Certificate History

The Certificate Timeline provides a visual history of when a certificate was presented on hosts and web properties. This visualization provides threat hunters with a historical context that simplifies the discovery of patterns, trends, and anomalies that could signal malicious behavior.

Certificates can act as strong indicators of compromise (IOCs) because threat actors often reuse a certificate across multiple assets over time. If a certificate is used by a threat actor, they will likely use it again. While a certificate may be used by only a few hosts, uncovering the assets that previously presented it helps to identify related infrastructure, build better queries, and track the evolution of attack infrastructure over time.

You can pivot directly from the timeline to investigate the historical configurations of hosts and web properties, providing a faster and deeper understanding of adversary behavior.

Certificate Timeline

1. Go to a host or a web property.

2. Locate the certificate and click on Fingerprint.

3. On the Certificate Details page, click the Timeline tab.

4. The Timeline tab displays the history of this certificate within a defined time range. Each line of the bar chart represents a host or web property that presented this certificate. In the screenshot below, the certificate is present on numerous hosts beginning on Apr 23.

   Sort the timeline by different dimensions to refine your search results: Host/Web, Time Range, Port, and Protocol.

   

5. Click a bar plot for an asset to view additional information about that asset at that specific point in time.

   In the example below, when the host was presented this certificate, it showed no detected threats, 14 services, the JARM fingerprint, and banner hash that were observed on the host.