Identify self-signed certificates in EASM
Self Signed Certificates
Query
EasmRisk_CL
| where MetricDisplayName_s == "ASI: Self Signed Certificates"
| extend AssetType_Domain = tostring(parse_json(AssetDiscoveryAuditTrail_s)[0].AssetType)
| extend AssetType_Host = tostring(parse_json(AssetDiscoveryAuditTrail_s)[1].AssetType)
| project AssetType_Domain, AssetType_Host, WorkspaceName_sAbout this query
Identify self-signed certificates in EASM
Description
The following query will identify and present Assets (Domain/Host) in External Attack Surface Management that are associated with self-signed certificates.
References
Microsoft Sentinel
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 06/10/2024 | Initial publish |
Explanation
This query is designed to find and display assets, specifically domains and hosts, that are linked to self-signed certificates within the context of External Attack Surface Management (EASM). Here's a simplified breakdown of what the query does:
- Data Source: It starts by looking at data from the
EasmRisk_CLtable. - Filter: It filters the data to only include entries where the
MetricDisplayName_sfield indicates "ASI: Self Signed Certificates". This means it's specifically looking for records related to self-signed certificates. - Extract Information: It extracts the type of asset (either domain or host) from a field called
AssetDiscoveryAuditTrail_s. This field is in JSON format, and the query parses it to get the asset types. - Display Results: Finally, it displays the asset types (both domain and host) along with the workspace name.
The purpose of this query is to help identify potential security risks associated with self-signed certificates, which can be problematic as they are not verified by a trusted certificate authority.
Details

Michalis Michalos
Released: October 6, 2024
Tables
EasmRisk_CL
Keywords
AssetsCertificatesDomainHostWorkspace
Operators
EasmRisk_CLwhere==extendtostring()parse_json()[ ]project