
Summary
This rule monitors the export of private keys and the installation of new certificates on Cisco devices. By looking for commands such as `crypto pki export`, `crypto pki import`, and `crypto pki trustpoint`, it identifies potentially unauthorized actions that could lead to credential theft or misuse. Monitoring these commands matters because they can indicate attempts to exfiltrate sensitive cryptographic material or to manipulate the trust settings of the device. The rule works by matching these keywords in the logs of Cisco AAA services, so that any unexpected use of cryptographic commands is flagged for review. It supports the integrity of network security and the protection of confidential communications. The rule can produce false positives, although export commands are not commonly executed by administrators; whitelisting known good certificates is therefore recommended to reduce unnecessary alerts.
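As an added illustration of the rule's keyword logic and the suggested whitelist (example code, not the rule's own implementation), the following Python runs the check over constructed command-accounting lines; the log layout, user names, addresses and trustpoint names are assumptions:

```python
import re

# Keywords the rule looks for in Cisco AAA command-accounting logs (from the rule description).
CRYPTO_KEYWORDS = ("crypto pki export", "crypto pki import", "crypto pki trustpoint")

# Hypothetical allow-list of trustpoints whose export/import is expected on this device.
KNOWN_GOOD_TRUSTPOINTS = {"TP-self-signed-1234"}

# Constructed sample lines in a TACACS+-style command-accounting layout (not real device output).
SAMPLE_LOG = """\
Jan 10 09:12:01 10.0.0.1 admin vty0 10.0.0.50 stop task_id=101 service=shell priv-lvl=15 cmd=show ip interface brief
Jan 10 09:13:44 10.0.0.1 admin vty0 10.0.0.50 stop task_id=102 service=shell priv-lvl=15 cmd=crypto pki export TP-self-signed-1234 pem terminal
Jan 10 09:15:02 10.0.0.1 jdoe vty1 198.51.100.7 stop task_id=103 service=shell priv-lvl=15 cmd=Crypto PKI export CORP-CA pkcs12 terminal
Jan 10 09:16:30 10.0.0.1 jdoe vty1 198.51.100.7 stop task_id=104 service=shell priv-lvl=15 cmd=crypto pki trustpoint ROGUE-CA
Jan 10 09:17:00 10.0.0.1 admin vty0 10.0.0.50 stop task_id=105 service=shell priv-lvl=15 cmd=crypto key generate rsa modulus 2048
"""

# Assumed field order: timestamp, device, user, tty, source address, record type, attributes, cmd=<command>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<device>\S+) (?P<user>\S+) (?P<tty>\S+) "
    r"(?P<src>\S+) \S+ .*?cmd=(?P<cmd>.*)$"
)

def parse_line(line):
    # Return the accounting fields of one line, or None if it does not fit the assumed layout.
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def matched_keyword(cmd):
    # Case-insensitive substring match, the way a Sigma keyword list behaves.
    lowered = cmd.lower()
    return next((kw for kw in CRYPTO_KEYWORDS if kw in lowered), None)

def is_known_good(cmd, keyword, known_good):
    # The trustpoint name is the first token after the keyword; suppress it if allow-listed.
    rest = cmd[cmd.lower().index(keyword) + len(keyword):].split()
    return bool(rest) and rest[0] in known_good

def detect(log_text, known_good=KNOWN_GOOD_TRUSTPOINTS):
    # Run the rule over raw log text; return one alert dict per suspicious crypto command.
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kw = matched_keyword(rec["cmd"])
        if kw is None or is_known_good(rec["cmd"], kw, known_good):
            continue
        alerts.append({"device": rec["device"], "user": rec["user"], "src": rec["src"],
                       "keyword": kw, "cmd": rec["cmd"]})
    return alerts
```

Running `detect(SAMPLE_LOG)` flags the two `jdoe` commands and suppresses the export of the allow-listed trustpoint; the `crypto key generate` line does not match any keyword.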
Categories
- Network
- Infrastructure
- Endpoint
Data Sources
- Command
- Logon Session
Created: 2019-08-12