How to Send your RADIUS Logs to your SIEM

Prerequisites

  1. Registering the application in your tenant
  2. Selecting a Plan

Introduction - How to Send your RADIUS Logs to your SIEM

EZRADIUS enables your security team to monitor critical user actions by pushing the information to your SIEM. If your SIEM provider is not currently supported email your Keytos contact and request a connector for that specific provider.

How To Connect Your RADIUS To Azure Sentinel

  1. Go to your EZRADIUS portal.
  2. Click on Settings.
  3. Scroll to the bottom and enable the “Send Audit Logs” to SIEM option.
  4. Select Sentinel as the SIEM Provider.
  5. In another tab, go to the Azure Portal
  6. Select the log analytics connected to your Sentinel instance.
  7. Click on “Agents Management”.
  8. Copy your Workspace ID.
  9. Go back to the EZRADIUS tab and paste it in the “Workspace ID” field.
  10. Go back to the Azure tab and copy the primary key.
  11. Go back to the EZRADIUS tab and paste the key in the “Workspace Key” field.
  12. Click the “Test Connection” button; this creates a test log in your SIEM to make sure EZRADIUS can write to the SIEM.
  13. If the connection test is successful, click “Save changes” at the top of the subscription.
  14. EZRADIUS will now send your security logs to your SIEM. If an error occurs, it will email your subscription PKI administrators. Now you should check out how to create a dashboard for your RADIUS service.
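The Workspace ID and primary key copied in steps 8 and 10 are the credentials of the Log Analytics HTTP Data Collector API (now a legacy API). The script below is an added example, not EZRADIUS code: it builds the signed request and posts one constructed test record, so you can confirm the workspace accepts writes independently of the portal's Test Connection button; the workspace values and the EZRadiusConnectionTest log type are placeholders.

```python
import base64
import datetime
import hashlib
import hmac
import json
import urllib.request

# Constructed placeholders: substitute the Workspace ID and primary key copied from
# Log Analytics > Agents Management. The key is a credential; keep it out of source.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
WORKSPACE_KEY = base64.b64encode(b"constructed-placeholder-key").decode()
LOG_TYPE = "EZRadiusConnectionTest"  # assumed name; the table becomes EZRadiusConnectionTest_CL

def build_signature(workspace_id, shared_key, rfc1123_date, content_length):
    # Data Collector API scheme: HMAC-SHA256 over the canonical request string,
    # keyed with the base64-decoded workspace key, sent as "SharedKey <id>:<mac>".
    string_to_sign = (
        f"POST\n{content_length}\napplication/json\n"
        f"x-ms-date:{rfc1123_date}\n/api/logs"
    )
    mac = hmac.new(base64.b64decode(shared_key), string_to_sign.encode("utf-8"),
                   hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(mac).decode()}"

def build_request(workspace_id, shared_key, log_type, records, when=None):
    # Returns (url, headers, body) ready to POST; `when` is injectable for testing.
    when = when or datetime.datetime.now(datetime.timezone.utc)
    rfc1123_date = when.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
        "Log-Type": log_type,  # string fields in `records` appear as <name>_s in KQL
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body

def send_test_log(workspace_id, shared_key):
    # One constructed record, mirroring the portal's "Test Connection" step.
    records = [{"Action": "ConnectionTest"}]
    url, headers, body = build_request(workspace_id, shared_key, LOG_TYPE, records)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status  # 200: the workspace accepted the record

if __name__ == "__main__":
    print(send_test_log(WORKSPACE_ID, WORKSPACE_KEY))
```

The record lands in the `<log type>_CL` table with `Action_s` as its string column, which is why the alert queries at the end of this page filter on `Action_s`.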

How To Connect Your RADIUS Service To CrowdStrike Falcon LogScale

  1. Go to your EZRADIUS portal.
  2. Click on Settings.
  3. Scroll to the bottom and enable the “Send Audit Logs” to SIEM option.
  4. Select CrowdStrike Falcon LogScale as the SIEM Provider.
  5. In another tab, go to your CrowdStrike Falcon LogScale instance.
  6. Click on the Settings tab.
  7. Select the “Ingest Tokens” menu.
  8. Click on the “Add Token” button.
  9. Enter the token name.
  10. Assign the json parser and click “Create”.
  11. Copy the token and the ingest host name.
  12. Go back to the EZRADIUS tab.
  13. Paste the ingest host name in the “Ingestion Endpoint” field.
  14. Paste the token in the “Ingestion Token” field.
  15. Click the “Test Connection” button; this creates a test log in your SIEM to make sure EZRADIUS can write to the SIEM.
  16. If the connection test is successful, click “Save changes” at the top of the subscription.

How To Connect Your Cloud RADIUS To Splunk

  1. Go to your EZRADIUS portal.
  2. Click on Settings.
  3. Scroll to the bottom and enable the “Send Audit Logs” to SIEM option.
  4. Select Splunk as the SIEM Provider.
  5. In another tab, go to your Splunk instance.
  6. Go to Data Inputs by clicking on the Settings menu.
  7. Add a new HTTP Event Collector.
  8. Enter Keytos as the Name and click Next.
  9. Leave the input settings at their default values and click Next.
  10. Click Submit.
  11. Copy the Splunk token we just created. Note that this is a credential, so do not share it publicly.
  12. Now go back to the EZRADIUS portal and enter the URL of your Splunk instance and the token we just created.
  13. Click the “Test Connection” button; this creates a test log in your SIEM to make sure EZRADIUS can write to the SIEM.
  14. If the connection test is successful, click “Save changes” at the top of the subscription.
  15. EZRADIUS will now send your security alerts to your SIEM. If an error occurs, it will email your subscription administrators. The events EZRADIUS sends are listed below.

SIEM Events

Administrator Events

Administrator events (found in the EZRadiusAdministrator table) are events triggered when the administrator performs an action on the subscription such as adding users, removing users, or changing the subscription settings. These events are important to monitor since they can indicate a compromise to the subscription. Below are the events that are considered critical to monitor:

Action              | Event Summary                                                                              | Potential Criticality
NotAuthorized       | Someone attempted to perform an administrative action that they are not authorized to do. | High
SubscriptionUpdated | An administrator made changes to the subscription.                                         | Medium

Policy Events

When an administrator creates or modifies a policy, an event is triggered in the EZRadiusPolicy table. These events are important to monitor since they can indicate a compromise to the subscription.

Authentication Events

Every time a user authenticates to the RADIUS service, an event is triggered in the EZRadiusAuthentication table. You can monitor these events to detect abnormal behavior or unauthorized access to your network.

Accounting Events

In accordance with RFC 2866, EZRADIUS records accounting information for each user session. You can monitor these events to detect abnormal behavior or unauthorized access to your network.

How To Create Alerts in SIEM to Monitor Your PKI

Using a SIEM enables you to create alerts for critical operations or abnormal behavior. We recommend setting up alerts for any high criticality event and closely monitoring medium and low events. Below are sample queries for the Administrator events.

Azure Sentinel
EZRadiusAdministrator_CL | where Action_s == "NotAuthorized"
CrowdStrike Falcon LogScale
LogType = "EZRadiusAdministrator" and Action = "NotAuthorized"