Splunk Enterprise Security

How to create Splunk alert to detect unauthorized certificate usage?

New Member


I am trying to extract a new field to spot unauthrorised certificate usage on a server.  Under event ID 4768, there is a "Certificate Information" heading followed by Certificate Issuer Name, Certificate Serial Number, and Certificate Thumbprint. Ideally, I want to extract the Certificate Thumbprint field so I can create an alert. But because the logs I have so far have empty Certificate Information fields, it's making it difficult to create an expression. Does anyone have ideas how to extract the Certificate Thumbprint field?




Labels (1)
0 Karma
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...