
Windows Steal Authentication Certificates - ESC1 Authentication

Splunk Security Content

Summary
This detection rule identifies suspicious activity in Active Directory Certificate Services (AD CS): the issuance of an authentication certificate carrying a Subject Alternative Name (SAN), followed by the immediate use of that certificate to authenticate. The analytic monitors Windows Security Event Logs for EventCode 4887, which records the issuance of a certificate, and correlates it with EventCode 4768, which records authentication using that certificate. The correlation matters because misconfigured certificate templates can allow an attacker to obtain a certificate for another identity and use it to gain elevated privileges or compromise the entire environment. The rule is intended for environments that frequently issue certificates, where enhanced auditing is needed to catch abuse of certificate requests. Legitimate administrative use of SANs can produce false positives, which should be tuned with environment-specific exception rules.
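The correlation the summary describes, as an added illustration (not Splunk's own search): sample 4887 and 4768 events are constructed inline in a flattened key=value form, the certificate serial number is assumed to be the join key between the two events, and the SAN attribute is parsed so the requester can be compared with the identity it asked for.

```python
"""Correlate AD CS issuance (4887) with certificate-based Kerberos
authentication (4768) when the request carried a SAN. Constructed sample
data; field names follow the Windows Security log text, not Splunk CIM."""
import re
from datetime import datetime, timedelta

# Constructed events: one SAN-bearing request used by a different identity,
# one ordinary machine certificate used by its own requester.
SAMPLE_EVENTS = [
    "2024-12-10T10:00:05 EventCode=4887; Requester=CORP\\jdoe; "
    "Attributes=SAN:upn=administrator@corp.local; CertificateTemplate=UserAuth; "
    "SerialNumber=61000000ab; Subject=CN=jdoe",
    "2024-12-10T10:00:20 EventCode=4768; TargetUserName=administrator; "
    "PreAuthType=16; CertificateSerialNumber=61000000ab; IpAddress=10.0.0.5",
    "2024-12-10T11:00:00 EventCode=4887; Requester=CORP\\svc-web; Attributes=; "
    "CertificateTemplate=WebServer; SerialNumber=61000000ac; Subject=CN=web01",
    "2024-12-10T11:00:10 EventCode=4768; TargetUserName=svc-web; PreAuthType=16; "
    "CertificateSerialNumber=61000000ac; IpAddress=10.0.0.6",
]

SAN_UPN = re.compile(r"SAN:upn=([^;\s]+)", re.IGNORECASE)


def parse_event(line):
    """Split '<timestamp> k=v; k=v; ...' into a dict with a parsed _time."""
    ts, _, rest = line.partition(" ")
    fields = {"_time": datetime.fromisoformat(ts)}
    for kv in rest.split("; "):
        key, _, value = kv.partition("=")  # first '=' only: SAN values contain '='
        fields[key] = value
    return fields


def correlate_esc1(lines, window=timedelta(minutes=60)):
    """Return 4768 logons that used a SAN-bearing certificate issued within `window`."""
    events = [parse_event(l) for l in lines]
    issued = {}  # serial number -> 4887 event, only when a SAN was supplied
    for e in events:
        if e.get("EventCode") == "4887" and SAN_UPN.search(e.get("Attributes", "")):
            issued[e["SerialNumber"]] = e
    hits = []
    for e in events:
        if e.get("EventCode") != "4768":
            continue
        cert = issued.get(e.get("CertificateSerialNumber"))
        if cert and timedelta(0) <= e["_time"] - cert["_time"] <= window:
            san_upn = SAN_UPN.search(cert["Attributes"]).group(1)
            hits.append({"serial": cert["SerialNumber"], "requester": cert["Requester"],
                         "san_upn": san_upn, "template": cert["CertificateTemplate"],
                         "logon_user": e["TargetUserName"], "src_ip": e["IpAddress"],
                         "seconds_to_use": (e["_time"] - cert["_time"]).seconds})
    return hits
```

A hit whose `requester` does not match `san_upn` is the case the rule is after; a match (an administrator enrolling for their own account) is the false-positive class the summary mentions and is where exceptions belong.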
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1649
  • T1550
Created: 2024-12-10