Actor "certificate" is creating Administrative Activity alerts when licenses are updated


Hello,

I have created a custom threat detection policy to alert on administrative activity in CAS. I have added a filter to not match on specific actor accounts such as Sync_ and other system-related activity. I want to catch global admin or other user-related admin activity. However, I'm seeing that it's alerting on license changes by actor "certificate". I'm unable to search for that actor account in order to have more accurate alerts. Any suggestions would be helpful. Thank you. 

4 Replies

"Certificate" is a Microsoft-owned service principal, responsible for some background operations. You can see it on many Group-related events for example, as well as service principal/application related ones. It's a really dumb name to put on such object, no argument about it...

Thanks for the feedback. That's what I figured. If I can only search it by UPN or display name, I can add it to my exception list. Does it have another name?

You can search for it by using "Certificate" as the query.

@Vasil Michev Thanks Vasil. I could not find it as the actor. However, after much digging I was able to create a filter where Activity Object | Activity Object ID does not equal "certificate". We're good now, thanks!
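The two policies discussed in this thread, as an added example that is not part of the original posts or of Cloud App Security itself. It models the activity-log records as plain Python objects (the field names loosely mirror the activities JSON, user name and activityObjects[].id, but are assumptions here), runs the poster's first policy (administrative activity minus excluded actors such as Sync_) and the fixed policy (additionally excluding records whose Activity Object ID is "certificate") over a constructed set of records, and shows that the license change only drops out of the alert list once the exclusion keys on the activity object ID rather than the actor:

```python
from dataclasses import dataclass, field


@dataclass
class Activity:
    """One activity-log record. Field names loosely mirror the Cloud App
    Security activities JSON (user.userName, activityObjects[].id) but are
    assumptions made for this example, not the product schema."""
    description: str
    actor: str                 # what the portal's actor / "User" filter matches on
    is_admin: bool             # True if the record is an "Administrative activity"
    activity_objects: list = field(default_factory=list)  # [{"id": ..., "type": ...}]


# Actors the poster excluded by name: directory-sync and similar system accounts.
EXCLUDED_ACTOR_PREFIXES = ("Sync_",)

# Activity object IDs to exclude. The "certificate" service principal does not
# surface in the actor field, so the exclusion has to key on the object ID.
EXCLUDED_OBJECT_IDS = {"certificate"}


def excluded_actor(actor: str) -> bool:
    """True for actors the policy should ignore (prefix match, like Sync_*)."""
    return actor.startswith(EXCLUDED_ACTOR_PREFIXES)


def touches_excluded_object(activity: Activity) -> bool:
    """True if any activity object ID is on the exclusion list.
    Compared case-insensitively, since the portal shows the name as 'certificate'
    while the thread title capitalises it."""
    return any(str(obj.get("id", "")).lower() in EXCLUDED_OBJECT_IDS
               for obj in activity.activity_objects)


def alert_actor_filter_only(activity: Activity) -> bool:
    """The poster's first policy: admin activity minus excluded actors."""
    return activity.is_admin and not excluded_actor(activity.actor)


def alert_with_object_filter(activity: Activity) -> bool:
    """The policy after the fix: also drop records whose Activity Object ID
    is 'certificate', which is how the license updates show up."""
    return alert_actor_filter_only(activity) and not touches_excluded_object(activity)


# Constructed sample records; the UPNs and object IDs are made up.
SAMPLE = [
    Activity("Add member to role", "admin@contoso.onmicrosoft.com", True,
             [{"id": "user-0001", "type": "User"}]),
    Activity("Update user", "Sync_SRV01_9c3e@contoso.onmicrosoft.com", True,
             [{"id": "user-0002", "type": "User"}]),
    # The noisy event: no searchable actor, "certificate" as an activity object.
    Activity("Change user license", "", True,
             [{"id": "certificate", "type": "Account"},
              {"id": "user-0003", "type": "User"}]),
    Activity("Download file", "alice@contoso.com", False, []),
]


def run(policy, activities=SAMPLE):
    """Return the descriptions of the records that would raise an alert."""
    return [a.description for a in activities if policy(a)]


if __name__ == "__main__":
    print("actor filter only :", run(alert_actor_filter_only))
    print("with object filter:", run(alert_with_object_filter))
```

The actor-only policy still fires on the license change because that record carries no actor value the exclusion can match; the object-ID exclusion is what suppresses it, while the real Global Admin role change keeps alerting. If you port this idea back into the portal, check the resulting alert list for a few days, since an over-broad object-ID exclusion would also hide any record that merely references that object.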