Certificate Transparency Log Monitoring, Alerting and Investigation

DigitalStakeout now has public Certificate Transparency Logs. CT logs enable you to monitor and investigate public SSL/TLS certificates issued for domains in near real-time.

Quickly identify rogue certificates issued for domains

Does your organization have a solution to detect malicious or fraudulent certificates? Do you know the digital footprint of your brand? When certificate authorities (CAs) issue certificates, they must publish certificates to at least two public logs known as Certificate Transparency Logs (CT Logs). The CT logs carry important data about all trusted certificates on the Internet. When someone hosts a website on HTTPS, a certificate needs to be created first. Certificate Transparency Logs enable defenders to spot malicious certificates and malicious domains before they are used in attacks. You can also use CT logs as a source of data to map out your brand’s digital footprint.


Discover your digital attack surface

The digital attack surface is where hackers, threat actors or unauthorized users can exploit or compromise digital systems. The greater the digital footprint of any person or organization, the greater the digital risk, attack surface and cyber risk. Enterprise digital risk increases as a result of an increased day-to-day dependency on digital systems and applications. Since so much infrastructure relies on HTTPS communication, certificate logs expose a wealth of information about your current or future digital footprint.

Search certificate transparency logs with ease

Search CT logs visually by full-text search, entity, and tags, without learning a technical query language. Certificate Transparency logs are “append-only”, publicly auditable ledgers of certificates being created, updated, and expired. These logs are produced in real-time by Cloudflare, Google, DigiCert, Let’s Encrypt, and others. Together, they produce more than 1 billion log events a month.


{"message_type": "certificate_update", "data": {"leaf_cert": {"not_after": 1633830762, "signature_algorithm": "sha256, rsa", "extensions": {"subjectKeyIdentifier": "46:02:1D:2F:6C:BB:36:43:60:1C:A6:5E:64:4D:9B:33:EA:31:99:C6", "authorityKeyIdentifier": "keyid:2A:AB:91:49:27:EE:32:A8:AB:53:C6:2B:44:A7:AB:19:7C:E8:DB:B5\n", "extendedKeyUsage": "TLS Web server authentication, TLS Web client authentication", "subjectAltName": "DNS:microsoft.com, DNS:*.vault.microsoft.com, DNS:keyvault.microsoft.com, DNS:*.microsoft.com", "keyUsage": "Digital Signature, Key Encipherment", "certificatePolicies": "Policy: 2.23.140.1.2.2\nPolicy: 1.3.6.1.4.1.4146.1.20\n CPS: https://www.globalsign.com/repository/", "ctlPoisonByte": true, "authorityInfoAccess": "OCSP - URI:http://ocsp.staging.globalsign.com/gsrsaovsslca2018\nCA Issuers - URI:http://secure.staging.globalsign.com/cacert/gsrsaovsslca2018.crt\n", "basicConstraints": "CA:FALSE"}, "fingerprint": "7B:51:A2:4D:53:7C:6C:A7:7B:B1:1D:26:E3:8C:A7:DE:B1:16:0F:FC", "all_domains": ["*.microsoft.com", "*.vault.microsoft.com", "keyvault.microsoft.com", "microsoft.com"], "serial_number": "64762370C03BFC8E9801B1B", "subject": {"C": "US", "CN": "*.microsoft.com", "L": "Redmond", "O": "Microsoft", "ST": "WA", "emailAddress": null, "OU": "Microsoft Corporation", "aggregated": "/C=US/CN=*.microsoft.com/L=Redmond/O=Microsoft/OU=Microsoft Corporation/ST=WA"}, "not_before": 1615341162, "issuer": {"C": "BE", "CN": "GlobalSign RSA OV SSL CA 2018 - Staging1", "L": null, "O": "GlobalSign nv-sa", "ST": null, "emailAddress": null, "OU": null, "aggregated": "/C=BE/CN=GlobalSign RSA OV SSL CA 2018 - Staging1/O=GlobalSign nv-sa"}}, "cert_link": "http://ct.googleapis.com/logs/solera2021/ct/v1/get-entries?start=526187&end=526187", "source": {"url": "ct.googleapis.com/logs/solera2021/", "name": "Google 'Solera2021' log"}, "update_type": "PrecertLogEntry", "seen": 1615341233.455071, "cert_index": 526187}}

DigitalStakeout now aggregates all available CT logs. We also extract data from the logs so they can be searchable fields. Users can query this log data by Boolean search, extracted entity, or fuzzy match with speed and precision.



How does Certificate Transparency Log Monitoring and Alerting work?

Detecting and mitigating certificate threats requires constant visibility into numerous CT log sources. Customers can monitor new certificate logs and filter through the noise. With DigitalStakeout Scout, you can monitor our real-time CTL feed, and our technology filters millions of entries to the few that threaten your organization.
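
A minimal watchlist filter over feed messages shaped like the sample record shown earlier, illustrating both the field extraction and the noise filtering described above. This is an added example, not DigitalStakeout's code or part of the original page; only the field names come from the record, while the watchlist, the expected issuer name and the sample messages are constructed assumptions.

```python
import json

# Assumed watchlist (hypothetical): owned domain -> issuer organizations expected to issue for it.
WATCHLIST = {"example.com": {"Example Trust Services"}}

def under(name, domain):
    """True if name (wildcard allowed) is the domain itself or one of its subdomains."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)

def triage(raw):
    """Return findings for one feed message, read via the sample record's field names."""
    msg = json.loads(raw)
    if msg.get("message_type") != "certificate_update":
        return []
    data = msg["data"]
    cert = data["leaf_cert"]
    issuer = cert["issuer"].get("O") or cert["issuer"].get("CN")
    findings = []
    for domain, expected in WATCHLIST.items():
        brand = domain.split(".")[0]
        for name in cert["all_domains"]:
            if under(name, domain):   # our own name: only the issuing CA can be wrong
                kind = None if issuer in expected else "unexpected_issuer"
            else:                     # foreign name that embeds the brand label
                kind = "lookalike_name" if brand in name.lower() else None
            if kind:
                findings.append({"kind": kind, "name": name, "issuer": issuer,
                                 "fingerprint": cert["fingerprint"], "log": data["source"]["name"],
                                 "precert": data["update_type"] == "PrecertLogEntry"})
    return findings

def make_msg(names, issuer_o, update_type="X509LogEntry"):
    """Build a constructed message holding only the fields triage() reads."""
    return json.dumps({"message_type": "certificate_update", "data": {
        "leaf_cert": {"all_domains": names, "fingerprint": "00:11:22 (constructed)",
                      "issuer": {"O": issuer_o, "CN": issuer_o + " CA"}},
        "update_type": update_type, "source": {"name": "constructed test log"}}})

SAMPLES = [  # constructed inputs, not real log entries
    make_msg(["example.com", "*.example.com"], "Example Trust Services"),  # expected issuance
    make_msg(["vpn.example.com"], "Other CA Ltd", "PrecertLogEntry"),      # owned name, unknown CA
    make_msg(["example.com.account-verify.test"], "Other CA Ltd"),         # brand in foreign name
    make_msg(["unrelated.test"], "Other CA Ltd"),                          # noise
]

if __name__ == "__main__":
    print(json.dumps([triage(r) for r in SAMPLES], indent=2))
```

Substring matching on the brand label is deliberately coarse; a production filter would add homoglyph and edit-distance checks and an allowlist for known third parties.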

It’s important to manage these risks in real-time. You should be alerted to these discoveries within minutes. Failing to act on a digital threat to your organization can lead to serious reputational and financial impacts. In regulated industries, these incidents can also lead to compliance violations that can come with financial penalties. Cyber insurance providers monitor data sources like public CT logs for future evidence against a claim.

DigitalStakeout simplifies threat monitoring and alerting by leveraging machine learning and artificial intelligence. Our proprietary technology automatically detects threats that most digital risk tools & services fail to address or miss, and alerts customers to them. You can investigate certificate logs easily with a Boolean search. DigitalStakeout’s best-in-class customer support gives you access to subject matter expert resources to detect and take action against these and other digital risks to your organization.

