How-To: Export EZSSH Logs to CloudWatch

Learn how to monitor your SSH access requests by sending all security logs to your CloudWatch SIEM provider.

Prerequisites

  1. Registering the application in your tenant
  2. Selecting a Plan

How To Export Your EZSSH Audit Logs To CloudWatch

How To Enable Log Export in EZSSH Portal

  1. Go to the EZSSH Portal.

  2. Click on Settings.

    EZSSH Agentless JIT Access portal dashboard with Settings item highlighted in the left navigation sidebar

  3. Expand your subscription’s Advanced Settings.

    EZSSH Agentless JIT Access subscription settings page showing Advanced Settings section with expand arrow highlighted

  4. Enable the Send Audit Logs to SIEM option.

    EZSSH Agentless JIT Access Advanced Settings panel with Send Audit Logs to SIEM checkbox highlighted

How To Configure the CloudWatch Exporter in the CloudWatch Portal

  1. Open your CloudWatch Portal in a new browser tab.

  2. In the top right corner, locate your AWS Region and make a note of it.

    CloudWatch region selection screenshot

  3. From the left-hand menu, under Setup, click on Settings.

    CloudWatch settings navigation screenshot

  4. Go to the Logs tab. In the API Keys section, click Create.

    CloudWatch Logs tab and API Keys section screenshot

  5. Choose your preferred API key expiration, then click Generate.

    CloudWatch API key generation screenshot

  6. After the key is generated, copy and save it immediately. You will not be able to view it again after leaving this page.

    CloudWatch API key save dialog screenshot

  7. Navigate to Log Management under Logs in the left-hand menu. Select the Log Group where you want to deliver your logs.

    CloudWatch log group selection screenshot

  8. Click the Actions dropdown, then select Edit bearer token authentication.

    CloudWatch bearer token authentication option screenshot

  9. When prompted, enable bearer token authentication by selecting Yes.

    CloudWatch enable bearer token authentication screenshot

  10. Confirm that bearer token authentication is enabled.

    CloudWatch bearer token authentication confirmation screenshot

  11. Identify and note the log stream where you want your logs delivered.

    CloudWatch log stream identification screenshot

How To Configure the CloudWatch SIEM in EZSSH Portal

  1. Now go back to the EZSSH Portal.

  2. Select CloudWatch as the SIEM Provider.

    Set CloudWatch as the SIEM in EZSSH

  3. Input the values that you copied from the CloudWatch portal, then click Test Connection. This creates a test log in your CloudWatch SIEM (allow a few minutes for the log to show up in the CloudWatch portal).

    CloudWatch Paste Values and Test Connection

  4. If the connection test is successful, click Save Changes.

    EZSSH Settings Save Changes

  5. EZSSH will now send your security alerts to your SIEM. If an error occurs, it will email your subscription administrators. See below for the different events EZSSH will send.

How To Create Alerts in CloudWatch to Monitor Your SSH Activity

We recommend setting up alerts for any high-criticality event and closely monitoring medium and low events. To set up alerts in CloudWatch, go to Actions -> Create metric filter within your log group. Here are some example filters to get you started:

Detect if a User Is Reusing SSH Keys

To detect any user that has reused an SSH key, set an alert for repeat instances of the UserPublicKey field:

fields event.UserPublicKey
| filter source = "EZSSH"
| stats count() as usageCount by event.UserPublicKey
| filter usageCount > 1

Get All SSH Requests that Granted an SSH Certificate

To get all the requests that created an SSH certificate, run the following query:

{ $.source = "EZSSH" && $.sourcetype = "EZSSH_SSH" && $.event.ActionPerformed != "Test Connection" && $.event.Certificate != "NA" }

This query can then be used to correlate with SSH logins to verify that all logins are done with an EZSSH certificate.

Get the Count of Git Certificates Requested by User

To get the number of git certificates a user has requested, run the following query:

fields event.RequestorFriendlyName
| filter source = "EZSSH" and sourcetype = "EZSSH_SSH"
| stats count() as certRequests by event.RequestorFriendlyName
| sort certRequests desc

This query is useful for finding anomalies, such as a user requesting a higher number of certificates than usual.
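The three queries above can be tested before any log reaches CloudWatch. The following script is an added example (not EZSSH's or AWS's code) that re-implements each query in Python over a handful of constructed JSON events, so you can confirm what each filter matches and what a reused key or a noisy requester looks like. The field names (source, sourcetype, event.UserPublicKey, event.ActionPerformed, event.Certificate, event.RequestorFriendlyName) are taken from the queries on this page; the values, user names and certificate ids are made up for the example.

```python
"""Offline re-implementation of the page's three CloudWatch queries over
constructed sample EZSSH audit events (added example, not EZSSH's own code)."""
import json
from collections import Counter
from typing import Iterable, Optional

# Constructed sample log lines. Field names follow the queries on the page;
# every value below is invented for this example.
SAMPLE_LOG_LINES = [
    json.dumps({"source": "EZSSH", "sourcetype": "EZSSH_SSH",
                "event": {"ActionPerformed": "Test Connection", "Certificate": "NA",
                          "UserPublicKey": "NA", "RequestorFriendlyName": "admin"}}),
    json.dumps({"source": "EZSSH", "sourcetype": "EZSSH_SSH",
                "event": {"ActionPerformed": "SSH Access Request", "Certificate": "cert-0001",
                          "UserPublicKey": "ssh-ed25519 AAAAexampleKeyA",
                          "RequestorFriendlyName": "alice"}}),
    json.dumps({"source": "EZSSH", "sourcetype": "EZSSH_SSH",
                "event": {"ActionPerformed": "SSH Access Request", "Certificate": "cert-0002",
                          "UserPublicKey": "ssh-ed25519 AAAAexampleKeyA",  # same key again
                          "RequestorFriendlyName": "alice"}}),
    json.dumps({"source": "EZSSH", "sourcetype": "EZSSH_SSH",
                "event": {"ActionPerformed": "SSH Access Request", "Certificate": "cert-0003",
                          "UserPublicKey": "ssh-ed25519 AAAAexampleKeyB",
                          "RequestorFriendlyName": "bob"}}),
    json.dumps({"source": "EZSSH", "sourcetype": "EZSSH_SSH",
                "event": {"ActionPerformed": "SSH Access Request", "Certificate": "NA",
                          "UserPublicKey": "ssh-ed25519 AAAAexampleKeyC",
                          "RequestorFriendlyName": "carol"}}),
    # Event from another source sharing the log group: must be ignored.
    json.dumps({"source": "OtherApp", "sourcetype": "OTHER",
                "event": {"ActionPerformed": "Login", "Certificate": "x",
                          "UserPublicKey": "ssh-ed25519 AAAAexampleKeyA",
                          "RequestorFriendlyName": "mallory"}}),
    "this line is not JSON and is skipped by the parser",
]


def parse_events(lines: Iterable[str]) -> list[dict]:
    """Parse JSON log lines, silently dropping anything that is not valid JSON."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def ezssh_events(events: Iterable[dict], sourcetype: Optional[str] = None):
    """Equivalent of `filter source = "EZSSH"` with an optional sourcetype clause."""
    for e in events:
        if e.get("source") != "EZSSH":
            continue
        if sourcetype is not None and e.get("sourcetype") != sourcetype:
            continue
        yield e


def reused_public_keys(events: list[dict]) -> dict[str, int]:
    """Query 1: UserPublicKey values seen more than once (usageCount > 1)."""
    keys = (e["event"].get("UserPublicKey") for e in ezssh_events(events))
    counts = Counter(k for k in keys if k is not None)
    return {key: n for key, n in counts.items() if n > 1}


def certificate_granting_requests(events: list[dict]) -> list[dict]:
    """Query 2 (the metric filter pattern): EZSSH_SSH events that are not the
    Test Connection event and actually carry a certificate."""
    return [
        e for e in ezssh_events(events, sourcetype="EZSSH_SSH")
        if e["event"].get("ActionPerformed") != "Test Connection"
        and e["event"].get("Certificate") != "NA"
    ]


def cert_requests_by_user(events: list[dict]) -> list[tuple[str, int]]:
    """Query 3: EZSSH_SSH event count per RequestorFriendlyName, highest first
    (ties broken by name so the order is deterministic)."""
    counts = Counter(e["event"].get("RequestorFriendlyName", "")
                     for e in ezssh_events(events, sourcetype="EZSSH_SSH"))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG_LINES)
    print("reused keys:", reused_public_keys(evs))
    print("cert-granting requests:",
          [e["event"]["Certificate"] for e in certificate_granting_requests(evs)])
    print("requests by user:", cert_requests_by_user(evs))
```

Running it shows KeyA flagged with a usage count of 2 (the OtherApp event carrying the same key is excluded by the source filter), only cert-0001 to cert-0003 matching the certificate-granting pattern, and alice at the top of the per-user count. Note that the third query, like the page's version, counts every EZSSH_SSH event including the Test Connection entry, so the admin account appears with a count of 1.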