Palo Alto XDR & Cortex XSIAM Integration
Deploy TYCHON Quantum Readiness via XDR agents with Cortex XSIAM SIEM integration
Deploy TYCHON Quantum Readiness via XDR agents with Cortex XSIAM SIEM integration
TYCHON Quantum Readiness integrates seamlessly with Palo Alto Cortex XDR for deployment and execution, streaming cryptographic asset data directly to Cortex XSIAM for advanced threat detection and compliance monitoring.
Remote execution via XDR Live Terminal and script management
Native HTTP Event Collector integration for real-time data streaming
Advanced XQL queries for crypto security analysis
Execute TYCHON Quantum Readiness directly on endpoints via XDR Live Terminal for immediate cryptographic assessment:
# XDR Live Terminal - Windows Execution
# Execute comprehensive crypto scan with XSIAM streaming
# Navigate to TYCHON installation directory
cd "C:\Program Files\TYCHON"
# Execute with XSIAM integration
.\certscanner-windows-amd64.exe -mode local `
-scanfilesystem -scanmemory -scanconnected `
-outputformat flatndjson `
-posttoxsiam `
-xsiamurl "https://api-.xdr.us.paloaltonetworks.com" `
-xsiamtoken "YOUR_COLLECTOR_TOKEN" `
-tags "xdr-deployment,endpoint-scan,compliance"
# Alternative: Stream to file for XDR collection
.\certscanner-windows-amd64.exe -mode local `
-scanfilesystem -scanmemory -scanconnected `
-outputformat flatndjson `
-output "C:\ProgramData\TYCHON\crypto-scan-results.ndjson" # XDR Live Terminal - Linux Execution
# Execute comprehensive crypto scan with XSIAM streaming
# Navigate to TYCHON installation directory
cd /opt/tychon
# Execute with XSIAM integration
./certscanner-linux-x64 -mode local \
-scanfilesystem -scanmemory -scanconnected \
-outputformat flatndjson \
-posttoxsiam \
-xsiamurl "https://api-.xdr.us.paloaltonetworks.com" \
-xsiamtoken "$XSIAM_TOKEN" \
-tags "xdr-deployment,endpoint-scan,linux"
# Alternative: Stream to file for XDR collection
./certscanner-linux-x64 -mode local \
-scanfilesystem -scanmemory -scanconnected \
-outputformat flatndjson \
-output "/var/log/tychon/crypto-scan-results.ndjson" # XDR Live Terminal - macOS Execution
# Execute comprehensive crypto scan with XSIAM streaming
# Navigate to TYCHON installation directory
cd /opt/tychon
# Intel Macs
./certscanner-darwin-amd64 -mode local \
-scanfilesystem -scanconnected \
-outputformat flatndjson \
-posttoxsiam \
-xsiamurl "https://api-.xdr.us.paloaltonetworks.com" \
-xsiamtoken "$XSIAM_TOKEN" \
-tags "xdr-deployment,endpoint-scan,macos-intel"
# Apple Silicon Macs
./certscanner-darwin-arm64 -mode local \
-scanfilesystem -scanconnected \
-outputformat flatndjson \
-posttoxsiam \
-xsiamurl "https://api-.xdr.us.paloaltonetworks.com" \
-xsiamtoken "$XSIAM_TOKEN" \
-tags "xdr-deployment,endpoint-scan,macos-arm" Deploy TYCHON Quantum Readiness as a managed script for automated execution across your endpoint fleet:
# TYCHON Quantum Readiness - XDR Managed Script
# Deploys and executes crypto scanning with Cortex XSIAM integration
param(
[string]$XSIAMUrl = $env:XSIAM_URL,
[string]$XSIAMToken = $env:XSIAM_TOKEN,
[string]$ScanMode = "comprehensive"
)
$ErrorActionPreference = "Stop"
$TychonPath = "C:\Program Files\TYCHON"
$BinaryPath = "$TychonPath\certscanner-windows-amd64.exe"
$LogPath = "C:\ProgramData\TYCHON\Logs"
# Ensure log directory exists
New-Item -ItemType Directory -Path $LogPath -Force | Out-Null
function Write-Log {
param([string]$Message)
$Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
$LogEntry = "[$Timestamp] $Message"
Write-Host $LogEntry
Add-Content -Path "$LogPath\xdr-execution.log" -Value $LogEntry
}
try {
Write-Log "Starting TYCHON Quantum Readiness execution via XDR..."
