How-To: Export EZSSH Logs to Azure Sentinel

EZSSH lets you monitor your SSH access requests by sending all of its security logs to your SIEM, giving your security team a single pane of glass for all of your security events.

Prerequisites

  1. Registering the application in your tenant
  2. Selecting a Plan

Introduction

EZSSH enables your security team to monitor access granted through EZSSH by pushing that information to your SIEM. If your SIEM provider is not currently supported, email your Keytos contact and request a connector for that provider.

Connecting To Azure Sentinel

  1. Go to the EZSSH Portal.
  2. Click on Settings in the left navigation menu.
  3. Expand your subscription’s Advanced Settings.
  4. Enable the “Send Audit Logs to SIEM” option.
  5. Select Sentinel as the SIEM Provider. The Workspace ID and Workspace Key fields appear.
  6. In another tab, go to the Azure Portal.
  7. Select the Log Analytics workspace connected to your Sentinel instance.
  8. Click on “Agents management”.
  9. Copy your Workspace ID.
  10. Go back to the EZSSH tab and paste it in the “Workspace ID” field.
  11. Go back to the Azure tab and copy the primary key. This key grants write access to the workspace, so treat it like any other secret: paste it only into the EZSSH field, and keep in mind that regenerating it in Azure later will stop log delivery until you update it in EZSSH.
  12. Go back to the EZSSH tab and paste the key in the “Workspace Key” field.
  13. Click the “Test Connection” button. This writes a test log entry to your SIEM to confirm that EZSSH can write to it (the sample queries below exclude these test entries).
  14. If the connection test is successful, click “Save changes”.
  15. EZSSH will now send your access logs to your SIEM. If an error occurs, it will email your subscription owners.
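The Workspace ID and primary key pair is what the Azure Monitor HTTP Data Collector API accepts, and that API is what creates custom tables with the _CL suffix, so the following script reproduces what a “Test Connection” most likely does and lets you check a workspace ID/key pair (or a rotated key) from the command line before touching the EZSSH settings. This is an added example, not code from the EZSSH documentation or product; that EZSSH uses this API is an assumption, and the log type, the record fields and the all-zero demo key are constructed for illustration.

```python
"""Sign and optionally send a test record to a Log Analytics workspace.

Added example, not part of the EZSSH documentation or product. It assumes the
workspace is written to with the Azure Monitor HTTP Data Collector API (the API
that a Workspace ID plus the workspace primary key authorize, and that creates
the custom <Log-Type>_CL tables). Log type, record fields and the demo key are
constructed for illustration.
"""
import base64
import datetime
import hashlib
import hmac
import json
import os
import urllib.request

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"

# Constructed placeholders: a nil GUID and the base64 encoding of 32 zero bytes,
# which has the same shape as a real workspace primary key.
DEMO_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
DEMO_SHARED_KEY = "A" * 43 + "="


def build_signature(workspace_id: str, shared_key: str, body: bytes, rfc1123_date: str):
    """Return (Authorization header value, raw HMAC) for a Data Collector POST.

    The string to sign is fixed by the API: method, body length, content type,
    the x-ms-date header and the resource path, newline separated. The portal
    shows the key base64 encoded; it is decoded before use as the HMAC key.
    Anyone holding the key can therefore forge this header for any body.
    """
    string_to_sign = "\n".join([
        "POST",
        str(len(body)),
        "application/json",
        f"x-ms-date:{rfc1123_date}",
        RESOURCE,
    ]).encode("utf-8")
    digest = hmac.new(base64.b64decode(shared_key), string_to_sign, hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}", digest


def build_request(workspace_id: str, shared_key: str, log_type: str, records: list, now=None):
    """Build the signed request without sending it.

    Log-Type selects the custom table: records posted with Log-Type "EZSSH_SSH"
    are queryable as EZSSH_SSH_CL, with string fields suffixed _s and so on.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    authorization, _ = build_signature(workspace_id, shared_key, body, rfc1123_date)
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    headers = {
        "Content-Type": "application/json",
        "Authorization": authorization,
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def send_test_record(workspace_id: str, shared_key: str) -> int:
    """POST one constructed test record; HTTP 200 means the ID/key pair can write to the workspace."""
    record = [{"ActionPerformed": "Test Connection", "Source": "manual-check"}]
    request = build_request(workspace_id, shared_key, "EZSSH_SSH", record)
    with urllib.request.urlopen(request, timeout=15) as response:
        return response.status


if __name__ == "__main__":
    ws_id = os.environ.get("LA_WORKSPACE_ID")
    ws_key = os.environ.get("LA_WORKSPACE_KEY")
    if ws_id and ws_key:
        print("HTTP", send_test_record(ws_id, ws_key))
    else:
        # Offline demonstration: build the signed request but send nothing.
        req = build_request(DEMO_WORKSPACE_ID, DEMO_SHARED_KEY, "EZSSH_SSH",
                            [{"ActionPerformed": "Test Connection"}])
        print(req.full_url)
        print("Authorization:", req.get_header("Authorization"))
```

Run it with LA_WORKSPACE_ID and LA_WORKSPACE_KEY set to post a real test record; without them it only prints the signed request for the demo values. The design point to take from it is that the key is a bearer secret for the whole workspace: whoever holds it can write arbitrary records into any custom table, including records that look like EZSSH audit entries, so a leaked key is an integrity problem for your audit trail as well as a confidentiality one. Keep it in a secret store, rotate it on suspected exposure, and update EZSSH immediately after rotating.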

Creating Alerts in Azure Sentinel

Using Azure Sentinel enables you to create alerts for abnormal behavior. This section will show you a sample of an alert you can set to detect misuse of EZSSH.

Creating an alert to detect if a user is re-using SSH keys for Git access

  1. In your Azure Sentinel instance, go to Analytics.
  2. Click Create in the top left.
  3. Select “Scheduled query rule”.
  4. In the Name field enter “EZGIT Same Key”.
  5. In the Description field enter “Alerts if a user reuses the same key to access GitHub”.
  6. Select the appropriate severity.
  7. Enter the following query:
    EZSSH_GIT_CL | summarize Count=count() by UserPublicKey_s | where Count > 1
    
  8. Set how often the rule runs and how far back it looks. The query only sees requests inside that lookback window, so a key first used before the window and again inside it is not matched; choose a window long enough to cover the reuse you want to catch.
  9. Set the automated response you want the SIEM to perform. We recommend an email to the user, copying the security team, asking whether the activity was intended.
  10. Create the alert.

Other Queries

EZSSH stores its data in custom tables (the tables with the _CL suffix) in Azure Log Analytics. Below are some sample queries that should help you get started with exploring the EZSSH data.

Get All SSH Requests that granted an SSH Certificate

To get all the requests that created an SSH certificate, run the following Query:

EZSSH_SSH_CL | where ActionPerformed_s != "Test Connection" and isnotempty(Certificate_s)

This query can then be correlated with the SSH login logs from your hosts to verify that every login was made with an EZSSH certificate.

Getting the count of Git certificates requested per user

To get the number of Git certificates each user has requested per day, run the following query:

EZSSH_GIT_CL | summarize Count=count() by Date=format_datetime(RequestDate_t, 'd-M-yyyy'), RequestorFriendlyName_s

This query is useful for spotting a user requesting a higher number of certificates than usual.
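Before deploying a scheduled rule it helps to prototype the detection over a handful of records and confirm it fires on exactly the cases you expect. The script below implements both the key-reuse alert from the previous section and the per-user daily count from this one, and carries the count one step further into an explicit spike test. It is an added example, not code from the EZSSH documentation or product; the record fields mirror the column names used in the page's queries (RequestDate_t, UserPublicKey_s, RequestorFriendlyName_s), while the records, user names, keys and thresholds are constructed for illustration.

```python
"""Prototype the EZSSH_GIT_CL detections from the page on constructed records.

Added example, not part of the EZSSH documentation or product. Field names
follow the page's KQL columns; the records, users, keys and the spike
threshold are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median


def _git_request(request_time, user, public_key):
    return {"RequestDate_t": request_time, "RequestorFriendlyName_s": user, "UserPublicKey_s": public_key}


# Constructed sample: alice requests a fresh key each time; bob reuses one key on
# two different days and then burst-requests ten certificates in one night.
GIT_REQUESTS = [
    _git_request("2024-03-04T09:02:11Z", "alice", "ssh-ed25519 AAAA...alice1"),
    _git_request("2024-03-04T13:40:03Z", "alice", "ssh-ed25519 AAAA...alice2"),
    _git_request("2024-03-05T08:15:44Z", "alice", "ssh-ed25519 AAAA...alice3"),
    _git_request("2024-03-04T10:00:00Z", "bob", "ssh-ed25519 AAAA...bob1"),
    _git_request("2024-03-05T10:05:00Z", "bob", "ssh-ed25519 AAAA...bob1"),
] + [
    _git_request(f"2024-03-06T02:{minute:02d}:00Z", "bob", f"ssh-ed25519 AAAA...bob{minute + 2}")
    for minute in range(10)
]


def reused_keys(records):
    """Same grouping as: EZSSH_GIT_CL | summarize Count=count() by UserPublicKey_s | where Count > 1

    Returns {public_key: [(requestor, request_time), ...]} for every key seen in
    more than one request, so the analyst sees who used it and when, not just a count.
    """
    uses = defaultdict(list)
    for r in records:
        uses[r["UserPublicKey_s"]].append((r["RequestorFriendlyName_s"], r["RequestDate_t"]))
    return {key: hits for key, hits in uses.items() if len(hits) > 1}


def daily_counts(records):
    """Same grouping as the per-day, per-requestor summarize query. Returns Counter[(requestor, day)]."""
    counts = Counter()
    for r in records:
        day = datetime.fromisoformat(r["RequestDate_t"].replace("Z", "+00:00")).date().isoformat()
        counts[(r["RequestorFriendlyName_s"], day)] += 1
    return counts


def spike_days(records, factor=3, minimum=5):
    """Flag (requestor, day) pairs with at least `minimum` requests and more than
    `factor` times that requestor's median daily count.

    The median is taken over all of the requestor's days in the window, so a
    single bad day cannot drag its own baseline up as long as a few normal days
    are present to compare against; `minimum` keeps a user with a baseline of one
    request a day from alerting on an ordinary busy afternoon.
    """
    counts = daily_counts(records)
    per_user = defaultdict(list)
    for (user, _day), n in counts.items():
        per_user[user].append(n)
    return {
        (user, day): n
        for (user, day), n in counts.items()
        if n >= minimum and n > factor * median(per_user[user])
    }


if __name__ == "__main__":
    for key, hits in reused_keys(GIT_REQUESTS).items():
        print("key reused:", key, hits)
    for (user, day), n in sorted(spike_days(GIT_REQUESTS).items()):
        print(f"spike: {user} requested {n} certificates on {day}")
```

On the sample data reused_keys reports only bob's first key, and spike_days reports only bob on 2024-03-06; alice's two requests on one day stay below the minimum. When you move the spike logic into Sentinel, remember that a scheduled rule computes the baseline only from the rows inside its lookback window, so the window has to span several normal days for the median to mean anything.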