Using Microsoft Sentinel to find expiring X.509 certificates
One of the things scarlet is really good at is finding X.509 certificates within your attack surface, even when they’re hidden away within a complex virtual host environment or behind less common protocols like DTLS and QUIC. And whenever scarlet bumps into an X.509 certificate, it forwards an event containing all the certificate details to any destinations you choose, such as Microsoft Sentinel.
So once you have the events in your SIEM, what next?
For sending events to the various SIEMs, scarlet uses the Elastic Common Schema (ECS) format. That’s because ECS is supported natively by many SIEM plugins and scripts, which makes it much easier for you to integrate scarlet with your existing workflow. So, you never know: you may already have a plugin enabled that spots and alerts on expiring certificates.
And if you don’t already have a plugin installed that alerts on certificates?
No need to worry: Microsoft Sentinel also makes it really easy to create a custom rule that does the same thing. Simply open a log query panel and paste in the following, which lists the certificates scarlet has spotted that are about to expire and haven’t yet been seen renewed:

```kusto
let searchPeriod = 30d;   // only consider events scarlet sent in this window
let notAfterWarn = 7d;    // alert when the certificate expires within this many days
scarlet_CL
| where TimeGenerated > ago(searchPeriod)
    and isnotempty(tls_server_x509_not_after_t)   // skip events without a certificate expiry
// keep the newest expiry per endpoint/subject, so a renewed certificate hides the old one
| summarize max(tls_server_x509_not_after_t)
    by
    destination_ip_s,
    destination_port_d,
    tls_server_x509_subject_common_name_s,
    tls_server_x509_alternative_names_s
| where max_tls_server_x509_not_after_t <= now() + notAfterWarn
```
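To show what the query above actually does with the data, here is an added Python example (not scarlet’s own code, nor part of the original post) that applies the same logic offline to a handful of constructed events using the column names from the query: it drops events outside the search window or without an expiry, keeps the newest expiry per endpoint and subject, and then reports only those expiring within the warning period.

```python
from datetime import datetime, timedelta, timezone

def d(*ymd): return datetime(*ymd, tzinfo=timezone.utc)  # constructed UTC timestamp helper

NOW = d(2024, 6, 1)  # fixed "now" so the constructed sample is reproducible

def ev(seen, ip, port, cn, sans, not_after):
    """One constructed event, using the column names from the KQL above."""
    return {"TimeGenerated": seen, "destination_ip_s": ip, "destination_port_d": port,
            "tls_server_x509_subject_common_name_s": cn,
            "tls_server_x509_alternative_names_s": sans,
            "tls_server_x509_not_after_t": not_after}

# Constructed sample data, not real scarlet output.
SAMPLE_EVENTS = [
    # expires in 4 days and was never renewed -> should alert
    ev(d(2024, 5, 20), "203.0.113.10", 443, "api.example.com", "api.example.com", d(2024, 6, 5)),
    # old cert seen early in May, renewed cert seen later -> max() hides the old one, no alert
    ev(d(2024, 5, 10), "203.0.113.20", 443, "www.example.com", "www.example.com", d(2024, 6, 3)),
    ev(d(2024, 5, 28), "203.0.113.20", 443, "www.example.com", "www.example.com", d(2025, 5, 28)),
    # DTLS endpoint on an unusual port, expiring in 6 days -> should alert
    ev(d(2024, 5, 30), "203.0.113.30", 4433, "vpn.example.com", "vpn.example.com", d(2024, 6, 7)),
    # seen before the 30-day search window -> ignored by ago(searchPeriod)
    ev(d(2024, 4, 1), "203.0.113.40", 443, "old.example.com", "old.example.com", d(2024, 6, 2)),
    # no certificate expiry recorded -> ignored by isnotempty()
    ev(d(2024, 5, 31), "203.0.113.50", 443, "", "", None),
]

def expiring_certificates(events, now=NOW, search_period=timedelta(days=30),
                          not_after_warn=timedelta(days=7)):
    """Mirror the KQL: newest not_after per endpoint/subject, then keep only
    those expiring within not_after_warn. Returns {endpoint_key: not_after}."""
    latest = {}
    for e in events:
        if e["TimeGenerated"] <= now - search_period:      # TimeGenerated > ago(searchPeriod)
            continue
        not_after = e["tls_server_x509_not_after_t"]
        if not not_after:                                   # isnotempty(not_after)
            continue
        key = (e["destination_ip_s"], e["destination_port_d"],
               e["tls_server_x509_subject_common_name_s"],
               e["tls_server_x509_alternative_names_s"])
        if key not in latest or not_after > latest[key]:   # summarize max(...) by key
            latest[key] = not_after
    return {k: v for k, v in latest.items() if v <= now + not_after_warn}

if __name__ == "__main__":
    for (ip, port, cn, _), exp in sorted(expiring_certificates(SAMPLE_EVENTS).items()):
        print(f"{ip}:{port} ({cn}) expires {exp:%Y-%m-%d}")
```

Because the grouping includes the subject common name and the SAN list, a renewal that changes the SANs lands in a separate group, so the old certificate keeps alerting until it ages out of searchPeriod.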
What next?
Our goal is to make scarlet the first choice for a high-value, low-effort way to immediately improve your security. No more forgotten servers!™
But don’t take our word for it: why not give it a try? There’s a free, unrestricted trial available, and you only need an email address to register. You could literally be up and running, and seeing the value, in ten minutes.