A user modified the CA audit policy

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2025-06-24
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Windows Event Collector
      OR
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Identity Analytics

Detector Tags

Active Directory Certificate Services Analytics

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impair Defenses: Disable Windows Event Logging (T1562.002)

Severity

Low

Description

  • A user changed the audit policy of an Active Directory Certificate Services (AD CS) certification authority (CA). This may indicate that an attacker is attempting to cover their tracks before an AD CS attack.

Attacker's Goals

An attacker is attempting to cover their tracks before an AD CS attack.

Investigative actions

  • Check the user account that modified the CA audit policy and verify that its activity is legitimate.
  • Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes.
  • Examine recent activity from the user account, including logon patterns and privilege changes.
  • Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.
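As an added example (not part of the Cortex XSIAM reference), the triage logic below turns the investigative actions above into code: it raises one alert per CA audit-policy change, applies the 1-day deduplication period per user and host, and enriches each alert with follow-on AD CS activity by the same account. It assumes Windows Security event IDs 4885 (CA audit filter changed), 4887 (certificate issued) and 4899/4900 (template or template security updated) and the field names SubjectUserName, Computer and TimeCreated; the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed Windows Security event IDs (the page itself names no event IDs).
CA_AUDIT_FILTER_CHANGED = 4885
FOLLOW_ON_EVENTS = {4887: "certificate issued",
                    4899: "template updated",
                    4900: "template security updated"}

# Constructed sample events, not real telemetry; field names follow the
# Windows Security log schema (EventID, TimeCreated, SubjectUserName, Computer).
SAMPLE_EVENTS = [
    {"EventID": 4885, "TimeCreated": "2025-06-01T09:00:00", "SubjectUserName": "svc-backup", "Computer": "CA01"},
    {"EventID": 4885, "TimeCreated": "2025-06-01T09:05:00", "SubjectUserName": "svc-backup", "Computer": "CA01"},
    {"EventID": 4899, "TimeCreated": "2025-06-01T09:30:00", "SubjectUserName": "svc-backup", "Computer": "CA01"},
    {"EventID": 4887, "TimeCreated": "2025-06-01T10:15:00", "SubjectUserName": "svc-backup", "Computer": "CA01"},
    {"EventID": 4887, "TimeCreated": "2025-06-01T10:20:00", "SubjectUserName": "jdoe", "Computer": "CA01"},
    {"EventID": 4885, "TimeCreated": "2025-06-03T08:00:00", "SubjectUserName": "svc-backup", "Computer": "CA01"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def alerts_for_audit_policy_changes(events, dedup=timedelta(days=1), lookahead=timedelta(hours=24)):
    """One alert per (user, host) per deduplication window for each 4885 event,
    enriched with follow-on AD CS events by the same user within `lookahead`."""
    events = sorted(events, key=_ts)
    last_alert = {}  # (user, host) -> time of the last alert raised for that pair
    alerts = []
    for e in events:
        if e["EventID"] != CA_AUDIT_FILTER_CHANGED:
            continue
        key = (e["SubjectUserName"], e["Computer"])
        t = _ts(e)
        if key in last_alert and t - last_alert[key] < dedup:
            continue  # suppressed: same user/host inside the 1-day deduplication period
        last_alert[key] = t
        # Follow-on activity by the same account: certificate issuances and template changes.
        follow_on = [(f["EventID"], FOLLOW_ON_EVENTS[f["EventID"]], f["TimeCreated"])
                     for f in events
                     if f["EventID"] in FOLLOW_ON_EVENTS
                     and f["SubjectUserName"] == key[0]
                     and t <= _ts(f) <= t + lookahead]
        alerts.append({"user": key[0], "host": key[1], "time": e["TimeCreated"], "follow_on": follow_on})
    return alerts


if __name__ == "__main__":
    for alert in alerts_for_audit_policy_changes(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this yields two alerts: the 09:05 change is suppressed by deduplication, and the first alert carries the template update and certificate issuance made by the same account, while the 4887 event from a different user is left out.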