Jun 30 2019 08:11 AM
Hello,
I have created a custom threat detection policy to alert on administrative activity in CAS. I have added a filter to not match on specific actor accounts such as Sync_ and other system-related activity. I want to catch global admin or other user-related admin activity. However, I'm seeing that it's alerting on license changes by actor "certificate". I'm unable to search for that actor account in order to have more accurate alerts. Any suggestions would be helpful. Thank you.
Jun 30 2019 09:48 AM
"Certificate" is a Microsoft-owned service principal, responsible for some background operations. You can see it on many Group-related events for example, as well as service principal/application related ones. It's a really dumb name to put on such an object, no argument about it...
Jun 30 2019 10:02 AM
Jul 01 2019 09:58 AM
You can search for it by using "Certificate" as the query.
Jul 04 2019 06:23 AM
@Vasil Michev Thanks Vasil. I could not find it as the actor. However, after much digging I was able to create a filter where Activity Object | Activity Object ID does not equal "certificate". We're good now, thanks!
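An added example, not from this thread and not Microsoft's own Cloud App Security code, that replays the two filter versions discussed above over a few constructed activity records: the first version suppresses only system actors such as `Sync_`, the second additionally suppresses events whose Activity Object ID is `certificate`. The record layout (`actor`, `activity_object_id`, `activity`, `category`) and the sample values are assumptions for illustration, not the real Cloud App Security activity schema.

```python
from dataclasses import dataclass


@dataclass
class ActivityEvent:
    """Simplified activity record (field names are assumptions, not the real CAS schema)."""
    actor: str               # account or principal performing the action
    activity_object_id: str  # the "Activity Object ID" the thread ended up filtering on
    activity: str
    category: str            # e.g. "Administrative" vs "Access"


# Prefixes of system/automation accounts whose admin activity should not alert.
SYSTEM_ACTOR_PREFIXES = ("Sync_",)

# Activity Object IDs that belong to background service principals.
EXCLUDED_OBJECT_IDS = {"certificate"}


def is_admin_activity(event: ActivityEvent) -> bool:
    return event.category == "Administrative"


def policy_actor_only(event: ActivityEvent) -> bool:
    """First version of the policy: alert on admin activity unless the actor is a system account."""
    if not is_admin_activity(event):
        return False
    if event.actor.startswith(SYSTEM_ACTOR_PREFIXES):
        return False
    return True


def policy_with_object_filter(event: ActivityEvent) -> bool:
    """Second version: same as above, plus 'Activity Object ID does not equal certificate'."""
    if not policy_actor_only(event):
        return False
    if event.activity_object_id.lower() in EXCLUDED_OBJECT_IDS:
        return False
    return True


def run_policy(policy, events: list[ActivityEvent]) -> list[ActivityEvent]:
    """Return the events that would raise an alert under the given policy."""
    return [e for e in events if policy(e)]


# Constructed sample events; accounts and activities are made up for the example.
SAMPLE_EVENTS = [
    ActivityEvent("Sync_ServiceAccount", "user1@contoso.example", "Add member to group", "Administrative"),
    ActivityEvent("admin@contoso.example", "user2@contoso.example", "Change user license", "Administrative"),
    ActivityEvent("Certificate", "certificate", "Change user license", "Administrative"),
    ActivityEvent("user3@contoso.example", "report.xlsx", "File download", "Access"),
]


def alert_actors(policy) -> list[str]:
    """Actors of the sample events that alert under the policy."""
    return [e.actor for e in run_policy(policy, SAMPLE_EVENTS)]


if __name__ == "__main__":
    print("actor-only filter alerts on:", alert_actors(policy_actor_only))
    print("with object-id filter alerts on:", alert_actors(policy_with_object_filter))
```

Running it shows the actor-only filter still alerting on the "Certificate" license change, while the version that also filters on the Activity Object ID leaves only the human admin's license change, which is the outcome the thread arrived at.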