {
"priority_score": 0,
"flag": [],
"logical_qbits_required": 0,
"description": "",
"severity_score": 0
},
"deduplication": {
"has_duplicate_file": true
},
"priority": {
"priority": {}
},
"policy": {
"severity": {},
"priority_score": 2,
"init": true,
"init_version": 30500,
"flag": [],
"cve": [],
"score_value": 0,
"severity_score": 0
}
},
"version": "3_5_0",
"crypto": {
"library": {
"name": "jca",
"version": ""
}
},
"object": {
"summary": "Library: jca-",
"uid": "f3193cfcb77a3490fe0a6d4e976e2b0c76b28c0874e15a96d69323f2864ddd6b",
"fingerprint": "4d74898d00e7ffaa1eefa69449e3d37d4d1196c8ce185f7f3d13d45e9e8ed37d",
"type": "Cryptographic Library",
"resolution": {
"resolved": false
}
}
}
}
]
}
}
Algorithm
{
"took": 0,
"timed_out": false,
"_shards": {
"total": 4,
"successful": 4,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 2574,
"relation": "eq"
},
"max_score": 1,
"hits": [
{
"_index": "agilesec.qa-agilesec_com.v3.event-algorithm",
"_id": "b8b16d48bfd2f84442c8874ebc6ee3f32e766c3fd15b8822a47560c0a3987f13",
"_score": 1,
"_source": {
"@timestamp": "2026-04-01T01:42:35.553784815Z",
"first_found": "2026-03-31T22:07:09.93638712Z",
"observation": {
"file": {
"path": "prov/src/test/jdk1.3/org/bouncycastle/jce/provider/test/BCFKSStoreTest.java",
"extension": "java",
"size": 0,
"in_archive": false,
"name": "BCFKSStoreTest.java",
"type": "Source",
"directory": "prov/src/test/jdk1.3/org/bouncycastle/jce/provider/test"
},
"sensor": {
"eid": "69cc455759a0dbe3f8f7b630",
"name": "",
"type": "GIT Repository",
"msg_sequence": 3159,
"sid": "69cc455759a0dbe3f8f7b631"
},
"source": {
"snippet": """new SecretKeySpec(Hex.decode("000102030405060708090a0b0c0d0eff"), "HmacSHA224")""",
"uid": "7591599a1d0737f63362cec2660533e98fe2807a680aba07d03cecdea4974f57",
"location_short": "prov/src/test/jdk1.3/org/bouncycastle/jce/provider/test/BCFKSStoreTest.java",
"name": "https://github.com/tashiscool/bc-fips:master",
"start": {
"col": 36,
"offset": 16087,
"line": 441
},
"rule": "key-creation-spec",
"location": "https://github.com/tashiscool/bc-fips:master:prov/src/test/jdk1.3/org/bouncycastle/jce/provider/test/BCFKSStoreTest.java/",
"type": "Source Code Repository",
"repository": {
"name": "bc-fips",
"url": "https://github.com/tashiscool/bc-fips"
},
"branch": "master"
}
},
"analysis": {
"policy_pqc": {
"priority_score": 0,
"flag": [],
"logical_qbits_required": 0,
"description": "",
"severity_score": 0
},
"priority": {
"is_low_priority_location": true,
"priority": {}
},
"policy": {
"severity": {},
"priority_score": 1,
"init": true,
"init_version": 30500,
"flag": [],
"cve": [],
"score_value": 0,
"severity_score": 0
}
},
"version": "3_5_0",
"crypto": {
"algorithm": {
"library_language": "JAVA",
"function": "",
"name": "HMACSHA224",
"library_name": "STDLIB",
"type": "",
"fingerprint_sha256": "adac2ba463653615944e373868f9192ac42682572ee4804c6e2aa45e39c2646d"
}
},
"object": {
"summary": "Algorithm: HMACSHA224",
"uid": "b8b16d48bfd2f84442c8874ebc6ee3f32e766c3fd15b8822a47560c0a3987f13",
"fingerprint": "adac2ba463653615944e373868f9192ac42682572ee4804c6e2aa45e39c2646d",
"type": "Algorithm",
"resolution": {
"resolved": false
