How-To: Export your Cloud PKI Logs to Splunk

Prerequisites

• The Keytos Entra ID application is registered in your tenant
• You have an active EZCA plan

How To Export Your Cloud PKI Audit Logs To Splunk

1. Go to the EZCA Portal.

2. Click on Settings.

   

3. Expand your subscription’s advanced settings.

   

4. Enable the Send Audit Logs to SIEM option.

   

5. Select Splunk as the SIEM Provider.

   

6. In another tab, go to your Splunk instance.

7. Go to Data inputs by clicking on the Settings menu.

   

8. Add a new Http Event Collector.

   

9. Enter “Keytos” as the Name click next.

10. Leave input settings with the default values and click Next.

11. Click Submit.

    

12. Copy the Splunk token we just created.

    

13. Now let’s go back to the EZCA portal and copy the url of your splunk instance and the token we just created.

14. Click the Test Connection"** button, this will create a test log in your SIEM to make sure EZCA can write to the SIEM.

    

15. If the connection test is successful, click Save changes

    

16. EZCA will now send your security alerts to your SIEM. If an error occurs it will email your subscription administrators. See below to see the different events EZCA will send.

How To Create Alerts in Splunk to Monitor Your Cloud PKI Activity

We recommend setting up alerts for any high criticality event, and closely monitor medium and low events. Here are some example queries to get you started:

Certificate Request Denied (Event ID 4888)

Certificate request denied is an event that is created when a user requests a certificate that they do not have permission to request. It is important to alert on this event since it can be an attacker attempting to escalate privileges by requesting a certificate.

index=your_index sourcetype="EZCA_Certificates" EventID=4888

CA Permission Changed (Event ID 4882)

CA Permission Changed is an event that is created when a user changes the security permissions for a CA. This event should be monitored since it is a low frequency high impact action that could indicate a compromise to your PKI administrator’s accounts.

index=your_index sourcetype="EZCA_CAs" EventID=4882

CA Changes Denied (Event ID 92)

CA Permission Denied is an event that is created when a user attempts to change the security permissions for a CA without having the proper security permissions. It is important to alert on this event since it can be an attacker attempting to escalate privileges by changing the security configuration of your certificate authority.

index=your_index sourcetype="EZCA_CAs" EventID=92

Deleted CA (Event ID 19)

CA Deleted is an event that is created when a user deletes a CA. This event should be monitored since it is a low frequency high impact action that could indicate a compromise to your PKI administrator’s accounts.

index=your_index sourcetype="EZCA_CAs" EventID=19

What Logs are Sent to Splunk?

EZCA sends the following log types to your SIEM:

CA Operation Events

Certificate Operation Events