RISKIQ SSL certificate lookups that return an exact match
RISKIQ SSL certificate lookup results for an exact match are displayed on the SSL Certificates tab of the security incident record. An exact match returns the certificate's issuer, which helps a security incident analyst judge the validity of a website: a certificate issued by a known public certificate authority reads differently from a self-signed one, as the two examples below show.
Exact match for a valid SSL certificate
The following example shows a valid issuer of an SSL certificate from an exact match in the lookup results. Follow the steps to view the results and raw data.
- In the upper-right corner of the banner frame, click the Settings icon.
- In the System Settings dialog box that is displayed, click Forms and verify that Tabbed forms and With the Form are selected.
- In the security incident record, click the SSL Certificates tab.
Figure 1. SSL Certificates tab
Information about the certificate issuer's name, the issuer's organization, and the organization the certificate is issued to is displayed along with other data.
In this example, 18 items are displayed in the Issuer Name column. The item R3 shows a valid certificate authority name (Let's Encrypt) in the Issuer Organization column. The item mail.dgtnetworks.com shows nothing in the Issuer Organization and Issued to columns.
- Click R3 in the Issuer Name column to open the entry record. Alternatively, click the information icon next to the item, then click Open record.
- Select the Raw Data tab.
Figure 2. Raw Data tab
The SSL Certificate Entry record lists the observable in the Raw Data tab under the Entity name column, along with other data.
Note that in the Category column, the Subject and Issuer correspond to recognizable entities in the Entity name column, and that the Subject and Issuer are different entities. The issuer of this certificate is most likely a trusted public certificate authority, and the distinct entities show that the certificate is not self-signed. Keep in mind, however, that the Issuer fields are text chosen by whoever signed the certificate: a distinct issuer rules out self-signing but does not by itself prove the issuer is a trusted public CA, so confirm that the certificate chains to a CA in a trust store before treating it as valid.
Exact match for a self-signed SSL Certificate
The following example shows results for a self-signed SSL certificate from the lookup. Follow the steps to view the results and raw data.
- Navigate back to the security incident record. In the Issuer Name column, click the other item (mail.dgtnetworks.com).
Figure 3. SSL Certificates tab
- On the open record, select the Raw Data tab.
Figure 4. Raw Data tab
The Category column shows that the Issuer entities (mail.dgtnetworks.com and dgtsbs.DGTNetworks.local) are not trusted public certificate authorities. Also note that the Issuer and Subject are the same entity (dgtsbs.DGTNetworks.local), and each contains the name of the observable (dgtsbs). This certificate is probably self-signed. Self-signed certificates may warrant further investigation because they are not issued by a known certificate authority: such a certificate only shows that its creator holds the matching private key, so nothing independent vouches for the names it carries or for the host that presented it.
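The two readings above (distinct Subject and Issuer for the R3 certificate, identical Subject and Issuer for the dgtsbs certificate) can be reproduced programmatically. The following Go program is an added example written for this page; it is not ServiceNow or RISKIQ code and uses no data from either product. It builds four constructed certificates with locally generated keys: an internal root, a server certificate that root issued, a self-signed server certificate shaped like the dgtsbs example, and a server certificate signed by a locally generated root whose Subject copies the names R3 and Let's Encrypt from the page's valid example. Classify applies the tab's Subject/Issuer comparison, but verifies the self-signature cryptographically and only calls a certificate trusted when it chains to a supplied trust store. The fourth certificate shows why that last step matters: its Issuer Name and Issuer Organization columns would read exactly like the valid example, yet it anchors nowhere. All hostnames, organization names and serial numbers in the templates are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const (
	VerdictSelfSigned = "self-signed: Subject and Issuer are one entity and the signature verifies with the cert's own key"
	VerdictTrusted    = "issued by a CA that chains to the supplied trust store"
	VerdictUnanchored = "Issuer differs from Subject, but the chain does not anchor in the supplied trust store"
)

// Classify applies the tab's Subject/Issuer reading plus the two checks that make it sound: the self-signature
// is verified rather than inferred from names, and "not self-signed" is not "trusted" until the chain anchors.
func Classify(cert *x509.Certificate, trusted *x509.CertPool) string {
	if bytes.Equal(cert.RawSubject, cert.RawIssuer) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		return VerdictSelfSigned
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: trusted}); err == nil {
		return VerdictTrusted
	}
	return VerdictUnanchored
}

// Scenario holds constructed certificates; every key is generated locally, so the lookalike's names are free text.
type Scenario struct {
	Root, LeafFromRoot, SelfSigned, LookalikeLeaf *x509.Certificate
	Trusted                                       *x509.CertPool
}

func BuildScenario() Scenario {
	now := time.Now()
	// A private root and a server certificate it issued (hostnames are constructed).
	root, rootKey := mint(template("Example Internal Root", []string{"Example Corp"}, 1, true, now), nil, nil)
	leaf, _ := mint(template("mail.example.com", nil, 2, false, now), root, rootKey)
	// A self-signed server certificate in the shape of the page's dgtsbs example.
	self, _ := mint(template("dgtsbs.DGTNetworks.local", nil, 3, false, now), nil, nil)
	// A locally generated "root" whose Subject copies a public CA's names, and a leaf it signed:
	// Subject != Issuer in the tab, yet nothing about it is trusted.
	fakeRoot, fakeKey := mint(template("R3", []string{"Let's Encrypt"}, 4, true, now), nil, nil)
	lookalike, _ := mint(template("mail.dgtnetworks.com", nil, 5, false, now), fakeRoot, fakeKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	return Scenario{Root: root, LeafFromRoot: leaf, SelfSigned: self, LookalikeLeaf: lookalike, Trusted: trusted}
}

// template builds a CA template when ca is true, otherwise a TLS server leaf template.
func template(cn string, org []string, serial int64, ca bool, now time.Time) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: org},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}
	if ca {
		t.KeyUsage, t.BasicConstraintsValid, t.IsCA = x509.KeyUsageCertSign, true, true
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mint generates a fresh key for tmpl and signs it with signer; a nil parent makes it self-signed.
func mint(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	s := BuildScenario()
	for _, c := range []*x509.Certificate{s.Root, s.LeafFromRoot, s.SelfSigned, s.LookalikeLeaf} {
		// The three tab columns, then the verdict.
		fmt.Printf("Issuer Name=%q Issuer Organization=%v Issued to=%q\n  -> %s\n",
			c.Issuer.CommonName, c.Issuer.Organization, c.Subject.CommonName, Classify(c, s.Trusted))
	}
}
```

Running the program prints the root and the dgtsbs-style certificate as self-signed, the certificate from the internal root as trusted, and the lookalike as unanchored even though its Issuer Name reads R3 and its Issuer Organization reads Let's Encrypt. The self-signed test compares the raw DER of Subject and Issuer and then verifies the signature with the certificate's own public key, which distinguishes a true self-signed certificate from one that merely repeats its name in both fields; the trusted verdict comes from x509.Certificate.Verify against the pool, never from the issuer text.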