How-To: Export EZSSH Logs to Datadog

Learn how to monitor your SSH access requests by sending all security logs to your Datadog SIEM provider.

Prerequisites

  1. Registering the application in your tenant
  2. Selecting a Plan

How To Export Your EZSSH Audit Logs To Datadog

How To Enable Log Export in EZSSH Portal

  1. Go to the EZSSH Portal.

  2. Click on Settings.

    EZSSH Settings

  3. Expand your subscription’s Advanced Settings.

    EZSSH Subscription Advanced Settings

  4. Enable the Send Audit Logs to SIEM option.

    EZSSH Send Audit Logs to SIEM checkbox

How To Configure the Datadog Exporter in the Datadog Portal

  1. In another tab, go to the Datadog Logs API docs: Datadog Docs.

  2. Look on the top right and check that you have the correct Datadog site selected.

    Getting HTTP endpoint from Datadog Docs

  3. Select the correct site, then copy the corresponding URL.

    Finding HTTP endpoint from Datadog Docs

  4. Now go to your Datadog Instance. Here you will find your personal settings.

    Datadog account menu and user settings

  5. Hover over your username and click the API Keys option.

    Datadog API keys tab in user settings

  6. Click the + New Key button.

    Datadog API keys page with + New Key button

  7. Give your key a name and click the Create Key button.

    Datadog dialog to name and create a new API key

  8. Copy your key and hit the Finish button.

    Datadog screen showing newly created API key ready to copy

How To Configure the Datadog SIEM in EZSSH Portal

  1. Now go back to the EZSSH Portal.

  2. Select Datadog as the SIEM Provider.

    Set Datadog as the SIEM in EZSSH

  3. Input the values that you copied from the Datadog portal. Then, click Test Connection. This will create a test log in your Datadog SIEM (please allow a few minutes for the log to show up in the Datadog portal).

    Datadog Paste Values and Test Connection

  4. If the connection test is successful, click Save Changes.

    EZSSH Settings Save Changes

  5. EZSSH will now send your security alerts to your SIEM. If an error occurs, it will email your subscription administrators. See below for the different events EZSSH sends.
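The Test Connection step above exercises Datadog's HTTP Logs intake API: the endpoint is derived from the site you selected in the Datadog docs, and the API key you created travels in the DD-API-KEY header. The following script is an added example, not EZSSH's own code, for checking a site and key outside the portal (for instance when the test log never appears). The site-to-host mapping and the record layout are assumptions based on Datadog's public documentation and on the attribute names used in the queries later on this page; the sample values are constructed.

```python
import json
import os
import urllib.request

# Added example, not EZSSH's code. Datadog's Logs intake host follows the
# pattern http-intake.logs.<site>; the site list is an assumption based on
# Datadog's public docs, so check it against the site selector on the Logs
# API docs page (step 2 of the Datadog section above).
DATADOG_SITES = {"datadoghq.com", "datadoghq.eu", "us3.datadoghq.com",
                 "us5.datadoghq.com", "ap1.datadoghq.com", "ddog-gov.com"}


def intake_url(site):
    """Map a Datadog site name to its HTTP Logs intake URL (v2 API)."""
    site = site.strip().lower()
    if site not in DATADOG_SITES:
        raise ValueError(f"unknown Datadog site: {site!r}")
    return f"https://http-intake.logs.{site}/api/v2/logs"


def build_test_request(site, api_key):
    """Return (url, headers, body) for one constructed test log entry.

    Top-level keys of each JSON object become log attributes in Datadog,
    which is what makes @event_type, @ActionPerformed and @Certificate
    searchable. The values mirror the EZSSH "Test Connection" event this
    page describes; the exact record layout EZSSH emits is an assumption.
    """
    entry = {
        "ddsource": "ezssh",                  # constructed sample value
        "service": "EZSSH",                   # matches service:EZSSH in the queries
        "hostname": "ezssh-portal",           # constructed sample value
        "message": "EZSSH SIEM test connection",
        "event_type": "EZSSH_SSH",
        "ActionPerformed": "Test Connection",
        "Certificate": "NA",
    }
    headers = {"Content-Type": "application/json", "DD-API-KEY": api_key}
    return intake_url(site), headers, json.dumps([entry]).encode()


def send_test_log(site, api_key):
    """POST the test entry; Datadog answers 202 Accepted when the key is valid.

    A bad key or wrong site surfaces as urllib.error.HTTPError (403/404).
    """
    url, headers, body = build_test_request(site, api_key)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Read the key from the environment so it never lands in a script or shell history.
    key = os.environ.get("DD_API_KEY")
    site = os.environ.get("DD_SITE", "datadoghq.com")
    if key:
        print("Datadog intake responded with HTTP", send_test_log(site, key))
    else:
        url, _headers, body = build_test_request(site, "<api-key-placeholder>")
        print("dry run (set DD_API_KEY to send):", url, body.decode())
```

Run it with `DD_SITE` and `DD_API_KEY` exported; a 202 response followed by a `service:EZSSH @ActionPerformed:"Test Connection"` hit in the Datadog Log Explorer confirms both values before you paste them into the EZSSH portal. Without the key the script only prints the request it would send.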

How To Create Alerts in Datadog to Monitor Your SSH Activity

We recommend setting up alerts for any high-criticality event and closely monitoring medium and low events. Here are some example queries to get you started:

Detect if a User Is Reusing SSH Keys

To detect a user who has reused an SSH key, use the group by setting to group the following log by @UserPublicKey, and set an alert if there is more than one instance of the log below:

service:EZSSH @event_type:EZSSH_SSH

Get All SSH Requests that Granted an SSH Certificate

To get all the requests that created an SSH certificate, run the following query:

service:EZSSH @event_type:EZSSH_SSH -@ActionPerformed:"Test Connection" -@Certificate:NA

This query can then be used to correlate with SSH logins to verify that all logins are done with an EZSSH certificate.

Get the Count of Git Certificates Requested by User

To get the number of git certificates a user has requested, run the following query and use the group by setting to group by @RequestorFriendlyName.

service:EZSSH @event_type:EZSSH_SSH

This query is useful for finding anomalies, such as a user requesting a higher number of certificates than usual.
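The three Datadog queries above, plus the login correlation mentioned under the certificate query, expressed as plain detection logic so you can see exactly what each one matches. This is an added example, not EZSSH's or Datadog's code: the attribute names (@event_type, @UserPublicKey, @ActionPerformed, @Certificate, @RequestorFriendlyName) come from the queries on this page, while the surrounding record shape, the sample EZSSH records and the sample sshd lines are constructed. The sshd correlation goes one step beyond the page by using OpenSSH's own log format, which marks certificate logins with a "-CERT" key type and an "ID ... CA ..." suffix.

```python
import re
from collections import Counter

# Constructed sample EZSSH audit records (not real data). Attribute names match
# the queries on this page; the record shape is an assumption about EZSSH's export.
SAMPLE_LOGS = [
    {"service": "EZSSH", "event_type": "EZSSH_SSH", "RequestorFriendlyName": "alice",
     "UserPublicKey": "AAAAC3_key_alice", "ActionPerformed": "Request Certificate",
     "Certificate": "ssh-ed25519-cert-v01@openssh.com AAAAIH..."},
    {"service": "EZSSH", "event_type": "EZSSH_SSH", "RequestorFriendlyName": "alice",
     "UserPublicKey": "AAAAC3_key_alice", "ActionPerformed": "Request Certificate",
     "Certificate": "ssh-ed25519-cert-v01@openssh.com AAAAIJ..."},   # same key again
    {"service": "EZSSH", "event_type": "EZSSH_SSH", "RequestorFriendlyName": "bob",
     "UserPublicKey": "AAAAC3_key_bob", "ActionPerformed": "Request Certificate",
     "Certificate": "ssh-ed25519-cert-v01@openssh.com AAAAIK..."},
    {"service": "EZSSH", "event_type": "EZSSH_SSH", "RequestorFriendlyName": "admin",
     "UserPublicKey": "", "ActionPerformed": "Test Connection", "Certificate": "NA"},
    {"service": "EZSSH", "event_type": "EZSSH_SSH", "RequestorFriendlyName": "carol",
     "UserPublicKey": "AAAAC3_key_carol", "ActionPerformed": "Request Certificate",
     "Certificate": "NA"},                                           # denied, no cert issued
    {"service": "EZSSH", "event_type": "EZSSH_LOGIN", "RequestorFriendlyName": "bob"},
]


def matches_base(rec):
    """service:EZSSH @event_type:EZSSH_SSH (the prefix shared by all three queries)."""
    return rec.get("service") == "EZSSH" and rec.get("event_type") == "EZSSH_SSH"


def reused_public_keys(records, threshold=1):
    """Query 1: group the base query by @UserPublicKey, alert when count > threshold."""
    counts = Counter(r["UserPublicKey"] for r in records
                     if matches_base(r) and r.get("UserPublicKey"))
    return {key: n for key, n in counts.items() if n > threshold}


def certificate_grants(records):
    """Query 2: base query minus Test Connection events and minus Certificate:NA."""
    return [r for r in records if matches_base(r)
            and r.get("ActionPerformed") != "Test Connection"
            and r.get("Certificate") != "NA"]


def requests_per_requestor(records):
    """Query 3: base query grouped by @RequestorFriendlyName (no exclusions, as on the page)."""
    return Counter(r["RequestorFriendlyName"] for r in records if matches_base(r))


def unusual_requestors(records, baseline):
    """Flag requestors whose count exceeds a per-user baseline (constructed thresholds)."""
    counts = requests_per_requestor(records)
    return sorted(user for user, n in counts.items() if n > baseline.get(user, 0))


# Constructed sshd lines in OpenSSH's "Accepted publickey" format. Certificate
# logins carry a "-CERT" key type plus "ID <keyid> (serial N) CA <type> <fp>".
SAMPLE_SSHD = [
    "Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519-CERT SHA256:abc ID alice (serial 7) CA ED25519 SHA256:ca1",
    "Accepted publickey for bob from 10.0.0.6 port 51235 ssh2: ED25519-CERT SHA256:def ID bob (serial 8) CA ED25519 SHA256:ca1",
    "Accepted publickey for dave from 10.0.0.7 port 51236 ssh2: ED25519 SHA256:ghi",
]
ACCEPTED = re.compile(r"Accepted publickey for (\S+) from (\S+) .* ssh2: (\S+) SHA256:(\S+)")


def non_certificate_logins(sshd_lines):
    """Accepted logins that used a raw key rather than a certificate: (user, source, keytype)."""
    found = []
    for line in sshd_lines:
        m = ACCEPTED.search(line)
        if m and not m.group(3).endswith("-CERT"):
            found.append((m.group(1), m.group(2), m.group(3)))
    return found


def logins_without_ezssh_grant(sshd_lines, records):
    """Users who logged in but have no matching EZSSH certificate grant (query 2 correlation)."""
    granted = {r["RequestorFriendlyName"] for r in certificate_grants(records)}
    logged_in = {m.group(1) for m in map(ACCEPTED.search, sshd_lines) if m}
    return sorted(logged_in - granted)


if __name__ == "__main__":
    print("reused keys:", reused_public_keys(SAMPLE_LOGS))
    print("grants:", [r["RequestorFriendlyName"] for r in certificate_grants(SAMPLE_LOGS)])
    print("requests per user:", dict(requests_per_requestor(SAMPLE_LOGS)))
    print("non-cert logins:", non_certificate_logins(SAMPLE_SSHD))
    print("logins without grant:", logins_without_ezssh_grant(SAMPLE_SSHD, SAMPLE_LOGS))
```

Two details worth noting when you move these to Datadog monitors: the key-reuse query counts every EZSSH_SSH event per key, so a legitimate second request with the same key also trips it (tune the threshold to your renewal cadence), and the per-requestor count on the page deliberately keeps Test Connection events, so an administrator running the portal's test shows up in it. The sshd correlation needs your host logs in the same SIEM; matching on the CA fingerprint in the "CA ..." suffix, in addition to the "-CERT" key type, ties the certificate to your EZSSH CA rather than any CA.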