How-To: Export EZCA PKI Logs to a SIEM Solution

EZCA enables your security team to monitor critical user actions by pushing the information to your SIEM.

Introduction - How to Send your PKI Logs to your SIEM

EZCA enables your security team to monitor critical user actions by pushing the information to your SIEM. The following SIEM providers are currently supported:

  • Azure Sentinel
  • CrowdStrike Falcon LogScale
  • Splunk

If your SIEM provider is not currently supported, email your Keytos contact and request a connector for that specific provider.

Prerequisites


How to Connect EZCA to Your SIEM Solution

Setup Azure Sentinel

  1. Go to the EZCA Portal.
  2. Click on Settings.
  3. Expand your subscription’s advanced settings.
  4. Enable the Send Audit Logs to SIEM option.
  5. Select Sentinel as the SIEM Provider.
  6. In another tab, go to the Azure Portal.
  7. Select the Log Analytics workspace connected to your Sentinel instance.
  8. Click on Agents management.
  9. Copy your Workspace ID.
  10. Go back to the EZCA tab and paste it in the Workspace ID field.
  11. Go back to the Azure tab and copy the primary key.
  12. Go back to the EZCA tab and paste the key in the Workspace Key field.
  13. Click the Test Connection button. This creates a test log in your SIEM to make sure EZCA can write to it.
  14. If the connection test is successful, click Save changes.
  15. EZCA will now send your security logs to your SIEM. If an error occurs it will email your subscription PKI administrators.

The workspace primary key is a shared secret that grants write access to the whole Log Analytics workspace, so store it only in EZCA and treat it like any other credential. If the key is regenerated in Azure, log delivery stops until the new key is saved in EZCA.

Setup CrowdStrike Falcon LogScale

  1. Go to the EZCA Portal.
  2. Click on Settings.
  3. Expand your subscription’s advanced settings.
  4. Enable the Send Audit Logs to SIEM option.
  5. Select CrowdStrike Falcon LogScale as the SIEM Provider.
  6. In another tab, go to your CrowdStrike Falcon LogScale instance.
  7. Click on the Settings tab.
  8. Select the Ingest Tokens menu.
  9. Click on the Add Token button.
  10. Enter the token name.
  11. Assign the json parser and click Create.
  12. Copy the token and the ingest host name.
  13. Go back to the EZCA tab.
  14. Paste the ingest host name in the Ingestion Endpoint field.
  15. Paste the token in the Ingestion Token field.
  16. Click the Test Connection button. This creates a test log in your SIEM to make sure EZCA can write to it.
  17. If the connection test is successful, click Save changes.

EZCA sends each event as a JSON object, so the json parser assigned in step 11 is what makes fields such as LogType and EventID searchable in LogScale; with a different parser the queries later on this page will not match.

Setup Splunk

  1. Go to the EZCA Portal.
  2. Click on Settings.
  3. Expand your subscription’s advanced settings.
  4. Enable the Send Audit Logs to SIEM option.
  5. Select Splunk as the SIEM Provider.
  6. In another tab, go to your Splunk instance.
  7. Open the Settings menu and go to Data inputs.
  8. Add a new HTTP Event Collector.
  9. Enter “Keytos” as the Name and click Next.
  10. Leave the input settings at their default values and click Next.
  11. Click Submit.
  12. Copy the HTTP Event Collector token you just created.
  13. Go back to the EZCA tab and enter the URL of your Splunk instance and the token you just created in the corresponding fields.
  14. Click the Test Connection button. This creates a test log in your SIEM to make sure EZCA can write to it.
  15. If the connection test is successful, click Save changes.
  16. EZCA will now send your security logs to your SIEM. If an error occurs it will email your subscription administrators. See below for the different events EZCA will send.

If the connection test fails, check that the HTTP Event Collector is enabled under Global Settings on the Data inputs page (it is disabled by default on a new Splunk Enterprise install) and that the HEC port, 8088 by default, is reachable from EZCA.

How To Create Alerts in Your SIEM to Monitor Your PKI

SIEMs allow you to create alerts for critical operations or abnormal behavior. We recommend setting up alerts for every High criticality event and reviewing Medium and Low events regularly. Below are sample queries that can be used to create alerts, given for each supported SIEM. In Sentinel the EZCA logs land in the custom tables EZCA_Certificates_CL and EZCA_CAs_CL, where numeric fields such as EventID carry the _d suffix; in LogScale and Splunk the same events are selected by LogType or sourcetype together with EventID.

How To Detect Certificate Request Denied

Certificate request denied is an event that is created when a user requests a certificate that they do not have permission to request. It is important to alert on this event since it can be an attacker attempting to escalate privileges by requesting a certificate they are not entitled to. Below is a sample query to retrieve this specific event:

Azure Sentinel (KQL):
EZCA_Certificates_CL | where EventID_d == 4888

CrowdStrike Falcon LogScale:
LogType = "EZCA_Certificates" and EventID = 4888

Splunk (SPL):
index=your_index sourcetype="EZCA_Certificates" EventID=4888

How To Detect CA Permissions Changed

CA Permissions Changed is an event that is created when a user changes the security permissions for a CA. This event should be monitored since it is a low frequency, high impact action that could indicate a compromise of your PKI administrators’ accounts. Below is a sample query to retrieve this specific event:

Azure Sentinel (KQL):
EZCA_CAs_CL | where EventID_d == 4882

CrowdStrike Falcon LogScale:
LogType = "EZCA_CAs" and EventID = 4882

Splunk (SPL):
index=your_index sourcetype="EZCA_CAs" EventID=4882

How To Detect CA Changes Denied

CA Change Denied is an event that is created when a user attempts to change the settings or security permissions of a CA without having the proper permissions. It is important to alert on this event since it can be an attacker attempting to escalate privileges by changing the security configuration of your certificate authority. Below is a sample query to retrieve this specific event:

Azure Sentinel (KQL):
EZCA_CAs_CL | where EventID_d == 92

CrowdStrike Falcon LogScale:
LogType = "EZCA_CAs" and EventID = 92

Splunk (SPL):
index=your_index sourcetype="EZCA_CAs" EventID=92

How To Detect a Deleted CA

CA Deleted is an event that is created when a user deletes a CA. This event should be monitored since it is a low frequency, high impact action that could indicate a compromise of your PKI administrators’ accounts. Below is a sample query to retrieve this specific event:

Azure Sentinel (KQL):
EZCA_CAs_CL | where EventID_d == 19

CrowdStrike Falcon LogScale:
LogType = "EZCA_CAs" and EventID = 19

Splunk (SPL):
index=your_index sourcetype="EZCA_CAs" EventID=19
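As an added example (not Keytos code) of the triage the queries above express, here is the same detection logic in Python run over constructed sample log lines, generalised from the four events above to the full event catalog in the reference tables on this page: High events become alerts, Medium and Low events are counted for review, unknown event IDs are surfaced instead of dropped, and repeated High events from one account are flagged. The record fields beyond LogType and EventID (Timestamp, User, CAName) are an assumption for the sample, since the page only shows those two fields in its queries.

```python
"""Triage of EZCA SIEM events over constructed sample log lines.

Added example, not Keytos code. Event IDs and criticalities come from the EZCA
events reference on this page; the record layout is assumed (the page's queries
only show the LogType and EventID fields).
"""
import json
from collections import Counter

# Event catalog from the page's reference tables: EventID -> (summary, criticality).
EVENT_CATALOG = {
    4882: ("The security permissions for Certificate Services changed", "High"),
    92: ("CA change denied due to insufficient permissions", "High"),
    23: ("Intermediate CA request rejected", "High"),
    19: ("CA deleted", "High"),
    28: ("Intermediate CA was imported", "Medium"),
    22: ("Intermediate CA created with EZCA Root", "Medium"),
    12: ("CA was renewed", "Low"),
    4888: ("Certificate request denied due to insufficient permissions", "High"),
    4870: ("A certificate has been revoked", "Medium"),
    4872: ("Publish CRL", "Low"),
    4887: ("Certificate was created", "Low"),
}

# Constructed sample log (JSON lines). Fields other than LogType/EventID are assumed.
SAMPLE_LOG = """\
{"Timestamp":"2024-03-01T09:00:00Z","LogType":"EZCA_Certificates","EventID":4887,"User":"web01@contoso.example","CAName":"Contoso Issuing CA"}
{"Timestamp":"2024-03-01T09:00:05Z","LogType":"EZCA_Certificates","EventID":4872,"User":"system","CAName":"Contoso Issuing CA"}
{"Timestamp":"2024-03-01T09:01:10Z","LogType":"EZCA_Certificates","EventID":4888,"User":"intern@contoso.example","CAName":"Contoso Issuing CA"}
{"Timestamp":"2024-03-01T09:02:00Z","LogType":"EZCA_CAs","EventID":92,"User":"intern@contoso.example","CAName":"Contoso Issuing CA"}
{"Timestamp":"2024-03-01T09:03:00Z","LogType":"EZCA_CAs","EventID":4882,"User":"pkiadmin@contoso.example","CAName":"Contoso Issuing CA"}
{"Timestamp":"2024-03-01T09:04:00Z","LogType":"EZCA_Certificates","EventID":4870,"User":"pkiadmin@contoso.example","CAName":"Contoso Issuing CA"}
{"Timestamp":"2024-03-01T09:05:00Z","LogType":"EZCA_CAs","EventID":9999,"User":"unknown","CAName":"Contoso Issuing CA"}
"""


def parse_events(text):
    """Parse JSON lines; a malformed line is skipped rather than aborting the whole run."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def triage(events):
    """Split events into alerts (High), a review counter (Medium/Low) and unknown IDs.

    Unknown event IDs are returned rather than dropped: an event the catalog does not
    know about is the one you least want to lose silently."""
    alerts, unknown = [], []
    review = Counter()
    for ev in events:
        eid = ev.get("EventID")
        entry = EVENT_CATALOG.get(eid)
        if entry is None:
            unknown.append(ev)
            continue
        summary, criticality = entry
        if criticality == "High":
            alerts.append({
                "EventID": eid, "Summary": summary, "LogType": ev.get("LogType"),
                "User": ev.get("User"), "CAName": ev.get("CAName"),
                "Timestamp": ev.get("Timestamp"),
            })
        else:
            review[(criticality, summary)] += 1
    return alerts, review, unknown


def repeat_offenders(alerts, threshold=2):
    """Accounts behind `threshold` or more High events. A denied certificate request
    followed by a denied CA change from the same account deserves a closer look than
    either event on its own."""
    counts = Counter(a["User"] for a in alerts if a["User"])
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    alerts, review, unknown = triage(parse_events(SAMPLE_LOG))
    for a in alerts:
        print(f"ALERT   {a['Timestamp']} {a['LogType']} {a['EventID']} {a['Summary']} user={a['User']}")
    for (crit, summary), n in sorted(review.items()):
        print(f"REVIEW  {crit:6} x{n} {summary}")
    for ev in unknown:
        print(f"UNKNOWN EventID={ev.get('EventID')} in {ev.get('LogType')}")
    print("repeat offenders:", repeat_offenders(alerts))
```

The catalog is a plain dictionary so the same logic can be pointed at any of the three SIEM exports once the events are pulled as JSON; the per-user correlation in `repeat_offenders` is the part the single-event queries above cannot express on their own.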

Cloud PKI SIEM Events Reference

CA Operation Events

Event ID | Event Summary | Description | Potential Criticality
4882 | The security permissions for Certificate Services changed | A change in CA settings that might give or remove critical permissions | High
92 | CA change denied due to insufficient permissions | A user attempted to change CA settings without the proper permissions | High
23 | Intermediate CA request rejected | A new Intermediate CA request has been rejected | High
19 | CA deleted | A CA was deleted | High
28 | Intermediate CA was imported | A new Intermediate CA has been created chaining to an external CA | Medium
22 | Intermediate CA created with EZCA Root | A new Intermediate CA has been created chaining to an EZCA CA | Medium
12 | CA was renewed | A CA has been renewed | Low

Certificate Operation Events

Event ID | Event Summary | Description | Potential Criticality
4888 | Certificate request denied due to insufficient permissions | A user attempted to request a certificate without the proper permissions | High
4870 | A certificate has been revoked | This can cause an outage if it was done by mistake or if the new certificate is not added to all the endpoints that use the certificate | Medium
4872 | Publish CRL | The CRL has been published. This does not have to be tracked, as EZCA takes care of CRL publication for you | Low
4887 | Certificate was created | A certificate was created successfully | Low