How to Send your PKI Logs to your SIEM

Prerequisites

  1. Registering the application in your tenant
  2. Selecting a Plan

Introduction - How to Send your PKI Logs to your SIEM

EZCA enables your security team to monitor critical user actions by pushing the information to your SIEM. If your SIEM provider is not currently supported email your Keytos contact and request a connector for that specific provider.

How To Connect Your PKI To Azure Sentinel

  1. Go to the EZCA Portal.
  2. Click on Settings.
  3. Expand your subscription’s advanced settings.
  4. Enable the “Send Audit Logs to SIEM” option.
  5. Select Sentinel as the SIEM Provider.
  6. In another tab, go to the Azure Portal.
  7. Select the Log Analytics workspace connected to your Sentinel instance.
  8. Click on “Agents Management”.
  9. Copy your Workspace ID.
  10. Go back to the EZCA tab and paste it in the “Workspace ID” field.
  11. Go back to the Azure tab and copy the primary key.
  12. Go back to the EZCA tab and paste the key in the “Workspace Key” field.
  13. Click the “Test Connection” button. This writes a test log entry to your SIEM to confirm that EZCA can write to it.
  14. If the connection test is successful, click “Save changes”.
  15. EZCA will now send your security logs to your SIEM. If an error occurs while sending, EZCA emails your subscription’s PKI administrators.
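The Workspace ID and Workspace Key pasted in steps 10 and 12 are the credentials of the Azure Monitor HTTP Data Collector API, which writes rows into custom tables (the ones ending in _CL that the alert queries later on this page search). The example below is added here and is not EZCA's or Keytos' code; that EZCA uses this exact API is an assumption, but the request format, the SharedKey signature and the _CL table naming are Azure's. The workspace ID, key and event rows are constructed values.

```python
"""Build a signed Azure Monitor HTTP Data Collector API request.

Added example, not EZCA code.  Assumes the integration writes custom-log rows
with this API; the workspace ID/key and the event records below are constructed.
"""
import base64
import hashlib
import hmac
import json
import urllib.request
from datetime import datetime, timezone
from email.utils import format_datetime

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"

# Constructed demo credentials (a real Workspace Key is a base64 string copied from the portal).
DEMO_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
DEMO_WORKSPACE_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-workspace-key").decode()

# Constructed rows shaped like the certificate events in the table on this page.
# Numeric fields such as EventID become EventID_d in the workspace, strings become *_s.
DEMO_RECORDS = [
    {"EventID": 4887, "EventSummary": "Certificate was created", "User": "svc-web"},
    {"EventID": 4888, "EventSummary": "Certificate request denied", "User": "jdoe"},
]


def build_signature(workspace_id, workspace_key, rfc1123_date, content_length,
                    method="POST", content_type="application/json"):
    """Return the Authorization header value: 'SharedKey <id>:<base64 HMAC-SHA256>'.

    The string-to-sign layout is fixed by the API; the HMAC key is the
    base64-decoded workspace key.
    """
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{rfc1123_date}\n{RESOURCE}")
    digest = hmac.new(base64.b64decode(workspace_key),
                      string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, workspace_key, log_type, records, when=None):
    """Return (url, headers, body) for one batch of records.

    log_type is the Log-Type header; Log Analytics stores the rows in a table
    named <log_type>_CL, so "EZCA_Certificates" lands in EZCA_Certificates_CL.
    """
    body = json.dumps(records).encode("utf-8")
    when = when or datetime.now(timezone.utc)
    rfc1123_date = format_datetime(when, usegmt=True)  # e.g. 'Wed, 01 May 2024 10:00:00 GMT'
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, workspace_key, rfc1123_date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return url, headers, body


def send(url, headers, body):
    """POST the batch; the API answers 200 when the rows are accepted."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    url, headers, body = build_request(DEMO_WORKSPACE_ID, DEMO_WORKSPACE_KEY,
                                       "EZCA_Certificates", DEMO_RECORDS)
    print(url)
    print(headers["Authorization"])
    # send(url, headers, body)  # only against a real workspace; the demo ID does not exist
```

Because the signature covers the date header and the body length, the key never leaves your side, and a captured request cannot be replayed with a different payload. Treat the workspace key like any other write credential: rotate it from the same “Agents Management” blade if it is ever exposed, and re-run “Test Connection” afterwards.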

How To Connect Your PKI To CrowdStrike Falcon LogScale

  1. Go to the EZCA Portal.
  2. Click on Settings.
  3. Expand your subscription’s advanced settings.
  4. Enable the “Send Audit Logs to SIEM” option.
  5. Select CrowdStrike Falcon LogScale as the SIEM Provider.
  6. In another tab, go to your CrowdStrike Falcon LogScale instance.
  7. Click on the Settings tab.
  8. Select the “Ingest Tokens” menu.
  9. Click on the “Add Token” button.
  10. Enter the token name.
  11. Assign the “json” parser and click “Create”.
  12. Copy the token and the ingest host name.
  13. Go back to the EZCA tab.
  14. Paste the ingest host name in the “Ingestion Endpoint” field.
  15. Paste the token in the “Ingestion Token” field.
  16. Click the “Test Connection” button. This writes a test log entry to your SIEM to confirm that EZCA can write to it.
  17. If the connection test is successful, click “Save changes”.

SIEM Events

CA Operation Events

Event ID | Event Summary                                            | Description                                                                   | Potential Criticality
---------|----------------------------------------------------------|-------------------------------------------------------------------------------|----------------------
4882     | The security permissions for Certificate Services changed | A change in CA settings that might give or remove critical permissions       | High
92       | CA change denied due to insufficient permissions          | A user attempted to change CA settings without the proper permissions        | High
23       | Intermediate CA request rejected                          | A new Intermediate CA request has been rejected                              | High
19       | CA deleted                                                | This indicates that a CA was deleted                                         | High
28       | Intermediate CA was imported                              | A new Intermediate CA has been created chaining to an external CA            | Medium
22       | Intermediate CA created with EZCA Root                    | A new Intermediate CA has been created chaining to an EZCA CA                | Medium
12       | CA was renewed                                            | A CA has been renewed                                                        | Low

Certificate Operation Events

Event ID | Event Summary                                              | Description                                                                                                                        | Potential Criticality
---------|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------|----------------------
4888     | Certificate request denied due to insufficient permissions | A user attempted to request a certificate without the proper permissions                                                           | High
4870     | A certificate has been revoked                             | This can cause an outage if it was done by mistake or the new certificate is not added to all the endpoints that use the certificate | Medium
4887     | Certificate was created                                    | This event indicates a certificate was created successfully                                                                        | Low

How To Create Alerts in SIEM to Monitor Your PKI

Using Azure Sentinel enables you to create alerts for critical operations or abnormal behavior. We recommend setting up alerts for every high-criticality event and closely monitoring medium- and low-criticality events. Below are sample queries that can be used to create alerts.

How To Detect Certificate Request Denied

Certificate request denied is an event that is created when a user requests a certificate that they do not have permission to request. It is important to alert on this event since it can be an attacker attempting to escalate privileges by requesting a certificate. Below is a sample query to retrieve this specific event:

Azure Sentinel
EZCA_Certificates_CL | where EventID_d == 4888
CrowdStrike Falcon LogScale
LogType = "EZCA_Certificates" and EventID = 4888

How To Detect CA Permissions Changed

CA Permissions Changed is an event that is created when a user changes the security permissions for a CA. This event should be monitored since it is a low-frequency, high-impact action that could indicate a compromise of your PKI administrators’ accounts. Below is a sample query to retrieve this specific event:

Azure Sentinel
EZCA_CAs_CL | where EventID_d == 4882
CrowdStrike Falcon LogScale
LogType = "EZCA_CAs" and EventID = 4882

How To Detect CA Changes Denied

CA Change Denied is an event that is created when a user attempts to change the security permissions for a CA without having the proper security permissions. It is important to alert on this event since it can be an attacker attempting to escalate privileges by changing the security configuration of your certificate authority. Below is a sample query to retrieve this specific event:

Azure Sentinel
EZCA_CAs_CL | where EventID_d == 92
CrowdStrike Falcon LogScale
LogType = "EZCA_CAs" and EventID = 92

How To Detect a Deleted CA

CA Deleted is an event that is created when a user deletes a CA. This event should be monitored since it is a low-frequency, high-impact action that could indicate a compromise of your PKI administrators’ accounts. Below is a sample query to retrieve this specific event:

Azure Sentinel
EZCA_CAs_CL | where EventID_d == 19
CrowdStrike Falcon LogScale
LogType = "EZCA_CAs" and EventID = 19
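The four queries above each pick out one event ID. The example below is added here (it is not EZCA's or Keytos' code) and applies the whole CA and Certificate event tables as detection rules over rows exported from either SIEM: high-criticality events are raised as alerts, medium and low events are counted for monitoring, and, going a step beyond the single-event queries, repeated permission denials (4888 and 92) from the same user inside a short window are raised as one escalation alert. The event IDs and criticalities come from the tables on this page; the user and timestamp field names, the three-denials-in-ten-minutes threshold and the sample rows are assumptions constructed for the example.

```python
"""Triage EZCA SIEM rows using the event tables from this page.

Added example, not EZCA code.  Field names other than EventID (User_s / user,
TimeGenerated / @timestamp), the denial threshold and the sample rows are
constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (summary, criticality) per event ID, copied from the CA and Certificate event tables.
EVENT_RULES = {
    4882: ("CA security permissions changed", "High"),
    92:   ("CA change denied due to insufficient permissions", "High"),
    23:   ("Intermediate CA request rejected", "High"),
    19:   ("CA deleted", "High"),
    28:   ("Intermediate CA imported (chains to external CA)", "Medium"),
    22:   ("Intermediate CA created with EZCA root", "Medium"),
    12:   ("CA renewed", "Low"),
    4888: ("Certificate request denied due to insufficient permissions", "High"),
    4870: ("Certificate revoked", "Medium"),
    4887: ("Certificate created", "Low"),
}
DENIAL_EVENTS = {4888, 92}
DENIAL_THRESHOLD = 3                   # assumption: three denials by one user ...
DENIAL_WINDOW = timedelta(minutes=10)  # ... within ten minutes is one escalation alert

# Constructed sample rows: the first three are shaped like Sentinel custom-log rows
# (numeric columns carry _d, strings _s), the rest like LogScale JSON events.
SAMPLE_ROWS = [
    {"EventID_d": 4887.0, "User_s": "svc-web", "TimeGenerated": "2024-05-01T10:00:00+00:00"},
    {"EventID_d": 4888.0, "User_s": "jdoe", "TimeGenerated": "2024-05-01T10:01:00+00:00"},
    {"EventID_d": 4888.0, "User_s": "jdoe", "TimeGenerated": "2024-05-01T10:02:00+00:00"},
    {"EventID": 4888, "user": "jdoe", "@timestamp": "2024-05-01T10:03:00+00:00"},
    {"EventID": 4870, "user": "ops", "@timestamp": "2024-05-01T10:04:00+00:00"},
    {"EventID": 19, "user": "admin", "@timestamp": "2024-05-01T11:00:00+00:00"},
]


def normalize(row):
    """Map a Sentinel row (EventID_d, User_s, TimeGenerated) or a LogScale row
    (EventID, user, @timestamp) to one common shape."""
    if "EventID_d" in row:
        return {"event_id": int(row["EventID_d"]), "user": row.get("User_s", "?"),
                "time": datetime.fromisoformat(row["TimeGenerated"])}
    return {"event_id": int(row["EventID"]), "user": row.get("user", "?"),
            "time": datetime.fromisoformat(row["@timestamp"])}


def triage(rows):
    """Return (alerts, monitor): alert strings for High events and for repeated
    denials, plus a count of Medium/Low events keyed by (criticality, summary).
    Unknown event IDs are alerted on so that a new event type is never dropped silently."""
    events = sorted((normalize(r) for r in rows), key=lambda e: e["time"])
    alerts, monitor = [], defaultdict(int)
    recent_denials = defaultdict(list)  # user -> timestamps inside the window
    for e in events:
        summary, crit = EVENT_RULES.get(e["event_id"], ("Unknown EZCA event", "High"))
        if crit == "High":
            alerts.append(f"High: {summary} by {e['user']} at {e['time'].isoformat()}")
        else:
            monitor[(crit, summary)] += 1
        if e["event_id"] in DENIAL_EVENTS:
            window = recent_denials[e["user"]]
            window.append(e["time"])
            window[:] = [t for t in window if e["time"] - t <= DENIAL_WINDOW]
            if len(window) == DENIAL_THRESHOLD:  # fire once when the threshold is reached
                alerts.append(f"High: {len(window)} permission denials by {e['user']} "
                              f"within {DENIAL_WINDOW}")
    return alerts, dict(monitor)


if __name__ == "__main__":
    found_alerts, counts = triage(SAMPLE_ROWS)
    for line in found_alerts:
        print(line)
    for (crit, summary), n in sorted(counts.items()):
        print(f"{crit}: {summary} x{n}")
```

The same logic maps back onto the SIEM: the per-event rules are the `EventID_d == 4888` style queries above, and the repeated-denial rule is what a scheduled analytics rule with a `summarize count() by User_s, bin(TimeGenerated, 10m)` clause (Sentinel) or a `groupBy()` over a ten-minute search window (LogScale) would express.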