Query Details
Unusual Software Certificate Detection
Query
//This query looks for software certificates with low prevalence
//Helps identify potentially unapproved applications in the organization
DeviceFileCertificateInfo
| join DeviceFileEvents on SHA1
| summarize count() by Signer //FileName,SHA1,Issuer,FileOriginUrl
| where Signer !contains "Google "
| where not(Signer has_any("Intel","fortinet",".net","citrix","microsoft","HP Inc.","adobe","cisco","Avaya Inc.","Zoom Video Communications, Inc.","zscaler","oracle","Advanced Micro Devices Inc.","Lenovo","Hewlett-Packard Company","RingCentral","Symantec","Mozilla","Dell Technologies Inc."))
| order by count_ Explanation
This query is designed to identify software certificates that are not commonly used within an organization, which could help in spotting potentially unapproved or suspicious applications. Here's a breakdown of what the query does:
-
Data Source: It starts by accessing information about software certificates (
DeviceFileCertificateInfo) and file events (DeviceFileEvents). -
Joining Data: It combines these two datasets based on a common identifier, the SHA1 hash, which uniquely identifies files.
-
Counting Occurrences: The query counts how many times each software certificate signer appears in the data.
-
Filtering Out Common Signers: It excludes certificates signed by well-known and commonly approved companies (like Google, Microsoft, Adobe, etc.) to focus on less common signers.
-
Sorting Results: Finally, it orders the results by the count of occurrences, likely to highlight those with the lowest prevalence first.
In summary, this query helps identify software certificates from less common or potentially unauthorized sources by filtering out those from widely recognized and trusted companies.
Details
Jay Kerai
Released: November 10, 2024
Tables
Keywords
Operators