Description: Before the May 10, 2022 security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name. This allowed related certificates to be emulated (spoofed) in various ways.
References: 1, 2, 3
SPL:
index="windows" source="XmlWinEventLog:System" EventCode IN (39,41,40,48,41,49)
| eval Time=strftime(_time, "%Y-%m-%d %H:%M:%S %z")
| table Time, index, host, UserData_Xml