EZSSH enables your security team to monitor access granted through EZSSH by pushing the information to your SIEM. If your SIEM provider is not currently supported, email your Keytos contact and request a connector for that specific provider.
Using Azure Sentinel enables you to create alerts for abnormal behavior. This section shows a sample alert you can set up to detect misuse of EZSSH. The following query returns every public key that appears in more than one EZSSH_GIT_CL record:
EZSSH_GIT_CL | summarize Count=count() by UserPublicKey_s | where Count > 1
EZSSH uses custom tables to store its data in Azure Log Analytics. Below are some sample queries that should help you get started with exploring the EZSSH data.
To get all the requests that created an SSH certificate, run the following query:
EZSSH_SSH_CL | where ActionPerformed_s != "Test Connection" and isempty(Certificate_s) == false
This query can then be used to correlate with SSH logins to verify that all logins are done with an EZSSH certificate.
To get the number of Git certificates a user has requested per day, run the following query:
EZSSH_GIT_CL | summarize Count=count() by Date=format_datetime(RequestDate_t, 'd-M-yyyy'), RequestorFriendlyName_s
This query is useful for spotting anomalies, such as a user requesting a higher number of certificates than usual.
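As an added example (not from the EZSSH documentation or Keytos), the two detections above are implemented in Python over constructed rows shaped like the EZSSH_GIT_CL columns the queries use, so the logic can be checked offline before it becomes a Sentinel rule. The baseline check goes one step past the page's query by comparing a day's count to the requestor's usual daily volume; the column names come from the page, while the row values, multiplier and minimum count are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample rows using the EZSSH_GIT_CL column names from the page
# (RequestDate_t, RequestorFriendlyName_s, UserPublicKey_s). All values are made up.
SAMPLE_GIT_CL = [
    {"RequestDate_t": "2024-03-01T09:10:00Z", "RequestorFriendlyName_s": "alice", "UserPublicKey_s": "ssh-ed25519 KEY-A1"},
    {"RequestDate_t": "2024-03-02T10:00:00Z", "RequestorFriendlyName_s": "alice", "UserPublicKey_s": "ssh-ed25519 KEY-A2"},
    {"RequestDate_t": "2024-03-03T08:30:00Z", "RequestorFriendlyName_s": "alice", "UserPublicKey_s": "ssh-ed25519 KEY-A3"},
    {"RequestDate_t": "2024-03-03T11:45:00Z", "RequestorFriendlyName_s": "alice", "UserPublicKey_s": "ssh-ed25519 KEY-A4"},
    {"RequestDate_t": "2024-03-01T09:00:00Z", "RequestorFriendlyName_s": "bob",   "UserPublicKey_s": "ssh-ed25519 KEY-B1"},
    {"RequestDate_t": "2024-03-02T09:00:00Z", "RequestorFriendlyName_s": "bob",   "UserPublicKey_s": "ssh-ed25519 KEY-B2"},
] + [
    # Constructed burst: six requests from bob on one day, one of them reusing KEY-B1.
    {"RequestDate_t": f"2024-03-03T{h:02d}:00:00Z", "RequestorFriendlyName_s": "bob",
     "UserPublicKey_s": "ssh-ed25519 KEY-B1" if h == 14 else f"ssh-ed25519 KEY-B3{h}"}
    for h in range(12, 18)
]

def day_of(row):
    """Same day bucket the page's format_datetime(RequestDate_t, 'd-M-yyyy') produces."""
    d = datetime.strptime(row["RequestDate_t"], "%Y-%m-%dT%H:%M:%SZ")
    return f"{d.day}-{d.month}-{d.year}"

def daily_counts(rows):
    """Mirror of the page's summarize query: requests per (day, requestor)."""
    return Counter((day_of(r), r["RequestorFriendlyName_s"]) for r in rows)

def reused_public_keys(rows):
    """Mirror of the alert query: public keys that appear in more than one request."""
    key_counts = Counter(r["UserPublicKey_s"] for r in rows)
    return {k: n for k, n in key_counts.items() if n > 1}

def requestors_over_baseline(rows, multiplier=3.0, min_count=3):
    """Flag a (day, requestor) whose count exceeds `multiplier` times that requestor's
    mean daily count on their other active days. A requestor with only one active
    day has no baseline and is not flagged; tiny counts below `min_count` are ignored."""
    per_user = defaultdict(dict)
    for (day, user), n in daily_counts(rows).items():
        per_user[user][day] = n
    flagged = {}
    for user, days in per_user.items():
        for day, n in days.items():
            others = [c for d, c in days.items() if d != day]
            if not others or n < min_count:
                continue
            baseline = mean(others)
            if n > multiplier * baseline:
                flagged[(day, user)] = (n, baseline)
    return flagged
```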