Query Details

Self Signed Certificates

Query

# Identify self-signed certificates in EASM

## Description

The following query will identify and present Assets (Domain/Host) in External Attack Surface Management that are associated with self-signed certificates.

### References
- https://securitytrails.com/blog/dangers-of-using-self-signed-certificates

### Microsoft Sentinel
```kql
EasmRisk_CL
| where MetricDisplayName_s == "ASI: Self Signed Certificates"
| extend AssetType_Domain = tostring(parse_json(AssetDiscoveryAuditTrail_s)[0].AssetType)
| extend AssetType_Host = tostring(parse_json(AssetDiscoveryAuditTrail_s)[1].AssetType)
| project AssetType_Domain, AssetType_Host, WorkspaceName_s
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 06/10/2024    | Initial publish                        |

Explanation

This query is designed to find and display assets, specifically domains and hosts, that are linked to self-signed certificates within the context of External Attack Surface Management (EASM). Here's a simplified breakdown of what the query does:

  1. Data Source: It starts by looking at data from the EasmRisk_CL table.
  2. Filter: It filters the data to only include entries where the MetricDisplayName_s field indicates "ASI: Self Signed Certificates". This means it's specifically looking for records related to self-signed certificates.
  3. Extract Information: It extracts the type of asset (either domain or host) from a field called AssetDiscoveryAuditTrail_s. This field holds a JSON array, and the query parses it and reads the AssetType of the first element as the domain entry and of the second element as the host entry, so the labels are only accurate while the audit trail is written in that order.
  4. Display Results: Finally, it displays the asset types (both domain and host) along with the workspace name.

The purpose of this query is to help identify potential security risks associated with self-signed certificates, which can be problematic as they are not verified by a trusted certificate authority.
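The query above labels audit-trail entry [0] as the domain and entry [1] as the host, which only holds while the audit trail is written in that order and has at least two entries. The variant below is an added example, not the catalogue's query: it expands every audit-trail entry with mv-expand and counts self-signed certificate findings per workspace and asset type, so a trail of any length or order is still reported. It assumes only that each entry carries an AssetType field, as the original query does, and uses no other field names.

```kql
// Added example (not the original query): report every audit-trail entry
// instead of assuming index [0] is the domain and [1] the host.
EasmRisk_CL
| where MetricDisplayName_s == "ASI: Self Signed Certificates"
| extend AuditTrail = parse_json(AssetDiscoveryAuditTrail_s)
// Drop rows whose audit trail is missing or not a non-empty array.
| where isnotnull(AuditTrail) and array_length(AuditTrail) > 0
// One output row per audit-trail entry, whatever the array length.
| mv-expand AuditEntry = AuditTrail
| extend AssetType = tostring(AuditEntry.AssetType)
| where isnotempty(AssetType)
| summarize FindingCount = count() by WorkspaceName_s, AssetType
| order by FindingCount desc
```

Because the original query projects only the two asset-type labels, two findings in the same workspace produce identical rows; the summarize step here gives a count per workspace and asset type instead, which is the figure a triage queue or workbook tile normally needs.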

Details


Michalis Michalos

Released: October 6, 2024

Tables

EasmRisk_CL

Keywords

Assets, Certificates, Domain, Host, Workspace

Operators

EasmRisk_CL, where, ==, extend, tostring(), parse_json(), [ ], project