}
}
}
}
]
}
}
Token
{
"took": 0,
"timed_out": false,
"_shards": {
"total": 4,
"successful": 4,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 2,
"relation": "eq"
},
"max_score": 1,
"hits": [
{
"_index": "agilesec.qa-agilesec_com.v3.event-token",
"_id": "980a1f2b19ac95ba5b144110a692a7f380fd19061be028be32473820cd02d966",
"_score": 1,
"_source": {
"@timestamp": "2026-04-01T01:42:34.845723336Z",
"first_found": "2026-03-31T22:14:22.960000767Z",
"observation": {
"file": {
"owner": "User",
"extension": "html",
"access": "2026-03-31T22:14:09Z",
"created": "1970-01-01T00:00:00Z",
"type": "Source",
"directory": "file:",
"hash_sha256": "7d9bb199fe3228c653d4c52a923e0e509ba2fa7d3ea428e99d3a0c9b64a8e25a",
"path": "Auto_gitlab_private_token1.html",
"size": 0,
"permissions": {
"owner": {
"rights": [
"read",
"write"
],
"name": "ec2-user",
"value": "1000"
},
"other": {
"rights": [
"read"
],
"name": "other"
},
"group": {
"rights": [
"read"
],
"name": "ec2-user",
"value": "1000"
}
},
"in_archive": false,
"name": "Auto_gitlab_private_token1.html",
"modified": "2026-01-09T07:28:51Z"
},
"sensor": {
"eid": "69cc4730d884c7a73fd67c15",
"name": "",
"type": "GitHub",
"msg_sequence": 5,
"sid": "69cc4730d884c7a73fd67c16"
},
"source": {
"uid": "0c1c066d497951fbb9d1ed5f6f6f7587b776c2aad80743e9f9de2b4c4a21a854",
"location_short": "Auto_gitlab_private_token1.html",
"name": "https://github.com/trinhdzung-test-org/automation-mix-data-org-private:6-findings",
"location": "https://github.com/trinhdzung-test-org/automation-mix-data-org-private:6-findings:Auto_gitlab_private_token1.html/",
"type": "Host",
"repository": {
"url": "https://github.com/trinhdzung-test-org/automation-mix-data-org-private"
},
"branch": "6-findings"
}
},
"analysis": {
"policy_pqc": {
"priority_score": 0,
"flag": [],
"logical_qbits_required": 0,
"description": "",
"severity_score": 0
},
"priority": {
"is_low_priority_location": true,
"priority": {}
},
"policy": {
"severity": {
"token_expired": 1
},
"priority_score": 1,
"init": true,
"init_version": 30500,
"flag": [
"token_expired"
],
"cve": [],
"score_value": 2,
"severity_score": 1
}
},
"version": "3_5_0",
"crypto": {
"token": {
"fingerprint_sha1": "9bed7abf72316bb027f91e4d5548113fc4cff4bc",
"payload": {
"sub": "user1",
"other": {
"upn": "duke",
"auth_time": 1583830037,
"groups": [
"staff",
"SignServer-users",
"release-managers",
"mailusers"
]
},
"iss": "my-auth-server",
"exp": "2020-03-10T09:03:57Z",
"iat": "2020-03-10T08:47:17Z",
"jti": "42"
},
"subtype": "Static Token",
"header": {
"kid": "jwt.key",
"typ": "JWT",
"alg": "RS256"
},
"type": "JWT",
"algorithm": "RS256",
"fingerprint_sha256": "5d7037fff2cec9c8f61c4f9072654439c671671e1a28bac06a4695f6fe0339e4"
}
},
"object": {
"summary": "JWT Token: duke-RS256",
"uid": "980a1f2b19ac95ba5b144110a692a7f380fd19061be028be32473820cd02d966",
"fingerprint": "5d7037fff2cec9c8f61c4f9072654439c671671e1a28bac06a4695f6fe0339e4",
"type": "Cryptographic Token",
"resolution": {
"resolved": false
}
}
}
}
]
}
}
Protocol
{
"took": 877,
"timed_out": false,
"_shards": {
"total": 4,
"successful": 4,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 2,
