LoFP / false positives may be generated in environments where administrative users or processes are allowed to generate certificates with subject alternative names. sources or templates used in these processes may need to be tuned out for accurate function.

`wineventlog_security` EventCode IN (4886,4887) Attributes="*SAN:*upn*" Attributes="*CertificateTemplate:*" 
| stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId 
| `security_content_ctime(firstTime)`  
| `security_content_ctime(lastTime)`
| fillnull 
| rex field=Attributes "(?i)CertificateTemplate:(?<object>[^\r\n]+)" 
| rex field=Attributes "(?i)ccm:(?<req_src>[^\r\n]+)" 
| rex max_match=10 field=Attributes "(?i)(upn=(?<req_user_1>[^\r\n&]+))" 
| rex max_match=10 field=Attributes "(?i)(dns=(?<req_dest_1>[^\r\n&]+))" 
| rex field=Requester "(.+\\\\)?(?<src_user>[^\r\n]+)" 
| eval flavor_text = case(EventCode=="4886","A suspicious certificate was requested using request ID: ".'RequestId',EventCode=="4887", "A suspicious certificate was issued using request ID: ".'RequestId'.". To revoke this certifacte use this request ID or the SSL fingerprint [".'ssl_hash'."]"), dest = upper(coalesce(req_dest_1,req_dest_2)), src = upper(coalesce(req_src,Computer)) 
| fields - req_* 
| rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name
| `windows_steal_authentication_certificates___esc1_abuse_filter`

`wineventlog_security`
EventCode IN (4887)
Attributes="*SAN:*upn*"
Attributes="*CertificateTemplate:*"

| stats
    count
    min(_time) as firstTime
    max(_time) as lastTime
    values(name) as name
    values(status) as status
    values(Subject) as ssl_subject
    values(SubjectKeyIdentifier) as ssl_hash
    by Computer, EventCode, Requester, Attributes, RequestId

| rex field=Attributes "(?i)CertificateTemplate:(?<object>[^\r\n]+)"

| rex field=Attributes "(?i)ccm:(?<req_src>[^\r\n]+)"

| rex max_match=10 field=Attributes "(?i)(upn=(?<req_user_1>[^\r\n&]+))"

| rex max_match=10 field=Attributes "(?i)(dns=(?<req_dest_1>[^\r\n&]+))"

| rex field=Requester "(.+\\\\)?(?<src_user>[^\r\n]+)"

| rename
    Attributes as object_attrs
    EventCode as signature_id
    name as signature
    RequestId as ssl_serial
    Requester as ssl_subject_common_name

| eval user = lower(coalesce(req_user_1, req_user_2))

| join user [
    search `wineventlog_security`
    EventCode=4768
    CertThumbprint=*
    
| rename
        TargetUserName as user
        Computer as auth_dest
        IpAddress as auth_src
    
| fields auth_src, auth_dest, user
]

| eval
    src = upper(coalesce(auth_src, req_src)),
    dest = upper(coalesce(auth_dest, req_dest_1, req_dest_2)),
    risk_score = 50

| eval flavor_text = case(
    signature_id=="4887",
    "User account [" . user . "] authenticated after a suspicious certificate was issued for it by [" . src_user . "] using certificate request ID: " . ssl_serial
)

| fields - req_* auth_*

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `windows_steal_authentication_certificates___esc1_authentication_filter`