How to Send your PKI Logs to your SIEM
Prerequisites
Introduction - How to Send your PKI Logs to your SIEM
EZCA enables your security team to monitor critical user actions by pushing the information to your SIEM. If your SIEM provider is not currently supported email your Keytos contact and request a connector for that specific provider.
Video Version - How to Send your PKI Logs to your SIEM
How To Connect Your PKI To Azure Sentinel
- Go to the EZCA Portal.
- Click on Settings.
- Expand your subscription’s advanced settings.
- Enable the “Send Audit Logs” to SIEM option.
- Select Sentinel as the SIEM Provider.
- In another tab, go to the Azure Portal
- Select the log analytics connected to your Sentinel instance.
- Click on “Agents Management”.
- Copy Your Workspace ID.
- Go back to the EZCA tab and paste it in the “Workspace ID” field.
- Go back to the Azure tab and copy the primary key.
- Go back to the EZCA tab and paste the key in the “Workspace Key” field.
- Click the “Test Connection” button, this will create a test log in your SIEM to make sure EZCA can write to the EZCA.
- If the connection test is successful, click “Save changes”.
- EZCA will now send your security logs to your SIEM. If an error occurs it will email your subscription PKI administrators.
How To Connect Your PKI To CrowdStrike Falcon LogScale
- Go to the EZCA Portal.
- Click on Settings.
- Expand your subscription’s advanced settings.
- Enable the “Send Audit Logs” to SIEM option.
- Select CrowdStrike Falcon LogScale as the SIEM Provider.
- In another tab, go to your CrowdStrike Falcon LogScale instance.
- Click on the Settings tab.
- Select the “Ingest Tokens” menu.
- Click on the “Add Token” button.
- Enter the token name
- Assign the json parser and click “Create”.
- Copy the token and the ingest host name.
- Go back to the EZCA tab.
- Paste the ingest host name in the “Ingestion Endpoint” field.
- Paste the token in the “Ingestion Token” field.
- Click the “Test Connection” button, this will create a test log in your SIEM to make sure EZCA can write to the SIEM.
- If the connection test is successful, click “Save changes”.
SIEM Events
CA Operation Events
| Event ID | Event Summary | Description | Potential Criticality |
|---|---|---|---|
| 4882 | The security permissions for Certificate Services changed | A change in CA settings that might give or remove critical permissions | High |
| 92 | CA change denied due to insufficient permissions | A user attempted to change CA settings without the proper permissions | High |
| 23 | Intermediate CA request rejected | A new Intermediate CA request has been rejected | High |
| 19 | CA deleted | This indicates that a CA was deleted | High |
| 28 | Intermediate CA was imported | A new Intermediate CA has been created chaining to an external CA | Medium |
| 22 | Intermediate CA created with EZCA Root | A new Intermediate CA has been created chaining to an EZCA CA | Medium |
| 12 | CA was renewed | A CA has been renewed | Low |
Certificate Operation Events
| Event ID | Event Summary | Description | Potential Criticality |
|---|---|---|---|
| 4888 | Certificate request denied due to insufficient permissions | A user attempted to request a certificate without the proper permissions | High |
| 4870 | A certificate has been revoked | This can cause an outage if was done by mistake or the new certificate is not added to all the endpoints that use the certificate | Medium |
| 4887 | Certificate was created | This event indicates a certificate was created successfully | Low |
How To Create Alerts in SIEM to Monitor Your PKI
Using Azure Sentinel enables you to create alerts for critical operations or abnormal behavior. We recommend setting up alerts for any high criticality event, and closely monitor medium and low events. Below are sample queries that can be used to create alerts.
How To Detect Certificate Request Denied
Certificate request denied is an event that is created when a user requests a certificate that they do not have permission to request. It is important to alert on this event since it can be an attacker attempting to escalate privileges by requesting a certificate. Below is a sample query to retrieve this specific event:
Azure Sentinel
EZCA_Certificates_CL | where EventID_d == 4888
CrowdStrike Falcon LogScale
LogType = "EZCA_Certificates" and EventID = 4888
How To Detect CA Permissions Changed
CA Permission Changed is an event that is created when a user changes the security permissions for a CA. This event should be monitored since it is a low frequency high impact action that could indicate a compromise to your PKI administrator’s accounts. Below is a sample query to retrieve this specific event:
Azure Sentinel
EZCA_CAs_CL | where EventID_d == 4882
CrowdStrike Falcon LogScale
LogType = "EZCA_CAs" and EventID = 4882
How To Detect CA Changes Denied
CA Permission Denied is an event that is created when a user attempts to change the security permissions for a CA without having the proper security permissions. It is important to alert on this event since it can be an attacker attempting to escalate privileges by changing the security configuration of your certificate authority. Below is a sample query to retrieve this specific event:
Azure Sentinel
EZCA_CAs_CL | where EventID_d == 92
CrowdStrike Falcon LogScale
LogType = "EZCA_CAs" and EventID = 92
How To Detect a Deleted CA
CA Deleted is an event that is created when a user deletes a CA. This event should be monitored since it is a low frequency high impact action that could indicate a compromise to your PKI administrator’s accounts. Below is a sample query to retrieve this specific event:
Azure Sentinel
EZCA_CAs_CL | where EventID_d == 19
CrowdStrike Falcon LogScale
LogType = "EZCA_CAs" and EventID = 19