The ESA Activity Monitoring rules for monitoring changes to root CA certificates are vast limits vendor rules. They are stored in the configuration file uberAgent-ESA-am-vastlimits.conf.
The rules detect certificate chain cloning and cloned root trust attacks by monitoring writes to user and machine registry keys. For details, check the following rules:
Detect AuthRoot, CA and Root certificate changes per machine
Detect AuthRoot, CA and Root certificate changes per user
Root CA certificate monitoring
The ESA Activity Monitoring rules for monitoring changes to root CA certificates are vast limits vendor rules. They are stored in the configuration file
uberAgent-ESA-am-vastlimits.conf.The rules detect certificate chain cloning and cloned root trust attacks by monitoring writes to user and machine registry keys. For details, check the following rules:
Detect AuthRoot, CA and Root certificate changes per machineDetect AuthRoot, CA and Root certificate changes per user