How to Send your PKI Logs to your SIEM
Introduction
EZCA lets your security team monitor critical user actions by pushing its audit logs to your SIEM. If your SIEM provider is not currently supported, email your Keytos contact and request a connector for that provider.
How To Connect Your PKI To Azure Sentinel
- Go to the EZCA Portal.
- Click on Settings.
- Expand your subscription’s advanced settings.
- Enable the “Send Audit Logs to SIEM” option.
- Select Sentinel as the SIEM Provider.
- In another tab, go to the Azure Portal
- Select the Log Analytics workspace connected to your Sentinel instance.
- Click on “Agents Management”.
- Copy Your Workspace ID.
- Go back to the EZCA tab and paste it in the “Workspace ID” field.
- Go back to the Azure tab and copy the primary key.
- Go back to the EZCA tab and paste the key in the “Workspace Key” field.
- Click the “Test Connection” button. This writes a test log to your SIEM to confirm that EZCA can reach it.
- If the connection test is successful, click “Save changes”.
- EZCA will now send your audit logs to your SIEM. If an error occurs, it emails your subscription’s PKI administrators.
How To Connect Your PKI To CrowdStrike Falcon LogScale
- Go to the EZCA Portal.
- Click on Settings.
- Expand your subscription’s advanced settings.
- Enable the “Send Audit Logs to SIEM” option.
- Select CrowdStrike Falcon LogScale as the SIEM Provider.
- In another tab, go to your CrowdStrike Falcon LogScale instance.
- Click on the Settings tab.
- Select the “Ingest Tokens” menu.
- Click on the “Add Token” button.
- Enter the token name
- Assign the json parser and click “Create”.
- Copy the token and the ingest host name.
- Go back to the EZCA tab.
- Paste the ingest host name in the “Ingestion Endpoint” field.
- Paste the token in the “Ingestion Token” field.
- Click the “Test Connection” button. This writes a test log to your SIEM to confirm that EZCA can reach it.
- If the connection test is successful, click “Save changes”.
How To Connect Your Cloud PKI To Splunk
- Go to the EZCA Portal.
- Click on Settings.
- Expand your subscription’s advanced settings.
- Enable the “Send Audit Logs to SIEM” option.
- Select Splunk as the SIEM Provider.
- In another tab, go to your Splunk instance.
- Open the Settings menu and go to Data Inputs.
- Add a new HTTP Event Collector.
- Enter Keytos as the Name and click Next.
- Leave the input settings at their default values and click Next.
- Click Submit.
- Copy the HEC token you just created. This token is a credential; do not share it publicly.
- Go back to the EZCA tab and enter the URL of your Splunk instance and the token you just created.
- Click the “Test Connection” button. This writes a test log to your SIEM to confirm that EZCA can reach it.
- If the connection test is successful, click “Save changes”.
- EZCA will now send your audit logs to your SIEM. If an error occurs, it emails your subscription’s PKI administrators. The events EZCA sends are listed below.
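The credentials gathered in the three procedures above are the inputs to each provider’s public ingestion API: the Sentinel workspace ID and primary key authenticate the Log Analytics HTTP Data Collector API (which stores a numeric JSON field such as EventID in the custom table <Log-Type>_CL as EventID_d, the name the Sentinel queries below use), the LogScale ingest host and token feed LogScale’s HEC-compatible ingest endpoint, and the Splunk URL and token feed the HTTP Event Collector. The following Python is an added example, not EZCA’s connector code (which this page does not show), of building and optionally posting the kind of test event the “Test Connection” button sends. The workspace ID, hosts, tokens and the event itself are constructed placeholders; the LogScale endpoint path is an assumption you should check against your instance’s documentation.

```python
"""Build (and optionally POST) a test event for Sentinel, LogScale and Splunk.
Added example using each provider's ingestion API; not EZCA's connector code."""
import base64
import hashlib
import hmac
import json
import os
import urllib.request
from datetime import datetime, timezone

# Constructed test event; field names mirror the ones the queries on this page rely on.
TEST_EVENT = {"EventID": 4887, "EventSummary": "Certificate was created",
              "Message": "SIEM connectivity test", "Criticality": "Low"}
LOG_TYPE = "EZCA_Certificates"          # stored as the EZCA_Certificates_CL table in Log Analytics
DEMO_WORKSPACE_KEY = base64.b64encode(bytes(32)).decode()   # placeholder, NOT a real key


def sentinel_request(workspace_id, workspace_key, events, log_type=LOG_TYPE, date=None):
    """Log Analytics HTTP Data Collector API request.

    The request is signed with HMAC-SHA256 over method, body length, content type,
    the x-ms-date header and the resource path, keyed with the base64-decoded
    workspace (primary) key.  `date` is an RFC 1123 timestamp; pass one to get a
    reproducible signature, otherwise the current UTC time is used.
    """
    body = json.dumps(events).encode("utf-8")
    date = date or datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    string_to_sign = f"POST\n{len(body)}\napplication/json\nx-ms-date:{date}\n/api/logs"
    digest = hmac.new(base64.b64decode(workspace_key), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}",
        "Log-Type": log_type,           # custom table name; Log Analytics appends _CL
        "x-ms-date": date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body


def logscale_request(ingest_host, ingest_token, events, log_type=LOG_TYPE):
    """LogScale HEC-compatible ingest request (endpoint path assumed; verify for your instance).
    The ingest token is a Bearer credential; the json parser assigned to it parses `event`."""
    lines = [json.dumps({"event": e, "sourcetype": log_type}) for e in events]
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {ingest_token}"}
    return f"https://{ingest_host}/api/v1/ingest/hec", headers, "\n".join(lines).encode("utf-8")


def splunk_request(splunk_url, hec_token, events, log_type=LOG_TYPE, index=None):
    """Splunk HTTP Event Collector request; HEC listens on port 8088 by default."""
    lines = []
    for e in events:
        payload = {"event": e, "sourcetype": log_type}
        if index:
            payload["index"] = index
        lines.append(json.dumps(payload))
    headers = {"Content-Type": "application/json", "Authorization": f"Splunk {hec_token}"}
    return splunk_url.rstrip("/") + "/services/collector/event", headers, "\n".join(lines).encode("utf-8")


def send(url, headers, body):
    """POST the prepared request and return the HTTP status code (200 on success)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder credentials; set SIEM_SEND=1 to actually post to these hosts.
    requests = [
        sentinel_request("11111111-2222-3333-4444-555555555555", DEMO_WORKSPACE_KEY, [TEST_EVENT]),
        logscale_request("logscale.example.com", "placeholder-ingest-token", [TEST_EVENT]),
        splunk_request("https://splunk.example.com:8088", "placeholder-hec-token", [TEST_EVENT]),
    ]
    for url, headers, body in requests:
        print(url, headers["Authorization"][:24] + "...", len(body), "bytes")
        if os.environ.get("SIEM_SEND") == "1":
            print("status:", send(url, headers, body))
```

Run it as-is to see the three requests that would be sent; the Authorization header is the only provider-specific secret, so treat the script output the way you treat the tokens themselves.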
Cloud PKI SIEM Events
CA Operation Events
Event ID | Event Summary | Description | Potential Criticality |
---|---|---|---|
4882 | The security permissions for Certificate Services changed | A change in CA settings that might give or remove critical permissions | High |
92 | CA change denied due to insufficient permissions | A user attempted to change CA settings without the proper permissions | High |
23 | Intermediate CA request rejected | A new Intermediate CA request has been rejected | High |
19 | CA deleted | This indicates that a CA was deleted | High |
28 | Intermediate CA was imported | A new Intermediate CA has been created chaining to an external CA | Medium |
22 | Intermediate CA created with EZCA Root | A new Intermediate CA has been created chaining to an EZCA CA | Medium |
12 | CA was renewed | A CA has been renewed | Low |
Certificate Operation Events
Event ID | Event Summary | Description | Potential Criticality |
---|---|---|---|
4888 | Certificate request denied due to insufficient permissions | A user attempted to request a certificate without the proper permissions | High |
4870 | A certificate has been revoked | Revoking a certificate can cause an outage if it was done by mistake or the replacement certificate has not been deployed to every endpoint that uses it | Medium |
4887 | Certificate was created | This event indicates a certificate was created successfully | Low |
How To Create Alerts in SIEM to Monitor Your PKI
Each supported SIEM (Azure Sentinel, CrowdStrike Falcon LogScale and Splunk) lets you create alerts for critical operations or abnormal behavior. We recommend alerting on every high-criticality event and closely monitoring medium and low events. Below are sample queries that can be used to create alerts.
How To Detect Certificate Request Denied
Certificate request denied (event 4888) is created when a user requests a certificate that they do not have permission to request. It is important to alert on this event, since it could be an attacker attempting to escalate privileges by requesting a certificate they are not entitled to. Below is a sample query to retrieve this specific event:
Azure Sentinel
EZCA_Certificates_CL | where EventID_d == 4888
CrowdStrike Falcon LogScale
LogType = "EZCA_Certificates" and EventID = 4888
Splunk
index=your_index sourcetype="EZCA_Certificates" EventID=4888
How To Detect CA Permissions Changed
CA Permissions Changed (event 4882) is created when a user changes the security permissions for a CA. This event should be monitored since it is a low-frequency, high-impact action that could indicate a compromise of your PKI administrators’ accounts. Below is a sample query to retrieve this specific event:
Azure Sentinel
EZCA_CAs_CL | where EventID_d == 4882
CrowdStrike Falcon LogScale
LogType = "EZCA_CAs" and EventID = 4882
Splunk
index=your_index sourcetype="EZCA_CAs" EventID=4882
How To Detect CA Changes Denied
CA Change Denied (event 92) is created when a user attempts to change CA settings, including its security permissions, without having the proper permissions. It is important to alert on this event, since it could be an attacker attempting to escalate privileges by changing the security configuration of your certificate authority. Below is a sample query to retrieve this specific event:
Azure Sentinel
EZCA_CAs_CL | where EventID_d == 92
CrowdStrike Falcon LogScale
LogType = "EZCA_CAs" and EventID = 92
Splunk
index=your_index sourcetype="EZCA_CAs" EventID=92
How To Detect a Deleted CA
CA Deleted (event 19) is created when a user deletes a CA. This event should be monitored since it is a low-frequency, high-impact action that could indicate a compromise of your PKI administrators’ accounts. Below is a sample query to retrieve this specific event:
Azure Sentinel
EZCA_CAs_CL | where EventID_d == 19
CrowdStrike Falcon LogScale
LogType = "EZCA_CAs" and EventID = 19
Splunk
index=your_index sourcetype="EZCA_CAs" EventID=19
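Each of the four queries above selects one event ID from one table. The following Python is an added example, not EZCA’s code or the page’s own queries, that applies the same four rules to a constructed batch of EZCA-style events (JSON lines, one event per line, using the event IDs and criticality values from the tables above) and returns the alerts a SIEM rule would raise. It goes one step beyond the single-event queries by also grouping certificate-request denials per requesting principal, so that repeated 4888 events from one account inside a short window raise a separate alert. The `Actor` and `Timestamp` field names, the ten-minute window and the threshold of three are assumptions; this page does not give EZCA’s field names for the requesting principal or the event time.

```python
"""Apply this page's four alert rules to EZCA-style JSON-lines events offline.
Added example; field names Actor/Timestamp and the burst threshold are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event catalogue from the tables on this page: which table each ID lands in, and its criticality.
CA_EVENTS = {4882, 92, 23, 19, 28, 22, 12}
CERT_EVENTS = {4888, 4870, 4887}
CRITICALITY = {4882: "High", 92: "High", 23: "High", 19: "High", 28: "Medium", 22: "Medium",
               12: "Low", 4888: "High", 4870: "Medium", 4887: "Low"}

# The four detections above, keyed by (table, event id) exactly as the queries filter them.
ALERT_RULES = {("EZCA_Certificates", 4888): "Certificate request denied",
               ("EZCA_CAs", 4882): "CA permissions changed",
               ("EZCA_CAs", 92): "CA change denied",
               ("EZCA_CAs", 19): "CA deleted"}

DENIAL_WINDOW = timedelta(minutes=10)   # assumed window for repeated denials
DENIAL_THRESHOLD = 3                    # assumed count of denials by one actor in the window

# Constructed sample log: three denials by one user in five minutes, admin actions,
# a low-criticality renewal, and two malformed lines that must be skipped.
SAMPLE_LOG = """
{"EventID": 4887, "Actor": "svc-web", "Timestamp": "2024-01-01T09:00:00"}
{"EventID": 4888, "Actor": "jdoe", "Timestamp": "2024-01-01T09:01:00"}
{"EventID": 4888, "Actor": "jdoe", "Timestamp": "2024-01-01T09:03:00"}
{"EventID": 4888, "Actor": "jdoe", "Timestamp": "2024-01-01T09:06:00"}
{"EventID": 4882, "Actor": "pki-admin", "Timestamp": "2024-01-01T10:00:00"}
{"EventID": 12, "Actor": "pki-admin", "Timestamp": "2024-01-01T10:05:00"}
{"EventID": 19, "Actor": "pki-admin", "Timestamp": "2024-01-01T11:00:00"}
not json
{"EventID": "abc", "Timestamp": "2024-01-01T11:00:00"}
"""


def table_for(event_id):
    """Map an event ID to the table it is written to, or None if it is unknown."""
    if event_id in CA_EVENTS:
        return "EZCA_CAs"
    if event_id in CERT_EVENTS:
        return "EZCA_Certificates"
    return None


def parse_events(jsonl):
    """Parse JSON lines into (table, event) pairs, skipping malformed or unknown events."""
    parsed = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["EventID"] = int(ev["EventID"])
            ev["Timestamp"] = datetime.fromisoformat(ev["Timestamp"])
        except (ValueError, KeyError, TypeError):
            continue                    # a bad line must not stop the whole batch
        table = table_for(ev["EventID"])
        if table:
            parsed.append((table, ev))
    return parsed


def evaluate(jsonl):
    """Return one alert per event matching a rule, plus one burst alert per actor
    with at least DENIAL_THRESHOLD request denials inside DENIAL_WINDOW."""
    alerts = []
    denials = defaultdict(list)
    for table, ev in parse_events(jsonl):
        rule = ALERT_RULES.get((table, ev["EventID"]))
        if rule:
            alerts.append({"rule": rule, "table": table, "event_id": ev["EventID"],
                           "criticality": CRITICALITY[ev["EventID"]],
                           "actor": ev.get("Actor"), "time": ev["Timestamp"].isoformat()})
        if ev["EventID"] == 4888:
            denials[ev.get("Actor")].append(ev["Timestamp"])
    for actor, times in denials.items():
        times.sort()
        for i in range(len(times) - DENIAL_THRESHOLD + 1):
            last = i + DENIAL_THRESHOLD - 1
            if times[last] - times[i] <= DENIAL_WINDOW:
                alerts.append({"rule": "Repeated certificate request denials",
                               "table": "EZCA_Certificates", "event_id": 4888,
                               "criticality": "High", "actor": actor,
                               "time": times[last].isoformat(), "count": DENIAL_THRESHOLD})
                break                   # one burst alert per actor is enough
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(alert)
```

The per-actor grouping is the piece worth carrying into your SIEM rule: a single 4888 is usually a misconfigured requester, while several in a few minutes from one principal is the pattern of someone trying each CA in turn.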