How to Send your PKI Logs to your SIEM

Prerequisites

  1. Registering the application in your tenant
  2. Selecting a Plan

Introduction - How to Send your PKI Logs to your SIEM

EZCA enables your security team to monitor critical user actions by pushing the information to your SIEM. If your SIEM provider is not currently supported, email your Keytos contact and request a connector for that specific provider.

How To Connect Your PKI To Azure Sentinel

  1. Go to the EZCA Portal.
  2. Click on Settings.
  3. Expand your subscription’s advanced settings.
  4. Enable the “Send Audit Logs to SIEM” option.
  5. Select Sentinel as the SIEM Provider.
  6. In another tab, go to the Azure Portal.
  7. Select the Log Analytics workspace connected to your Sentinel instance.
  8. Click on “Agents Management”.
  9. Copy your Workspace ID.
  10. Go back to the EZCA tab and paste it in the “Workspace ID” field.
  11. Go back to the Azure tab and copy the primary key.
  12. Go back to the EZCA tab and paste the key in the “Workspace Key” field.
  13. Click the “Test Connection” button; this will create a test log in your SIEM to make sure EZCA can write to it.
  14. If the connection test is successful, click “Save changes”.
  15. EZCA will now send your security logs to your SIEM. If an error occurs, it will email your subscription’s PKI administrators.
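Steps 9 to 13 above hand EZCA a Workspace ID and a primary key and then write a test record. The following Python is an added example, not Keytos' connector code (which this page does not show): it assumes the connector uses the standard Log Analytics HTTP Data Collector API, the usual way to write a custom table with only those two values, and the `_CL` and `_d` suffixes in the queries further down are consistent with that assumption. The workspace ID, key and event fields are placeholders.

```python
import base64
import hashlib
import hmac
import json
import urllib.request
from datetime import datetime, timezone

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"

def string_to_sign(content_length, rfc1123_date, method="POST", content_type="application/json"):
    """Canonical string the Data Collector API signs under the SharedKey scheme."""
    return f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123_date}\n{RESOURCE}"

def build_authorization(workspace_id, workspace_key, content_length, rfc1123_date):
    """HMAC-SHA256 over the canonical string, keyed with the base64-decoded workspace key."""
    key = base64.b64decode(workspace_key)
    mac = hmac.new(key, string_to_sign(content_length, rfc1123_date).encode("utf-8"), hashlib.sha256)
    return f"SharedKey {workspace_id}:{base64.b64encode(mac.digest()).decode('ascii')}"

def build_request(workspace_id, workspace_key, log_type, records, now=None):
    """Return (url, headers, body) for one POST; nothing is sent from here."""
    now = now or datetime.now(timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_authorization(workspace_id, workspace_key, len(body), rfc1123_date),
        # Log-Type becomes the custom table name plus "_CL" (EZCA_Certificates -> EZCA_Certificates_CL);
        # Log Analytics suffixes numeric fields with "_d" (EventID -> EventID_d) and strings with "_s".
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return url, headers, body

def post_records(workspace_id, workspace_key, log_type, records):
    """Send one batch; HTTP 200 means the workspace accepted it (what "Test Connection" checks)."""
    url, headers, body = build_request(workspace_id, workspace_key, log_type, records)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status

if __name__ == "__main__":
    # Constructed test event; the workspace ID and key are placeholders, not real values.
    event = [{"EventID": 4887, "EventSummary": "Certificate was created", "Test": True}]
    print(post_records("<workspace-id>", "<workspace-primary-key-base64>", "EZCA_Certificates", event))
```

Because the primary key alone authorizes writes to the whole workspace, store it as a secret rather than in source or configuration files.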

SIEM Events

CA Operation Events

Event ID | Event Summary | Description | Potential Criticality
-------- | ------------- | ----------- | ---------------------
4882 | The security permissions for Certificate Services changed | A change in CA settings that might give or remove critical permissions | High
92 | CA change denied due to insufficient permissions | A user attempted to change CA settings without the proper permissions | High
23 | Intermediate CA request rejected | A new Intermediate CA request has been rejected | High
19 | CA deleted | This indicates that a CA was deleted | High
28 | Intermediate CA was imported | A new Intermediate CA has been created chaining to an external CA | Medium
22 | Intermediate CA created with EZCA Root | A new Intermediate CA has been created chaining to an EZCA CA | Medium
12 | CA was renewed | A CA has been renewed | Low

Certificate Operation Events

Event ID | Event Summary | Description | Potential Criticality
-------- | ------------- | ----------- | ---------------------
4888 | Certificate request denied due to insufficient permissions | A user attempted to request a certificate without the proper permissions | High
4870 | A certificate has been revoked | This can cause an outage if it was done by mistake or the new certificate is not added to all the endpoints that use the certificate | Medium
4887 | Certificate was created | This event indicates a certificate was created successfully | Low

How To Create Alerts in Azure Sentinel to Monitor Your PKI

Using Azure Sentinel enables you to create alerts for critical operations or abnormal behavior. We recommend setting up alerts for every high criticality event and closely monitoring medium and low criticality events. Below are sample queries that can be used to create alerts.

How To Detect Certificate Request Denied

Certificate request denied is an event that is created when a user requests a certificate that they do not have permission to request. It is important to alert on this event since it can indicate an attacker attempting to escalate privileges by requesting a certificate. Below is a sample query to retrieve this specific event:

EZCA_Certificates_CL | where EventID_d == 4888

How To Detect CA Permissions Changed

CA Permissions Changed is an event that is created when a user changes the security permissions for a CA. This event should be monitored since it is a low-frequency, high-impact action that could indicate a compromise of your PKI administrators’ accounts. Below is a sample query to retrieve this specific event:

EZCA_CAs_CL | where EventID_d == 4882

How To Detect CA Changes Denied

CA Change Denied is an event that is created when a user attempts to change the security permissions for a CA without having the proper permissions. It is important to alert on this event since it can indicate an attacker attempting to escalate privileges by changing the security configuration of your certificate authority. Below is a sample query to retrieve this specific event:

EZCA_CAs_CL | where EventID_d == 92

How To Detect a Deleted CA

CA Deleted is an event that is created when a user deletes a CA. This event should be monitored since it is a low-frequency, high-impact action that could indicate a compromise of your PKI administrators’ accounts. Below is a sample query to retrieve this specific event:

EZCA_CAs_CL | where EventID_d == 19