Write-Log "Endpoint: $env:COMPUTERNAME"
Write-Log "Scan Mode: $ScanMode"
# Verify TYCHON binary exists
if (-not (Test-Path $BinaryPath)) {
Write-Log "ERROR: TYCHON binary not found at $BinaryPath"
Write-Log "Please deploy TYCHON Quantum Readiness using XDR file distribution"
exit 1
}
# Verify XSIAM connectivity
if ([string]::IsNullOrEmpty($XSIAMUrl) -or [string]::IsNullOrEmpty($XSIAMToken)) {
Write-Log "WARNING: XSIAM credentials not provided, will output to file"
$UseXSIAM = $false
} else {
Write-Log "XSIAM integration enabled: $XSIAMUrl"
$UseXSIAM = $true
}
# Build scan arguments based on mode
$ScanArgs = @("-mode", "local", "-outputformat", "flatndjson")
switch ($ScanMode) {
"quick" {
$ScanArgs += @("-scanconnected", "-tags", "xdr,quick-scan,$env:COMPUTERNAME")
}
"comprehensive" {
$ScanArgs += @(
"-scanfilesystem", "-scanmemory", "-scanconnected",
"-scanoutlookarchives", "-detect-vpn-clients",
"-tags", "xdr,comprehensive,$env:COMPUTERNAME"
)
}
"compliance" {
$ScanArgs += @(
"-scanfilesystem", "-scanconnected",
"-tags", "xdr,compliance,$env:COMPUTERNAME"
)
}
}
# Add XSIAM integration if available
if ($UseXSIAM) {
$ScanArgs += @("-posttoxsiam", "-xsiamurl", $XSIAMUrl, "-xsiamtoken", $XSIAMToken)
} else {
$OutputFile = "$LogPath\crypto-results-$(Get-Date -Format 'yyyyMMdd-HHmmss').ndjson"
$ScanArgs += @("-output", $OutputFile)
}
Write-Log "Executing crypto scan..."
$StartTime = Get-Date
& $BinaryPath $ScanArgs
$Duration = (Get-Date) - $StartTime
if ($LASTEXITCODE -eq 0) {
Write-Log "SUCCESS: Crypto scan completed in $($Duration.TotalSeconds) seconds"
if ($UseXSIAM) {
Write-Log "Results streamed to Cortex XSIAM"
} else {
Write-Log "Results saved to: $OutputFile"
}
exit 0
} else {
Write-Log "ERROR: Scan failed with exit code $LASTEXITCODE"
exit $LASTEXITCODE
}
} catch {
Write-Log "ERROR: $($_.Exception.Message)"
Write-Log "Stack Trace: $($_.ScriptStackTrace)"
exit 1
}
tychon-xdr-scan.ps1XSIAMUrl: Your Cortex XSIAM API endpointXSIAMToken: HTTP Event Collector tokenScanMode: quick, comprehensive, or complianceDeploy TYCHON Quantum Readiness binaries and configure automated execution via XDR Agent Configuration Profiles:
{
"profile_name": "TYCHON_Crypto_Monitoring",
"description": "Automated cryptographic asset discovery and monitoring",
"os_type": ["WINDOWS", "LINUX", "MAC"],
"deployment": {
"binary_distribution": {
"source": "https://your-cdn.com/tychon-binaries/",
"windows": {
"path": "C:\\Program Files\\TYCHON\\certscanner-windows-amd64.exe",
"hash_sha256": "YOUR_BINARY_HASH"
},
"linux": {
"path": "/opt/tychon/certscanner-linux-x64",
"hash_sha256": "YOUR_BINARY_HASH"
},
"macos": {
"intel_path": "/opt/tychon/certscanner-darwin-amd64",
"arm_path": "/opt/tychon/certscanner-darwin-arm64",
"hash_sha256": "YOUR_BINARY_HASH"
}
},
"scheduled_execution": {
"enabled": true,
"schedule": "0 */6 * * *", // Every 6 hours
"command_windows": "C:\\Program Files\\TYCHON\\certscanner-windows-amd64.exe -mode local -scanfilesystem -scanmemory -posttoxsiam -xsiamurl {{XSIAM_URL}} -xsiamtoken {{XSIAM_TOKEN}}",
"command_linux": "/opt/tychon/certscanner-linux-x64 -mode local -scanfilesystem -scanmemory -posttoxsiam -xsiamurl {{XSIAM_URL}} -xsiamtoken {{XSIAM_TOKEN}}",
"command_macos": "/opt/tychon/certscanner-darwin-{{ARCH}} -mode local -scanfilesystem -posttoxsiam -xsiamurl {{XSIAM_URL}} -xsiamtoken {{XSIAM_TOKEN}}"
