Query Details

Identifying Methods Used To Establish Secure Communication Over Insecure Channels

Query

**Identifying methods used to establish secure communication over insecure channels**

**Description**: In this case, I have been researching the 'curve' value in the AdditionalFields column of the DeviceNetworkEvents table, which I identified on iana.org as belonging to two groups, 'Elliptic curve' and 'Diffie-Hellman groups'.

These two kinds of groups are key-exchange groups rather than encryption algorithms: the client and server use one of them to agree a shared secret over an insecure channel, and the session keys that actually encrypt the traffic are derived from that secret. They are catalogued by the Internet Assigned Numbers Authority (IANA) in the TLS Supported Groups registry, which marks each entry as 'Recommended' (Y or N) and records whether it may be used with Datagram Transport Layer Security (the DTLS-OK column).
The registry page also notes:
"If an item is not marked as 'Recommended', it does not necessarily mean that it is flawed; rather, it indicates that the item either has not been through the IETF consensus process, has limited applicability, or is intended only for specific use cases"

This KQL query is therefore intended to surface the connections whose key-exchange group is not marked Recommended or not marked DTLS-OK, so you can judge whether the protection in place is adequate or, given the sensitivity of the data involved, needs to be reviewed.

```
let Curve_Source = externaldata(Value:int, Description:string, DTLSOK:string, Recommended:string, Reference:string)
[@"https://www.iana.org/assignments/tls-parameters/tls-parameters-8.csv"]
with (format="csv", ignoreFirstRecord=true); // skip the CSV header row so it is not treated as a group
DeviceNetworkEvents
| extend AF = parse_json(AdditionalFields)
| extend curve = tostring(AF.curve), server_name = tostring(AF.server_name)
// only rows where the TLS inspection recorded a key-exchange group
| where isnotempty(curve)
| extend RemoteIPCountry = tostring(geo_info_from_ip_address(RemoteIP).country)
| join kind=inner (Curve_Source) on $left.curve == $right.Description
// keep groups not explicitly marked Recommended (Y) or not usable with Datagram Transport Layer Security (DTLS)
| where Recommended != "Y" or DTLSOK != "Y"
// DeviceInfo holds many snapshots per device; take the latest one so the counts are not multiplied
| lookup kind=inner (
    DeviceInfo
    | summarize arg_max(Timestamp, OSDistribution, OSPlatform, OSVersion, ClientVersion, OSBuild, OSArchitecture) by DeviceId
    | project-away Timestamp
  ) on DeviceId
| summarize TotalConnections = count() by RemoteIP, RemoteIPCountry, OSDistribution, OSPlatform, OSVersion, ClientVersion, OSBuild, OSArchitecture, DeviceName, LocalIP, ActionType, RemotePort, Protocol, server_name, curve, DTLSOK, Recommended
| order by TotalConnections desc
```

Explanation

A simplified summary of the query:

Purpose: The query aims to identify whether the key-exchange groups used to secure communications over insecure channels are adequate. Specifically, it checks whether each group is marked 'Recommended' in the IANA TLS Supported Groups registry and whether it is marked as usable with Datagram Transport Layer Security (DTLS).

Steps:

  1. Load IANA Data: It first loads the IANA TLS Supported Groups CSV, which lists each elliptic-curve and finite-field Diffie-Hellman group together with its DTLS-OK and Recommended flags.
  2. Extract Data from DeviceNetworkEvents: It extracts the 'curve' value and other relevant fields (server name, remote IP country) from the DeviceNetworkEvents table.
  3. Join Data: It joins the events with the IANA data on the group name, so each event carries the registry flags for the curve it negotiated.
  4. Filter Non-Recommended Groups: It keeps only the events whose group is either not marked Recommended or not marked DTLS-OK.
  5. Add Device Info: It adds OS and client details from the DeviceInfo table for the devices involved in these network events.
  6. Summarize and Order: Finally, it counts the connections for each combination of the relevant fields and orders the results by that count.

Outcome: The result is a list of devices and their network connections that negotiated a group not marked Recommended or not marked DTLS-OK, together with details about the devices and the connections. This helps in assessing whether the key exchange in use is sufficient or needs review because of the sensitivity of the information being communicated. A group marked N is not necessarily flawed (see the IANA note above), so treat the list as a review queue rather than a finding.
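To check the matching logic without the externaldata call, and to show two failure modes that an inner join hides, here is an added example that is not part of the original query. It replaces the live registry with a constructed datatable excerpt (Reference column omitted; the flags are illustrative and should be verified against the live CSV) and a constructed set of DeviceNetworkEvents rows, normalises case on both sides, and uses a leftouter join so that a curve name the registry does not know (for example OpenSSL's name prime256v1 for IANA's secp256r1) is reported as NotInRegistry instead of disappearing. The ActionType value, host names and IPs are assumptions for this example.

```kql
// Constructed excerpt of the IANA TLS Supported Groups registry (Reference column
// omitted). Flags are illustrative: verify them against the live CSV before use.
let Curve_Source = datatable(Value:int, Description:string, DTLSOK:string, Recommended:string)
[
    1,   "sect163k1", "Y", "N",
    22,  "secp256k1", "Y", "N",
    23,  "secp256r1", "Y", "Y",
    24,  "secp384r1", "Y", "Y",
    29,  "x25519",    "Y", "Y",
    256, "ffdhe2048", "Y", "Y"
];
// Constructed sample of DeviceNetworkEvents rows (not real telemetry). The
// ActionType value and the host names/IPs are assumptions for this example.
let SampleEvents = datatable(DeviceName:string, RemoteIP:string, RemotePort:int, ActionType:string, AdditionalFields:string)
[
    "wks-01", "203.0.113.10", 443,  "SslConnectionInspected", '{"server_name":"portal.example.com","curve":"x25519"}',
    "wks-01", "203.0.113.10", 443,  "SslConnectionInspected", '{"server_name":"portal.example.com","curve":"x25519"}',
    "wks-02", "198.51.100.7", 443,  "SslConnectionInspected", '{"server_name":"legacy.example.net","curve":"secp256k1"}',
    "wks-02", "198.51.100.7", 8443, "SslConnectionInspected", '{"server_name":"legacy.example.net","curve":"SECP384R1"}',
    "srv-01", "192.0.2.20",   443,  "SslConnectionInspected", '{"server_name":"api.example.org","curve":"prime256v1"}',
    "srv-01", "192.0.2.21",   443,  "ConnectionSuccess",      '{}'
];
SampleEvents
| extend AF = parse_json(AdditionalFields)
// normalise case so "SECP384R1" matches the registry's "secp384r1"
| extend curve = tolower(tostring(AF.curve)), server_name = tostring(AF.server_name)
// rows without a recorded group (the ConnectionSuccess row) drop out here
| where isnotempty(curve)
// leftouter instead of inner: unknown names are kept and flagged, not silently dropped
| join kind=leftouter (Curve_Source | extend Description = tolower(Description)) on $left.curve == $right.Description
| extend Status = case(
    isempty(Description), "NotInRegistry",   // e.g. OpenSSL's prime256v1 is IANA's secp256r1
    Recommended != "Y",   "NotRecommended",
    DTLSOK != "Y",        "NotDtlsOk",
    "Recommended")
| where Status != "Recommended"
| summarize TotalConnections = count() by DeviceName, RemoteIP, RemotePort, server_name, curve, Status
| order by TotalConnections desc
```

With this input the x25519 and secp384r1 rows are accepted and two rows remain: wks-02 to legacy.example.net on secp256k1 (NotRecommended) and srv-01 to api.example.org on prime256v1 (NotInRegistry). In the full query the same tolower() normalisation and leftouter pattern can replace the inner join; a NotInRegistry row deserves a look before the counts are trusted, since it may be a naming mismatch rather than a weak group.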

Details


Sergio Albea

Released: September 1, 2024

Tables

DeviceNetworkEvents, DeviceInfo

Keywords

DeviceNetworkEvents, DeviceInfo

Operators

`let`, `externaldata`, `with`, `extend`, `parse_json`, `tostring`, `geo_info_from_ip_address`, `join`, `on`, `where`, `has`, `lookup`, `summarize`, `by`, `order by`
