How-To: Export your Cloud PKI Logs to Huntress

EZCA enables your security team to monitor critical user actions by pushing the information to your SIEM. In this page we will show you how to connect your Cloud PKI logs to Huntress.

Prerequisites

How To Export Your Cloud PKI Audit Logs To Huntress

How To Enable Log Export in EZCA Portal

  1. Go to the EZCA Portal.

  2. Click on Settings.

    EZCA Settings

  3. Expand your subscription’s Advanced Settings.

    EZCA Subscription Advanced Settings

  4. Enable the Send Audit Logs to SIEM option.

    EZCA Send Audit Logs to SIEM checkbox

How To Configure the Huntress Exporter in the Huntress Portal

  1. In another tab, go to your Huntress instance.

  2. Click on the SIEM menu. Then, click Source Management.

    Huntress Source Management

  3. Click Add Source. Then, click Generic HEC (HTTP Event Collector).

    Huntress Source Management HTTP Event Collector

  4. Click + Add to add a new HEC.

    Huntress Configure Generic HEC Add HEC

  5. Add an Organization, Name, and optional Description. Then, click Save.

    Huntress Configure Generic HEC

  6. After the HEC is created, copy the HTTP Event Collector URL and the HTTP Event Collector Token.

    Huntress Generic HEC Details

How To Configure the Huntress SIEM in EZCA Portal

  1. Now go back to the EZCA Portal.

  2. Select Huntress as the SIEM Provider.

    Set Huntress as the SIEM in EZCA

  3. Input the values that you copied from the Huntress portal. Then, click Test Connection. This will create a test log in your Huntress SIEM (please allow a few minutes for the log to show up in the Huntress portal).

    Huntress Paste Values and Test Connection

  4. If the connection test is successful, click Save changes

    EZCA Settings Save Changes

  5. EZCA will now send your security alerts to your SIEM. If an error occurs it will email your subscription administrators. See below to see the different events EZCA will send.

How To Create Alerts in Huntress to Monitor Your Cloud PKI Activity

We recommend setting up alerts for any high criticality event, and closely monitor medium and low events. Here are some example queries to get you started:

Certificate Request Denied (Event ID 4888)

Certificate request denied is an event that is created when a user requests a certificate that they do not have permission to request. It is important to alert on this event since it can be an attacker attempting to escalate privileges by requesting a certificate.

from logs | where generic_hec.EventID == 4888

CA Permission Changed (Event ID 4882)

CA Permission Changed is an event that is created when a user changes the security permissions for a CA. This event should be monitored since it is a low frequency high impact action that could indicate a compromise to your PKI administrator’s accounts.

from logs | where generic_hec.EventID == 4882

CA Changes Denied (Event ID 92)

CA Permission Denied is an event that is created when a user attempts to change the security permissions for a CA without having the proper security permissions. It is important to alert on this event since it can be an attacker attempting to escalate privileges by changing the security configuration of your certificate authority.

from logs | where generic_hec.EventID == 92

Deleted CA (Event ID 19)

CA Deleted is an event that is created when a user deletes a CA. This event should be monitored since it is a low frequency high impact action that could indicate a compromise to your PKI administrator’s accounts.

from logs | where generic_hec.EventID == 19

What Logs are Sent to Huntress?

EZCA sends the following log types to your SIEM:

CA Operation Events

Event ID Event Summary Description Potential Criticality
4882 The security permissions for Certificate Services changed A change in CA settings that might give or remove critical permissions High
92 CA change denied due to insufficient permissions A user attempted to change CA settings without the proper permissions High
23 Intermediate CA request rejected A new Intermediate CA request has been rejected High
19 CA deleted This indicates that a CA was deleted High
28 Intermediate CA was imported A new Intermediate CA has been created chaining to an external CA Medium
22 Intermediate CA created with EZCA Root A new Intermediate CA has been created chaining to an EZCA CA Medium
12 CA was renewed A CA has been renewed Low

Certificate Operation Events

Event ID Event Summary Description Potential Criticality
4888 Certificate request denied due to insufficient permissions A user attempted to request a certificate without the proper permissions High
4870 A certificate has been revoked This can cause an outage if was done by mistake or the new certificate is not added to all the endpoints that use the certificate Medium
4872 Publish CRL This is an even that the CRL has been published, this does not have to be tracked as we take care of it for you. Low
4887 Certificate was created This event indicates a certificate was created successfully Low