How-To: Export your Cloud PKI Logs to Datadog

EZCA enables your security team to monitor critical user actions by pushing the information to your SIEM. In this page we will show you how to connect your Cloud PKI logs to Datadog.

Prerequisites

How To Export Your Cloud PKI Audit Logs To Datadog

How To Enable Log Export in EZCA Portal

  1. Go to the EZCA Portal.

  2. Click on Settings.

    EZCA Settings

  3. Expand your subscription’s Advanced Settings.

    EZCA Subscription Advanced Settings

  4. Enable the Send Audit Logs to SIEM option.

    EZCA Send Audit Logs to SIEM checkbox

How To Configure the Datadog Exporter in the Datadog Portal

  1. In another tab, go to the Datadog Logs API docs: Datadog Docs.

  2. Look on the top right and check that you have the correct Datadog site selected.

    Getting HTTP endpoint from Datadog Docs

  3. Select the correct site, then copy the corresponding URL.

    Finding HTTP endpoint from Datadog Docs

  4. Now go to your Datadog Instance. Here you will find your personal settings.

    Datadog account menu and user settings

  5. Hover over your username and click the API Keys option.

    Datadog API keys tab in user settings

  6. Then click the + New Key button

    Datadog API keys page with + New Key button

  7. Give your key a name and click on the Create Key button

    Datadog dialog to name and create a new API key

  8. Copy your key and hit the Finish button.

    Datadog screen showing newly created API key ready to copy

How To Configure the Datadog SIEM in EZCA Portal

  1. Now go back to the EZCA Portal.

  2. Select Datadog as the SIEM Provider.

    Set Datadog as the SIEM in EZCA

  3. Input the values that you copied from the Datadog portals. Then, click Test Connection. This will create a test log in your Datadog SIEM (please allow a few minutes for the log to show up in the Datadog portal).

    Datadog Paste Values and Test Connection

  4. If the connection test is successful, click Save changes

    EZCA Settings Save Changes

  5. EZCA will now send your security alerts to your SIEM. If an error occurs it will email your subscription administrators. See below to see the different events EZCA will send.

How To Create Alerts in Datadog to Monitor Your Cloud PKI Activity

We recommend setting up alerts for any high criticality event, and closely monitor medium and low events. Here are some example queries to get you started:

Certificate Request Denied (Event ID 4888)

Certificate request denied is an event that is created when a user requests a certificate that they do not have permission to request. It is important to alert on this event since it can be an attacker attempting to escalate privileges by requesting a certificate.

service:EZCA @EventID:4888

CA Permission Changed (Event ID 4882)

CA Permission Changed is an event that is created when a user changes the security permissions for a CA. This event should be monitored since it is a low frequency high impact action that could indicate a compromise to your PKI administrator’s accounts.

service:EZCA @EventID:4882

CA Changes Denied (Event ID 92)

CA Permission Denied is an event that is created when a user attempts to change the security permissions for a CA without having the proper security permissions. It is important to alert on this event since it can be an attacker attempting to escalate privileges by changing the security configuration of your certificate authority.

service:EZCA @EventID:92

Deleted CA (Event ID 19)

CA Deleted is an event that is created when a user deletes a CA. This event should be monitored since it is a low frequency high impact action that could indicate a compromise to your PKI administrator’s accounts.

service:EZCA @EventID:19

What Logs are Sent to Datadog?

EZCA sends the following log types to your SIEM:

CA Operation Events

Event ID Event Summary Description Potential Criticality
4882 The security permissions for Certificate Services changed A change in CA settings that might give or remove critical permissions High
92 CA change denied due to insufficient permissions A user attempted to change CA settings without the proper permissions High
23 Intermediate CA request rejected A new Intermediate CA request has been rejected High
19 CA deleted This indicates that a CA was deleted High
28 Intermediate CA was imported A new Intermediate CA has been created chaining to an external CA Medium
22 Intermediate CA created with EZCA Root A new Intermediate CA has been created chaining to an EZCA CA Medium
12 CA was renewed A CA has been renewed Low

Certificate Operation Events

Event ID Event Summary Description Potential Criticality
4888 Certificate request denied due to insufficient permissions A user attempted to request a certificate without the proper permissions High
4870 A certificate has been revoked This can cause an outage if was done by mistake or the new certificate is not added to all the endpoints that use the certificate Medium
4872 Publish CRL This is an even that the CRL has been published, this does not have to be tracked as we take care of it for you. Low
4887 Certificate was created This event indicates a certificate was created successfully Low