forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
get_certificate_logs_for_a_domain.yml
34 lines (34 loc) · 1.54 KB
/
get_certificate_logs_for_a_domain.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
name: Get Certificate logs for a domain
id: bc91a8cf-35e7-4bb2-2240-e756cc06fd73
version: 2
date: '2019-04-29'
author: Bhavin Patel, Splunk
type: Investigation
datamodel: []
description: This search queries the Certificates datamodel and give you all the information
for a specific domain. Please note that the certificates issued by "Let's Encrypt"
are widely used by attackers.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Certificates.All_Certificates where All_Certificates.SSL.ssl_subject_common_name=*$domain$ by
All_Certificates.dest All_Certificates.src All_Certificates.SSL.ssl_issuer_common_name
All_Certificates.SSL.ssl_subject_common_name All_Certificates.SSL.ssl_hash | `drop_dm_object_name(All_Certificates)`
| `drop_dm_object_name(SSL)` | rename ssl_subject_common_name as domain | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`'
how_to_implement: You must be ingesting your certificates or SSL logs from your network
traffic into your Certificates datamodel. Please note the wildcard(*) before domain
in the search syntax, we use to match for all domain and subdomain combinations
known_false_positives: ''
references: []
tags:
analytic_story:
- Common Phishing Frameworks
product:
- Splunk Phantom
required_fields:
- _time
- All_Certificates.SSL.ssl_subject_common_name
- All_Certificates.dest
- All_Certificates.src
- All_Certificates.SSL.ssl_issuer_common_name
- All_Certificates.SSL.ssl_hash
security_domain: network