How-To: Export your EZMonitor SSL Monitoring Logs to Azure Log Analytics and Azure Sentinel

EZMonitor enables your security team to monitor critical user actions and SSL alerts by pushing the information to your SIEM. In this page we will show you how to connect your SSL Monitoring logs to Azure Log Analytics and Azure Sentinel.

Do I Need Azure Sentinel?

This guide applies to both Azure Log Analytics and Azure Sentinel since Sentinel is built on top of Log Analytics. Azure Sentinel is not required if you only want to collect and analyze logs, but it provides additional security features if you choose to use it.

Prerequisites

The Keytos Entra ID application is registered in your tenant
You have an active EZCA plan
You are an Owner or User Access Administrator on the Resource Group containing your Log Analytics workspace.

How to Grant Log Contributor Permissions to the EZMonitor Application in Azure

To allow EZMonitor to send logs to your Log Analytics and Azure Sentinel workspace, you need to grant the Keytos application the following roles on the Resource Group containing your Log Analytics workspace:

This can be done manually in the Azure Portal or using the Azure CLI.

How to Grant Permissions using the Azure Portal

It’s easy to enable the required permissions using the Azure Portal:

Navigate to the Azure Portal.
Open the Log Analytics Workspace you want to connect to EZMonitor. If you are using Azure Sentinel, open the Log Analytics workspace connected to your Sentinel instance.
Click on Resource group to open the Resource Group containing your Log Analytics workspace.
Click Access control (IAM) in the left menu.
Click + Add and Add role assignment.
Search for Monitoring Contributor in the list of Azure roles. Select the role and click Next.
Click + Select members and search for Keytos. Select the Keytos application.
Click Review + assign twice to grant the role to the Keytos application.
Repeat steps 1-8 for the Monitoring Metrics Publisher and Log Analytics Contributor roles.

How to Grant Permissions using the Azure CLI

The Azure CLI can also be used to enable the required permissions. Follow these steps:

Open a terminal window on your device or navigate to the Azure Portal and open Azure Cloud Shell.

Begin by getting the object ID of the service principal for the Keytos application in your tenant:

$objectId = az ad sp list --filter "appId eq '68554b48-233f-42b4-9aa7-2eadca4d7727'" --query "[].{id:id}" --output tsv

Copy the Resource ID of the Resource Group containing your Log Analytics workspace. This can be found by going to the Resource Group in Azure, selecting Properties, and copying the Resource ID.

Save the Resource ID as a variable for easier use:

$resourceGroupId = "/subscriptions/<YOUR-SUBSCRIPTION-ID>/resourceGroups/<YOUR-RESOURCE-GROUP-NAME>"

Grant the Monitoring Contributor role to the Keytos application:

az role assignment create --scope "$resourceGroupId" --role "Monitoring Contributor" --assignee $objectId

Grant the Monitoring Metrics Publisher role to the Keytos application:

az role assignment create --scope "$resourceGroupId" --role "Monitoring Metrics Publisher" --assignee $objectId

Grant the Log Analytics Contributor role to the Keytos application:

az role assignment create --scope "$resourceGroupId" --role "Log Analytics Contributor" --assignee $objectId

How to Export your SSL Monitoring Audit Logs to Log Analytics and Azure Sentinel

Now that you have granted the necessary permissions to the Keytos application, you can configure EZCA to send your CA management logs to your Log Analytics and Azure Sentinel workspace:

How To Enable Log Export in EZMonitor

Navigate to your EZCA portal.
Click on Settings.
Expand your subscription’s Advanced Settings.
Enable the Send Audit Logs to SIEM option.

How to Configure the Azure Sentinel Exporter in EZMonitor

Under SIEM Provider, select Sentinel.
In another tab, navigate to the Azure Portal.
Select the Log Analytics workspace connected to your Sentinel instance (or any Log Analytics workspace you want to use if you are not using Sentinel).
Click on Properties.
Copy the Resource ID.
Go back to the EZMonitor tab and paste the Resource ID into the Workspace Resource ID field.
Back in the Azure tab note the Location of the Log Analytics workspace.
In EZMonitor select the same location in the Location dropdown.
Click the Create Connection button. This will create the necessary connection in your Resource Group to communicate with Log Analytics, and send a test message to ensure proper connection.
Once the test succeeds, make sure to click Save changes to save your SIEM settings.
Done! EZMonitor will now send your security logs to your SIEM.

