
Summary
This rule detects the issuance of new authentication certificates by Active Directory Certificate Services (AD CS) by monitoring the Windows Security event log for Event ID 4887. Each issuance record carries details such as the requester context, the DNS hostname of the requesting machine, and the time of the request. Monitoring these events matters because certificate issuance can be a sign of malicious activity: an attacker who obtains a certificate can misuse it for impersonation, privilege escalation, or persistence in the environment, and such events warrant deeper investigation to confirm the security of the AD environment. The detection captures the relevant attributes and organizes them so that suspicious certificate-issuance events can be correlated during further analysis.
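As an added example (not part of the original rule), the Python below parses Windows Security Event ID 4887 records in the Event Log XML layout, pulls out the requester, the requester's DNS hostname (from the "ccm:" request attribute) and the issuance time, and groups issuances per requester so that one account obtaining certificates from several hosts stands out. The sample events, the CA hostname "ca01.example.local", the account names and the request IDs are all constructed; the field names RequestId, Requester, Attributes and Subject are those of the real 4887 event.

```python
"""Parse Windows Security Event ID 4887 (AD CS issued a certificate)
records and organize the attributes this rule cares about.
Example code added for illustration; the sample events below are
constructed, not real telemetry."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass

# Namespace used by Windows Event Log XML exports.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


@dataclass
class CertIssuance:
    time: str            # TimeCreated SystemTime of the 4887 event
    ca_host: str         # CA server that logged the event
    request_id: str
    requester: str       # account that submitted the request
    requester_host: str  # DNS hostname from the "ccm:" request attribute
    template: str        # "CertificateTemplate:" request attribute
    subject: str


def parse_attributes(raw):
    """Split the Attributes field ("key:value" tokens) into a dict.
    Assumes tokens are whitespace separated, as in the constructed sample."""
    out = {}
    for token in raw.split():
        key, sep, value = token.partition(":")
        if sep:
            out[key] = value
    return out


def parse_4887(xml_text):
    """Return a CertIssuance for an Event ID 4887 record, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4887":
        return None
    time_el = root.find("e:System/e:TimeCreated", NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    attrs = parse_attributes(data.get("Attributes", ""))
    return CertIssuance(
        time=time_el.get("SystemTime", "") if time_el is not None else "",
        ca_host=root.findtext("e:System/e:Computer", default="", namespaces=NS),
        request_id=data.get("RequestId", ""),
        requester=data.get("Requester", ""),
        requester_host=attrs.get("ccm", ""),
        template=attrs.get("CertificateTemplate", ""),
        subject=data.get("Subject", ""),
    )


def hosts_per_requester(issuances):
    """Group issuances by requester: one account obtaining certificates
    from several hosts is the kind of pattern worth a closer look."""
    seen = defaultdict(set)
    for i in issuances:
        seen[i.requester].add(i.requester_host)
    return {req: sorted(hosts) for req, hosts in seen.items()}


def _event(event_id, time, requester, attributes, request_id, subject):
    """Build a constructed event in Windows Event Log XML layout."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{time}"/>
    <Computer>ca01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="RequestId">{request_id}</Data>
    <Data Name="Requester">{requester}</Data>
    <Data Name="Attributes">{attributes}</Data>
    <Data Name="Disposition">3</Data>
    <Data Name="SubjectKeyIdentifier">constructed-ski</Data>
    <Data Name="Subject">{subject}</Data>
  </EventData>
</Event>"""


# Constructed sample records: two issuances for the same account from two
# different hosts, plus a non-4887 event that the parser must skip.
SAMPLE_EVENTS = [
    _event("4887", "2024-11-13T09:00:00Z", "EXAMPLE\\jdoe",
           "CertificateTemplate:User ccm:WS01.example.local", "101", "CN=jdoe"),
    _event("4887", "2024-11-13T09:05:00Z", "EXAMPLE\\jdoe",
           "CertificateTemplate:User ccm:WS07.example.local", "102", "CN=jdoe"),
    _event("4886", "2024-11-13T09:06:00Z", "EXAMPLE\\svc",
           "CertificateTemplate:User ccm:SRV02.example.local", "103", "CN=svc"),
]


def analyze(xml_records):
    """Parse all records, keep the 4887 ones, and summarize host usage."""
    issuances = [i for i in (parse_4887(x) for x in xml_records) if i]
    return issuances, hosts_per_requester(issuances)


if __name__ == "__main__":
    issuances, summary = analyze(SAMPLE_EVENTS)
    for i in issuances:
        print(i)
    print(summary)
```

Run against an export of the Security log (for example the XML view from Event Viewer or `Get-WinEvent | ForEach-Object { $_.ToXml() }`), the per-requester host summary is the starting point for the correlation the rule describes; the template name is kept alongside because which template issued the certificate is usually the first thing an analyst asks.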
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
ATT&CK Techniques
- T1649
Created: 2024-11-13