Switching from the Encryption Auditing Trigger to the Threat ID: Certificates trigger reduced my trigger load by 20%. Yay!
Not sure why they didn’t include an IP ignore list like the Encryption Auditing Trigger had, but I absolutely need a way to ignore some IPs. I have proxy servers that bring in a lot of external certs that we don’t want to monitor, so I added it back in and it seems to be working well.
I also liked the way the Encryption Auditing Trigger gave you all the info on one line - server IP, cert name, expiration date. With this trigger, I can’t get all this info without drilling into the device or going into the records. I couldn’t figure out how to tweak the trigger to make it do this.