}
},
"xsiam_integration": {
"enabled": true,
"api_endpoint": "https://api-{{TENANT}}.xdr.us.paloaltonetworks.com/logs/v1/event",
"collector_token": "{{XSIAM_COLLECTOR_TOKEN}}",
"dataset": "tychon_crypto_assets"
}
}{
"collector_name": "tychon_crypto_collector",
"dataset_name": "tychon_crypto_assets",
"endpoint_url": "https://api-.xdr.us.paloaltonetworks.com/logs/v1/event",
"authentication": {
"type": "bearer_token",
"token": "YOUR_COLLECTOR_TOKEN_HERE"
},
"data_format": {
"type": "ndjson",
"timestamp_field": "@timestamp",
"timestamp_format": "ISO8601"
},
"field_mappings": {
"observer.hostname": "endpoint_name",
"host.ip": "endpoint_ip",
"tls.cipher": "cipher_suite",
"tls.certificate.subject": "certificate_subject",
"pqc.vulnerable": "pqc_vulnerable"
}
} TYCHON Quantum Readiness provides native Cortex XSIAM integration through command-line switches:
| Switch | Description | Example |
|---|---|---|
| -posttoxsiam | Enable posting scan results to Cortex XSIAM | -posttoxsiam |
| -xsiamurl | XSIAM API endpoint URL (required) | -xsiamurl "https://api-tenant.xdr.us.paloaltonetworks.com" |
| -xsiamtoken | HTTP Event Collector authentication token | -xsiamtoken "YOUR_TOKEN" |
| -xsiamdataset | XSIAM dataset name (optional, default: tychon) | -xsiamdataset "crypto_assets" |
| -insecure | Skip SSL certificate verification | -insecure |
Verify connectivity and data ingestion:
# Test XSIAM connectivity and data ingestion (Windows)
.\certscanner-windows-amd64.exe -host example.com `
-cipherscan `
-posttoxsiam `
-xsiamurl "https://api-.xdr.us.paloaltonetworks.com" `
-xsiamtoken "YOUR_COLLECTOR_TOKEN" `
-xsiamdataset "tychon_crypto_test" `
-tags "test,xsiam-validation"
# Verify in XSIAM XQL Query
# Navigate to XSIAM → Investigation → XQL Search
# Run: dataset = tychon_crypto_test | fields * # Test XSIAM connectivity and data ingestion (Linux)
./certscanner-linux-x64 -host example.com \
-cipherscan \
-posttoxsiam \
-xsiamurl "https://api-.xdr.us.paloaltonetworks.com" \
-xsiamtoken "$XSIAM_TOKEN" \
-xsiamdataset "tychon_crypto_test" \
-tags "test,xsiam-validation"
# Verify in XSIAM XQL Query
# Navigate to XSIAM → Investigation → XQL Search
# Run: dataset = tychon_crypto_test | fields * # Test XSIAM connectivity and data ingestion (macOS Intel)
./certscanner-darwin-amd64 -host example.com \
-cipherscan \
-posttoxsiam \
-xsiamurl "https://api-.xdr.us.paloaltonetworks.com" \
-xsiamtoken "$XSIAM_TOKEN" \
-xsiamdataset "tychon_crypto_test" \
-tags "test,xsiam-validation"
# Test XSIAM connectivity and data ingestion (macOS ARM)
./certscanner-darwin-arm64 -host example.com \
-cipherscan \
-posttoxsiam \
-xsiamurl "https://api-.xdr.us.paloaltonetworks.com" \
-xsiamtoken "$XSIAM_TOKEN" \
-xsiamdataset "tychon_crypto_test" \
-tags "test,xsiam-validation" Use these XQL queries in Cortex XSIAM to analyze cryptographic assets discovered by TYCHON Quantum Readiness:
// Find all post-quantum vulnerable cryptographic assets
dataset = tychon_crypto_assets
| filter pqc.vulnerable = true
| fields @timestamp, observer.hostname, asset_type, tls.cipher, tls.certificate.subject, pqc.reason
| sort desc @timestamp// Aggregate PQC vulnerabilities by endpoint
dataset = tychon_crypto_assets
| filter pqc.vulnerable = true
| comp count() as vulnerability_count by observer.hostname, host.ip
