Use Cert History to Build Detections

The Certificate Timeline provides a visual history of when a certificate was presented on hosts and web properties. This visualization gives threat hunters historical context that simplifies the detection of patterns, trends, and anomalies that could signal malicious behavior.

Certificates can act as strong indicators of compromise (IOCs) because threat actors often reuse a certificate across multiple assets over time: a certificate that has appeared on attacker infrastructure once is likely to appear on it again. While a certificate may currently be presented by only a few hosts, uncovering the assets that previously presented it helps you identify related infrastructure, build better detections, and track how attacker infrastructure has evolved over time. Check prevalence before you pivot: a certificate presented by a very large number of unrelated assets (a default certificate shipped with an appliance, or one shared across a hosting platform) is too common to serve as an indicator on its own.

You can pivot directly from the timeline to investigate the historical configurations of hosts and web properties, giving you a faster and deeper understanding of adversary behavior.

Use the Certificate Timeline

  1. Go to a host.

  2. Locate the certificate and click its Fingerprint.

  3. On the Certificate Details page, click the Timeline tab.

  4. The Timeline tab displays the history of this certificate within a defined time range. Each bar of the chart represents one host or web property that presented this certificate, spanning the period during which it was observed there. In the screenshot below, the certificate is present on numerous hosts beginning on Apr 23.

    Filter or sort the timeline along four dimensions to refine the results: Host/Web, Time Range, Port, and Protocol.

    This screenshot truncated for brevity.

  5. Click an asset's bar to see additional information about that asset at that point in time, including other field-value pairs of interest and any threats associated with it.
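The workflow above is driven through the UI, but the underlying logic (a per-certificate timeline narrowed by asset kind, port, protocol and date range; the historical pivot from a certificate to every asset that ever presented it; the pivot from an asset back to its certificate history; a prevalence check; and a detection rule that fires when a watchlisted certificate appears on an asset you have not seen before) is easy to reproduce over exported sighting data. The following is an added example, not code from the original page or from the product it describes. The sighting records, fingerprints and IP addresses are constructed for illustration; the field names (`asset`, `kind`, `port`, `protocol`, `fingerprint`, `first_seen`, `last_seen`) are an assumed export schema, not the platform's own.

```python
from datetime import date

# Constructed sample sightings (not real scan data). Each record is one observation
# of a certificate on a host or web property: the asset, the port/protocol it was
# served on, and the first/last dates it was seen there. Fingerprints are placeholder
# strings standing in for SHA-256 certificate fingerprints; the schema is assumed.
SIGHTINGS = [
    {"asset": "203.0.113.10", "kind": "host", "port": 443, "protocol": "HTTP",
     "fingerprint": "bad1bad1", "first_seen": date(2024, 4, 23), "last_seen": date(2024, 5, 2)},
    {"asset": "203.0.113.11", "kind": "host", "port": 443, "protocol": "HTTP",
     "fingerprint": "bad1bad1", "first_seen": date(2024, 4, 23), "last_seen": date(2024, 5, 9)},
    {"asset": "198.51.100.7", "kind": "host", "port": 8443, "protocol": "HTTP",
     "fingerprint": "bad1bad1", "first_seen": date(2024, 5, 6), "last_seen": date(2024, 5, 9)},
    {"asset": "login.example.test", "kind": "web", "port": 443, "protocol": "HTTP",
     "fingerprint": "bad1bad1", "first_seen": date(2024, 3, 1), "last_seen": date(2024, 3, 15)},
    {"asset": "203.0.113.10", "kind": "host", "port": 443, "protocol": "HTTP",
     "fingerprint": "cafe0001", "first_seen": date(2024, 5, 3), "last_seen": date(2024, 5, 9)},
    {"asset": "192.0.2.5", "kind": "host", "port": 443, "protocol": "HTTP",
     "fingerprint": "cafe0001", "first_seen": date(2024, 1, 1), "last_seen": date(2024, 5, 9)},
]


def timeline(sightings, fingerprint, kind=None, port=None, protocol=None, start=None, end=None):
    """Sightings of one certificate, narrowed by the same dimensions as the Timeline
    tab (Host/Web, Port, Protocol, Time Range), oldest first. A sighting overlaps the
    window if it did not end before `start` and did not begin after `end`."""
    rows = []
    for s in sightings:
        if s["fingerprint"] != fingerprint:
            continue
        if kind is not None and s["kind"] != kind:
            continue
        if port is not None and s["port"] != port:
            continue
        if protocol is not None and s["protocol"] != protocol:
            continue
        if start is not None and s["last_seen"] < start:
            continue
        if end is not None and s["first_seen"] > end:
            continue
        rows.append(s)
    return sorted(rows, key=lambda s: (s["first_seen"], s["asset"]))


def related_assets(sightings, fingerprint):
    """Every asset that ever presented the certificate, current or historical:
    the pivot from one certificate to related infrastructure."""
    return {s["asset"] for s in sightings if s["fingerprint"] == fingerprint}


def asset_history(sightings, asset):
    """Which certificates an asset presented and when: the pivot from a timeline
    bar back to that asset's historical configuration."""
    return sorted((s["first_seen"], s["last_seen"], s["fingerprint"], s["port"])
                  for s in sightings if s["asset"] == asset)


def is_shared_certificate(sightings, fingerprint, max_assets=50):
    """Prevalence check: a certificate on more than `max_assets` distinct assets is
    probably a default or shared one and too common to be a useful indicator."""
    return len(related_assets(sightings, fingerprint)) > max_assets


def detect_new_presenters(sightings, watchlist, known_assets, since):
    """Detection rule: alert when a watchlisted certificate starts being presented,
    on or after `since`, by an asset not already in `known_assets[fingerprint]`.
    Returns (fingerprint, asset, first_seen) tuples in chronological order."""
    alerts = []
    for s in sightings:
        fp = s["fingerprint"]
        if fp not in watchlist or s["first_seen"] < since:
            continue
        if s["asset"] in known_assets.get(fp, set()):
            continue
        alerts.append((fp, s["asset"], s["first_seen"]))
    return sorted(alerts, key=lambda a: a[2])


if __name__ == "__main__":
    fp = "bad1bad1"
    if is_shared_certificate(SIGHTINGS, fp):
        print(f"{fp} is too widely shared to pivot on")
    for s in timeline(SIGHTINGS, fp):
        print(f"{s['first_seen']} .. {s['last_seen']}  {s['kind']:4} {s['asset']}:{s['port']}")
    known = {fp: {"203.0.113.10", "203.0.113.11"}}
    for alert in detect_new_presenters(SIGHTINGS, {fp}, known, since=date(2024, 4, 1)):
        print("ALERT new presenter:", alert)
```

Run the detection on a schedule against fresh sightings, feeding each alert's asset back into `known_assets` once triaged, so that only genuinely new infrastructure presenting the watchlisted certificate raises an alert.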