Query Details

Device Detect Invalid Certificates

Query

//Detect invalid certificates

//Data connector required for this query - M365 Defender - Device* tables

DeviceEvents
| where ActionType == "AntivirusReport"
| extend ParsedAdditionalFields = parse_json(AdditionalFields)
| evaluate bag_unpack(ParsedAdditionalFields)
| where Signer startswith "INVALID"

Explanation

This query detects invalid certificates surfaced in antivirus report events. It requires the M365 Defender - Device* tables data connector. It filters the DeviceEvents table for rows with ActionType "AntivirusReport", parses the AdditionalFields column as JSON, and unpacks the resulting property bag into columns with bag_unpack. Finally, it keeps only the rows whose Signer value starts with "INVALID".
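As an added illustration, not part of the original query page, the Python below re-implements the same pipeline over a few constructed DeviceEvents-like rows so each step can be checked offline; it assumes nothing about the real AdditionalFields schema beyond the Signer key the query uses. KQL `startswith` is case-insensitive, so a lower-case "invalid" signer matches as well, and rows whose bag has no Signer key never match.

```python
import json
from typing import Any, Dict, List, Optional

def _row(device: str, action: str, fields: Any) -> Dict[str, Any]:
    """Build one constructed DeviceEvents-like row; fields may be a dict or raw text."""
    return {"DeviceName": device, "ActionType": action,
            "AdditionalFields": json.dumps(fields) if isinstance(fields, dict) else fields}

# Constructed sample rows (not real telemetry); only the columns the query
# touches are modelled.
SAMPLE_DEVICE_EVENTS: List[Dict[str, Any]] = [
    _row("ws01", "AntivirusReport", {"Signer": "INVALID (expired)", "Product": "Defender"}),
    _row("ws02", "AntivirusReport", {"Signer": "Contoso Ltd"}),               # valid signer
    _row("ws03", "AntivirusReport", {"Product": "Defender"}),                 # no Signer key
    _row("ws04", "ProcessCreated", {"Signer": "INVALID"}),                    # wrong ActionType
    _row("ws05", "AntivirusReport", {"Signer": "invalid (untrusted root)"}),  # lower case
    _row("ws06", "AntivirusReport", "not json"),                              # unparsable
]

def parse_json(value: Any) -> Optional[Dict[str, Any]]:
    """Mimic KQL parse_json(): return a property bag, or None if the text is not a JSON object."""
    try:
        parsed = json.loads(value)
    except (TypeError, ValueError):
        return None
    return parsed if isinstance(parsed, dict) else None

def bag_unpack(row: Dict[str, Any], bag: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Mimic evaluate bag_unpack(): promote each key of the bag to a top-level column."""
    unpacked = dict(row)
    if bag:
        unpacked.update(bag)
    return unpacked

def kql_startswith(value: Any, prefix: str) -> bool:
    """KQL `startswith` is case-insensitive (startswith_cs is the case-sensitive form);
    a missing (null) column never matches."""
    return isinstance(value, str) and value.lower().startswith(prefix.lower())

def detect_invalid_certificates(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run the query's pipeline step for step over a list of rows."""
    hits = []
    for row in events:
        if row.get("ActionType") != "AntivirusReport":           # | where ActionType == "AntivirusReport"
            continue
        bag = parse_json(row.get("AdditionalFields"))            # | extend ParsedAdditionalFields = parse_json(...)
        unpacked = bag_unpack(row, bag)                          # | evaluate bag_unpack(ParsedAdditionalFields)
        if kql_startswith(unpacked.get("Signer"), "INVALID"):    # | where Signer startswith "INVALID"
            hits.append(unpacked)
    return hits
```

Running `detect_invalid_certificates(SAMPLE_DEVICE_EVENTS)` returns the ws01 and ws05 rows, with the unpacked Signer and Product values available as top-level columns.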

Details


Matt Zorich

Released: October 10, 2023

Tables

DeviceEvents

Keywords

DeviceEvents, ActionType, AntivirusReport, ParsedAdditionalFields, Signer, INVALID

Operators

where, extend, parse_json, evaluate, bag_unpack, startswith