| sort desc vulnerability_count// Analyze quantum readiness scores across endpoints
dataset = tychon_crypto_assets
| filter quantum_readiness.assessment_enabled = true
| fields observer.hostname,
quantum_readiness.total_score,
quantum_readiness.percentage,
quantum_readiness.system_classification
| sort asc quantum_readiness.total_score// Find certificates expiring in the next 90 days
dataset = tychon_crypto_assets
| filter asset_type = "certificate"
| filter tls.certificate.not_after != null
| alter days_until_expiry = timestamp_diff(tls.certificate.not_after, current_time(), "DAY")
| filter days_until_expiry >= 0 and days_until_expiry <= 90
| fields observer.hostname,
tls.certificate.subject,
tls.certificate.not_after,
days_until_expiry
| sort asc days_until_expiry// Identify self-signed certificates across infrastructure
dataset = tychon_crypto_assets
| filter asset_type = "certificate"
| filter tls.certificate.is_self_signed = true
| fields observer.hostname,
server.address,
tls.certificate.subject,
tls.certificate.issuer,
tls.certificate.not_after
| comp count() as self_signed_count by observer.hostname// Find certificates using weak key algorithms
dataset = tychon_crypto_assets
| filter asset_type = "certificate"
| filter crypto.key_algorithm in ("RSA-1024", "DSA", "EC-p192")
or crypto.key_size < 2048
| fields observer.hostname,
tls.certificate.subject,
crypto.key_algorithm,
crypto.key_size,
tls.certificate.not_after
| sort asc crypto.key_size// Detect weak or deprecated cipher suites
dataset = tychon_crypto_assets
| filter asset_type = "cipher"
| filter tls.cipher ~= ".*RC4.*|.*DES.*|.*MD5.*|.*NULL.*|.*EXPORT.*"
or tls.version in ("TLS 1.0", "TLS 1.1", "SSL")
| fields observer.hostname,
server.address,
tls.cipher,
tls.version,
pqc.vulnerable
| comp count() as weak_cipher_count by tls.cipher
| sort desc weak_cipher_count// Analyze TLS version distribution across infrastructure
dataset = tychon_crypto_assets
| filter asset_type = "cipher"
| comp count() as connection_count by tls.version, pqc.vulnerable
| sort desc connection_count// Analyze keystores with vulnerable certificates
dataset = tychon_crypto_assets
| filter asset_type = "keystore"
| filter keystore.stats.pqc_vulnerable_certificates > 0
| fields observer.hostname,
keystore.type,
keystore.path,
keystore.cert_count,
keystore.stats.vulnerable_certificates,
keystore.stats.pqc_vulnerable_certificates
| sort desc keystore.stats.pqc_vulnerable_certificates// Find keystores that couldn't be accessed
dataset = tychon_crypto_assets
| filter asset_type = "keystore"
| filter keystore.accessible = false
| fields observer.hostname,
keystore.type,
keystore.path,
keystore.error_message,
keystore.requires_auth
| comp count() as inaccessible_count by keystore.type// Assess VPN client quantum readiness
dataset = tychon_crypto_assets
| filter asset_type = "vpn_client"
| fields observer.hostname,
vpn_client.name,
vpn_client.version,
vpn_client.vendor,
pqc.ready,
pqc.supported_algorithms
| comp count() as client_count by vpn_client.name, pqc.ready// Analyze IPSec tunnel configurations for PQC vulnerabilities
dataset = tychon_crypto_assets
| filter asset_type = "ipsec_tunnel"
| fields observer.hostname,
ipsec.tunnel_name,
ipsec.encryption_algorithm,
ipsec.integrity_algorithm,
