
T1649

false positives may be generated based on an automated process or service that exports certificates regularly. review is required before setting to alert. monitor for abnormal processes performing an export.
false positives may be generated in environments where administrative users or processes are allowed to generate certificates with subject alternative names. sources or templates used in these processes may need to be tuned out for accurate function.
false positives may be present and may need to be reviewed before this can be turned into a ttp. in addition, remove .pfx (standalone) if it's too much volume.
false positives may be present based on automated tooling or system administrators. filter as needed.
false positives may be present in some instances of legitimate applications requiring to export certificates. filter as needed.
false positives will be generated based on normal certificate requests. leave enabled to generate risk, as this is meant to be an anomaly analytic.
false positives will be generated based on normal certificate store backups. leave enabled to generate risk, as this is meant to be an anomaly analytic. if cs backups are not normal, enable as ttp.
false positives will be generated based on normal certificates issued. leave enabled to generate risk, as this is meant to be an anomaly analytic.
filtering may be required based on automated utilities and third party applications that may export certificates.
it is possible administrators or scripts may run these commands; filtering may be required.
legitimate applications requesting certificate exports will trigger this. apply additional filters as needed.
unlikely