How To Create Alerts in Azure Sentinel to Monitor Your SSL Activity

Using Azure Sentinel enables you to create alerts and automation for critical operations or abnormal behavior. We recommend setting up alerts for all EZMonitor events. Below are sample queries that can be used to create alerts. The best way to separate each alert is by their Vulnerability ID, below is a query that will return all the dangle DNS entries that are vulnerable to domain takeover.

EZMonitor_Alerts_CL | where VulnerabilityID_d == 18

What Logs are Sent to Azure Sentinel?

EZMonitor has two types of alerts. The first type are alerts generated by scanning Certificate Transparency logs, and the second are alerts generated by scanning the SSL health of your servers.

Certificate Transparency Logs Based Alerts

Event ID	Event Summary	Description
12	A similar domain has been found.	A domain that might be impersonating your domain was found please verify this domain is not being used to impersonate your organization.
13	A similar domain with different Top Level Domain was found.	A domain that might be impersonating your organization by using a different top domain (for example yourcompany.co instead of yourcompany.com) please verify this domain is not being used to impersonate your organization.
18	Your domain is vulnerable to domain takeover.	Your DNS record is pointing to an Azure resource that is no longer being used. please remove the CNAME record pointing to this resource to avoid a bad actor taking over your sub domain.
20	The certificate was issued from a different Root CA.	A certificate was issued from a different Root CA, verify with your team to make sure this certificate was issued by someone in your organization.
25	A new sub domain was registered.	A new sub domain found, please verify with that this action was done by someone in your organization.
29	Certificate does not meet CAA policy.	A certificate was issued by a CA not allowed by your CAA policy.

Network Scan Based Alerts

Event ID	Event Summary	Description
19	The newest certificate is not installed in your server.	A certificate that is expiring soon has been renewed, but our systems detect that it has not been installed in all your web servers.
26	No subject alternative name matches the domain.	The certificate returned by the server does not have any subject names matching the domain, this can cause an error when the user is accessing the site.
27	The server did not serve a certificate when an HTTP request was sent	The server did not return a certificate. Please make sure HTTPS is enabled and the server has a valid certificate and the certificate is binded to this domain.
28	Certificate contains wild-card Subject Alternate Name	This Certificate contains a wild card subject alternate name. This type of subject alternate name can cause an outage since there is not record of where this certificate is being used. Please change this certificate to one containing the specific domains.
40	Error validating installed certificate.	The certificate served by the server was not valid. Please check the alert details on the steps needed to solve this issue.
41	Error validating installed certificate chain.	There was a problem validating the certificate chain of the certificate served by the server. Please follow the steps on the alert to remediate this issue.
42	HTTPS Is Not Enforced	Strict-Transport-Security header was not found. Please add this header to enforce HTTPS and prevent man in the middle attacks.
68	The certificate installed in the web server is expiring soon.	The certificate installed in the web server is expiring soon. Please install the latest certificate to avoid an outage
99	Certificate is expiring soon.	Your domain’s certificate is expiring soon, and it has not been renewed. Renew your certificate and replace the expiring certificate to avoid an outage

Internal Network Scan Based Alerts (Includes all Network Scan Alerts)

Event ID	Event Summary	Description
30	This Certificate Has Been Revoked	This Certificate has been revoked and will rejected by clients. Please create a new certificate and install it in this endpoint.
31	Self Signed Certificate	This Certificate is self signed, please issue a certificate from a trusted authority.
32	The CRL was not accessible when EZMonitor tried downloading it	EZMonitor was not able to download the CRL, make sure your CRL is available in your network
33	SHA1 Certificate	This certificate uses SHA1 hashing algorithm. This algorithm is no longer secure, please replace this certificate with a certificate using a stronger hashing algorithm.
34	Weak Cryptographic Key	This certificate uses a weak cryptographic algorithm. Please replace this certificate with a certificate using a stronger cryptographic key.
35	Current CRL is expired	EZMonitor downloaded an expired CRL, make sure your CRL is updated in all your CRL endpoints.
36	Certificate is Missing SID Extension	This certificate is missing the SID mapping and will not be accepted in Active Directory in future releases. learn more https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
37	The certificate was not found in any of your servers	The certificate was found while scanning your PKI database, but it was not found in any of your web servers. Please make sure this certificate is not being used by any of your services.