ipsec.dh_group,
pqc.vulnerable
| filter pqc.vulnerable = trueCreate XDR automation rules to trigger TYCHON scans based on security events:
{
"rule_name": "TYCHON_Scan_On_Certificate_Installation",
"description": "Trigger crypto scan when new certificates are installed",
"trigger": {
"event_type": "CERTIFICATE_INSTALLED",
"conditions": [
{
"field": "event.category",
"operator": "in",
"values": ["certificate_installation", "certificate_import"]
}
]
},
"actions": [
{
"type": "run_script",
"script_name": "tychon-xdr-scan.ps1",
"parameters": {
"ScanMode": "quick",
"Target": "{{event.endpoint.hostname}}"
},
"timeout": 300
},
{
"type": "create_incident",
"severity": "info",
"title": "Crypto Asset Discovery Triggered on {{event.endpoint.hostname}}",
"description": "TYCHON scan initiated due to certificate installation activity"
}
]
}Create correlation rules in XSIAM to detect security issues from TYCHON data:
# XSIAM Correlation Rule: PQC Vulnerability in Production
rule_name: "Critical_PQC_Vulnerability_Production"
severity: HIGH
description: "Detects PQC-vulnerable crypto assets in production environments"
query: |
dataset = tychon_crypto_assets
| filter pqc.vulnerable = true
| filter tags contains "production"
| filter asset_type in ("cipher", "certificate", "keystore")
aggregation:
type: threshold
threshold: 1
time_window: 1h
actions:
- type: create_alert
title: "PQC Vulnerability Detected in Production"
description: "{{count}} PQC-vulnerable assets discovered on {{observer.hostname}}"
priority: high
- type: send_email
recipients: ["security-team@company.com"]
subject: "URGENT: Post-Quantum Vulnerable Assets Detected"
- type: trigger_playbook
playbook: "crypto_vulnerability_remediation"# XSIAM Correlation Rule: Certificate Expiration Warning
rule_name: "Certificate_Expiring_Soon"
severity: MEDIUM
description: "Alerts when certificates are expiring within 30 days"
query: |
dataset = tychon_crypto_assets
| filter asset_type = "certificate"
| filter tls.certificate.not_after != null
| alter days_until_expiry = timestamp_diff(tls.certificate.not_after, current_time(), "DAY")
| filter days_until_expiry >= 0 and days_until_expiry <= 30
aggregation:
type: group_by
fields: ["observer.hostname", "tls.certificate.subject"]
time_window: 24h
actions:
- type: create_alert
title: "Certificate Expiring on {{observer.hostname}}"
description: "Certificate {{tls.certificate.subject}} expires in {{days_until_expiry}} days"
priority: medium
- type: create_ticket
system: "ServiceNow"
category: "Certificate Management"
assigned_to: "platform-team"Configure scheduled TYCHON scans via XDR Job Scheduler:
{
"job_name": "TYCHON_Weekly_Comprehensive_Scan",
"description": "Weekly comprehensive crypto asset discovery across all endpoints",
"schedule": {
"type": "recurring",
"frequency": "weekly",
"day_of_week": "sunday",
"time": "02:00",
"timezone": "UTC"
},
"target": {
"endpoint_groups": [
"Production_Servers",
"Corporate_Laptops",
"Database_Servers",
"Web_Servers"
],
"exclusions": [
"Development_Workstations"
]
},
"execution": {
"script": "tychon-xdr-scan.ps1",
"parameters": {
"ScanMode": "comprehensive",
"XSIAMUrl": "https://api-{{TENANT}}.xdr.us.paloaltonetworks.com",
"XSIAMToken": "{{VAULT:XSIAM_TOKEN}}"
},
"timeout": 1800,
"retry_on_failure": true,
"max_retries": 2
},
"notifications": {