"relation": "eq"
},
"max_score": 1,
"hits": [
{
"_index": "agilesec.kf-agilesec_com.v3.event-protocol",
"_id": "98d18c354b05695979df5af206b4a921541441ba4b754a0dad1be668ec2d60b5",
"_score": 1,
"_source": {
"version": "3_5_0",
"object": {
"summary": "Protocol: TLSv1.2",
"uid": "98d18c354b05695979df5af206b4a921541441ba4b754a0dad1be668ec2d60b5",
"fingerprint": "044f2d500a4bd8fb486d01d33418cd749797260a670c87b4923f895b05878ea2",
"type": "Cryptographic Protocol",
"resolution": {
"resolved": false
}
},
"observation": {
"sensor": {
"type": "Host Filesystem",
"name": "Acme Connector",
"sid": "acme-connector-v1",
"eid": "run-20260406-001",
"msg_sequence": 7,
"exec_type": "API"
},
"source": {
"type": "Host",
"name": "corp-server-01.example.com",
"port": 443,
"location": "corp-server-01.example.com:443",
"location_short": "network://:443",
"interface_ip": [
"10.0.0.1"
],
"interface_ip_type": "Private"
}
},
"crypto": {
"protocol": {
"name": "TLS",
"version": [
"TLSv1.2"
],
"ciphers": [
"TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
"TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
"TLS-RSA-WITH-AES-128-CBC-SHA",
"TLS-RSA-WITH-AES-256-CBC-SHA"
],
"kex_algorithms": [
"secp256r1"
],
"negotiated_protocol": ""
}
}
}
}
]
}
}
DB
{
"took": 2,
"timed_out": false,
"_shards": {
"total": 4,
"successful": 4,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 5,
"relation": "eq"
},
"max_score": 1,
"hits": [
{
"_index": "agilesec.kf-agilesec_com.v3.event-db",
"_id": "14943a2354633144f3b32a5fcb378a109a8fa5081470223603ba809b90b0cc39",
"_score": 1,
"_source": {
"@timestamp": "2026-04-07T01:56:50Z",
"first_found": "2026-04-07T01:56:50Z",
"observation": {
"sensor": {
"eid": "69d46462523375b91218d0b0",
"name": "MSSQL Database",
"exec_type": "Platform",
"type": "MSSQL Database",
"msg_sequence": 2,
"sid": "69d4645e523375b91218d08c"
},
"source": {
"database_compatibility_level": 160,
"location_short": "tempdb",
"port": 1433,
"instance_version": "16.0.4225.2",
"ip": "172.184.193.156",
"name": "AGILESEC/qa-test-sql2022",
"location": "db://qa-test-sql2022.AGILESEC/tempdb",
"instance_edition": "Enterprise Edition: Core-based Licensing (64-bit)",
"recovery_model": "SIMPLE",
"type": "Database",
"user": "qasqltest-vm-03"
}
},
"analysis": {
"policy_pqc": {
"priority_score": 0,
"flag": [],
"logical_qbits_required": 0,
"description": "",
"severity_score": 0
},
"priority": {
"priority": {}
},
"policy": {
"severity": {},
"priority_score": 2,
"init": true,
"init_version": 30500,
"flag": [],
"cve": [],
"score_value": -2,
"severity_score": 0
}
},
"version": "3_5_0",
"object": {
"summary": "Encryption: AES-256 for tempdb",
"uid": "14943a2354633144f3b32a5fcb378a109a8fa5081470223603ba809b90b0cc39",
"subtype": "Data-at-Rest Encryption",
"fingerprint": "0000000000000000000000000000000000000000000000000000000000000000",
"type": "Encryption",
"resolution": {
"resolved": false
}
},
"crypto": {
"db": {
"encryption": {
"db_name": "tempdb",
"dek_created": "2026-03-27T07:10:59.457Z",
"method": "TDE",
"protector_type": "ASYMMETRIC KEY",
"protector_fingerprint": "",
"algorithm": "AES-256",
"status": "ENCRYPTED"
}
}
}
}
}
]
}
}