Monitor for abnormal certificate enrollment and usage activity in Active Directory Certificate Services (AD CS), registry access to certificate storage locations, and unusual process executions that attempt to export or access private keys.

| Data Component | Name | Channel |
|---|---|---|
| Active Directory Credential Request (DC0084) | WinEventLog:Security | EventCode=4886, 4887, 4899, 4900, 4768, 4624 |
| Windows Registry Key Access (DC0050) | WinEventLog:Security | EventCode=4657 |

| Field | Description |
|---|---|
| EKU_Thresholds | Organizations may tune which Extended Key Usage (EKU) values are considered risky. |
| TimeWindow | Defines how quickly multiple certificate enrollments from the same entity should trigger correlation alerts. |
| LogonContext | Differentiate between service accounts and interactive user accounts to reduce false positives. |

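The three tunables above (EKU_Thresholds, TimeWindow, LogonContext) applied to AD CS Security events, as an added example rather than anything from the original page: a single correlation pass over constructed 4886/4887 records. The event layout, the `eku` field (assumed to be enriched from the requested template, since 4886/4887 do not carry EKUs directly), the `$` suffix test for service accounts and the specific risky-EKU set are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# EKU_Thresholds: EKUs that let a certificate be used for authentication.
# The OIDs are standard; which ones count as risky is a tuning decision.
RISKY_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
TIME_WINDOW = timedelta(minutes=10)  # TimeWindow tunable
BURST_THRESHOLD = 3                  # enrollments per requester inside the window
SERVICE_SUFFIX = "$"                 # LogonContext: machine/service accounts (assumption)

# Constructed sample events, not real telemetry.
# 4886 = request received, 4887 = request approved and certificate issued.
EVENTS = [
    {"EventCode": 4887, "Requester": "CORP\\alice", "eku": ["1.3.6.1.5.5.7.3.2"], "time": "2024-05-01T09:00:00"},
    {"EventCode": 4887, "Requester": "CORP\\alice", "eku": ["1.3.6.1.4.1.311.20.2.2"], "time": "2024-05-01T09:03:00"},
    {"EventCode": 4887, "Requester": "CORP\\alice", "eku": ["1.3.6.1.5.5.7.3.2"], "time": "2024-05-01T09:07:00"},
    {"EventCode": 4887, "Requester": "CORP\\WEB01$", "eku": ["1.3.6.1.5.5.7.3.1"], "time": "2024-05-01T09:08:00"},
    {"EventCode": 4886, "Requester": "CORP\\bob", "eku": ["2.5.29.37.0"], "time": "2024-05-01T11:00:00"},
]

def is_service_account(requester):
    return requester.endswith(SERVICE_SUFFIX)

def find_alerts(events, risky=RISKY_EKUS, window=TIME_WINDOW, burst=BURST_THRESHOLD):
    """Return (requester, reason) tuples for: a risky EKU issued to an
    interactive account, or `burst` or more enrollment events by one
    requester within `window` (sliding)."""
    alerts = []
    recent = defaultdict(list)           # requester -> timestamps inside the window
    for e in sorted(events, key=lambda x: x["time"]):   # ISO-8601 sorts lexically
        if e["EventCode"] not in (4886, 4887):
            continue
        who = e["Requester"]
        if is_service_account(who):      # LogonContext: suppress service accounts
            continue
        ts = datetime.fromisoformat(e["time"])
        if e["EventCode"] == 4887 and risky & set(e["eku"]):
            alerts.append((who, "risky EKU issued"))
        recent[who] = [t for t in recent[who] if ts - t <= window] + [ts]
        if len(recent[who]) >= burst:    # TimeWindow: enrollment burst
            alerts.append((who, "enrollment burst"))
    return alerts
```

In production the requester and EKU would come from the 4887 Attributes/template fields joined to template definitions, and the service-account test should use the actual account type rather than a name suffix.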
Monitor for file access to certificate directories, commands invoking OpenSSL or PKCS#12 utilities to export or modify certificates, and processes accessing sensitive key storage paths.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | open, read: /etc/ssl/, /etc/pki/, ~/.pki/nssdb/ |
| Command Execution (DC0064) | auditd:SYSCALL | execve: openssl pkcs12, certutil, keytool |

| Field | Description |
|---|---|
| PathExclusions | Exempt trusted automated services regularly accessing PKI stores. |
| UserContext | Differentiate root/system accounts versus user-level access to key material. |

Monitor for invocations of the macOS security command-line tool and API calls interacting with the Keychain, as well as file access attempts to stored certificates and private keys in ~/Library/Keychains or /Library/Keychains.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | process calling security find-certificate, export, or import |
| File Access (DC0055) | macos:keychain | ~/Library/Keychains, /Library/Keychains |

| Field | Description |
|---|---|
| ApplicationAllowList | Allow-list legitimate apps that interact with Keychain to reduce false positives. |

Monitor for abnormal certificate enrollment events in identity platforms, unexpected use of token-signing certificates, and unusual CA configuration modifications.

| Data Component | Name | Channel |
|---|---|---|
| Active Directory Object Modification (DC0066) | azure:SigninLogs | Add certificate credential, Update certificate credential |
| Application Log Content (DC0038) | m365:unified | certificate added or modified in application credentials |

| Field | Description |
|---|---|
| GeoContext | Detect certificate-related changes occurring from unusual geographic locations. |
| Thresholds | Adjust enrollment/issuance request volume thresholds per tenant size. |