"on_completion": ["security-team@company.com"],
"on_failure": ["security-ops@company.com", "platform-team@company.com"]
}
}High-level overview of cryptographic security posture:
# XSIAM Dashboard: Executive Crypto Security Overview
dashboard_name: "Crypto Security Executive Summary"
refresh_interval: 5m
widgets:
- name: "Total Crypto Assets Discovered"
type: "metric"
query: |
dataset = tychon_crypto_assets
| comp count() as total_assets
- name: "PQC Vulnerability Rate"
type: "gauge"
query: |
dataset = tychon_crypto_assets
| comp count_distinct_if(pqc.vulnerable = true) as vulnerable,
count_distinct() as total
| alter vulnerability_rate = (vulnerable / total) * 100
thresholds:
critical: 50
warning: 25
good: 10
- name: "Assets by Type"
type: "pie_chart"
query: |
dataset = tychon_crypto_assets
| comp count() as asset_count by asset_type
| sort desc asset_count
- name: "Quantum Readiness Score Distribution"
type: "histogram"
query: |
dataset = tychon_crypto_assets
| filter quantum_readiness.assessment_enabled = true
| comp count() as endpoint_count by quantum_readiness.system_classification
- name: "Certificates Expiring Soon"
type: "table"
query: |
dataset = tychon_crypto_assets
| filter asset_type = "certificate"
| alter days_until_expiry = timestamp_diff(tls.certificate.not_after, current_time(), "DAY")
| filter days_until_expiry >= 0 and days_until_expiry <= 30
| fields observer.hostname, tls.certificate.subject, days_until_expiry
| sort asc days_until_expiry
| limit 10
- name: "Top Vulnerable Endpoints"
type: "bar_chart"
query: |
dataset = tychon_crypto_assets
| filter pqc.vulnerable = true
| comp count() as vulnerability_count by observer.hostname
| sort desc vulnerability_count
| limit 10Detailed monitoring for security operations teams:
# XSIAM Dashboard: Crypto Security Operations
dashboard_name: "Crypto Security Operations Center"
refresh_interval: 2m
widgets:
- name: "Real-Time Scan Activity"
type: "timeline"
query: |
dataset = tychon_crypto_assets
| filter @timestamp > current_time() - interval 1 hour
| comp count() as scan_events by bin(@timestamp, 5m), observer.hostname
- name: "Weak Cipher Detections"
type: "alert_list"
query: |
dataset = tychon_crypto_assets
| filter asset_type = "cipher"
| filter tls.cipher ~= ".*RC4.*|.*DES.*|.*MD5.*"
| fields @timestamp, observer.hostname, server.address, tls.cipher
| sort desc @timestamp
| limit 20
- name: "Keystore Vulnerability Trends"
type: "line_chart"
query: |
dataset = tychon_crypto_assets
| filter asset_type = "keystore"
| comp sum(keystore.stats.pqc_vulnerable_certificates) as vulnerable_certs
by bin(@timestamp, 1h)
| sort asc @timestamp
- name: "Self-Signed Certificate Inventory"
type: "table"
query: |
dataset = tychon_crypto_assets
| filter tls.certificate.is_self_signed = true
| fields observer.hostname,
server.address,
tls.certificate.subject,
tls.certificate.not_after
| sort asc tls.certificate.not_after
- name: "VPN Client PQC Status"
type: "stacked_bar"
query: |
dataset = tychon_crypto_assets
| filter asset_type = "vpn_client"
| comp count() as client_count by vpn_client.name, pqc.ready
| sort desc client_count
- name: "Geographic Asset Distribution"
type: "map"
query: |
dataset = tychon_crypto_assets
| comp count() as asset_count by host.geo.country_name
| sort desc asset_count