5. Connecting to SIEM

Prerequisites

  1. Registering the application in your tenant
  2. Selecting a Plan

Introduction

EZCA enables your security team to monitor critical user actions by pushing the information to your SIEM. If your SIEM provider is not currently supported, email your Keytos contact and request a connector for that specific provider.

Video Version

Connecting To Azure Sentinel

  1. Go to the EZCA Portal.
  2. Click on Settings.
  3. Expand your subscription’s advanced settings.
  4. Enable the “Send Audit Logs to SIEM” option.
  5. Select Sentinel as the SIEM Provider.
  6. In another tab, go to the Azure Portal.
  7. Select the Log Analytics workspace connected to your Sentinel instance.
  8. Click on “Agents Management”.
  9. Copy your Workspace ID.
  10. Go back to the EZCA tab and paste it in the “Workspace ID” field.
  11. Go back to the Azure tab and copy the primary key.
  12. Go back to the EZCA tab and paste the key in the “Workspace Key” field.
  13. Click the “Test Connection” button. This creates a test log entry in your SIEM to make sure EZCA can write to it.
  14. If the connection test is successful, click “Save changes”.
  15. EZCA will now send your security logs to your SIEM. If an error occurs, it will email your subscription’s PKI administrators.

SIEM Events

CA Operation Events

Event ID | Event Summary                                              | Description                                                               | Potential Criticality
4882     | The security permissions for Certificate Services changed  | A change in CA settings that might give or remove critical permissions    | High
92       | CA change denied due to insufficient permissions           | A user attempted to change CA settings without the proper permissions     | High
19       | CA deleted                                                 | This indicates that a CA was deleted                                      | High
28       | Intermediate CA was imported                               | A new Intermediate CA has been created chaining to an external CA         | Medium
22       | Intermediate CA created with EZCA Root                     | A new Intermediate CA has been created chaining to an EZCA CA             | Medium
12       | CA was renewed                                             | A CA has been renewed                                                     | Low

Certificate Operation Events

Event ID | Event Summary                                               | Description                                                                                                                          | Potential Criticality
4888     | Certificate request denied due to insufficient permissions  | A user attempted to request a certificate without the proper permissions                                                             | High
4870     | A certificate has been revoked                              | This can cause an outage if it was done by mistake or the new certificate is not added to all the endpoints that use the certificate | Medium
4887     | Certificate was created                                     | This event indicates a certificate was created successfully                                                                          | Low

Creating Alerts in Azure Sentinel

Using Azure Sentinel enables you to create alerts for critical operations or abnormal behavior. We recommend setting up alerts for every high criticality event and closely monitoring medium and low criticality events. Below are sample queries that can be used to create alerts.

Certificate request denied

Certificate request denied is an event that is created when a user requests a certificate that they do not have permission to request. It is important to alert on this event since it can be an attacker attempting to escalate privileges by requesting a certificate. Below is a sample query to retrieve this specific event:

EZCA_Certificates_CL | where EventID_d == 4888

CA Permissions Changed

CA Permissions Changed is an event that is created when a user changes the security permissions for a CA. This event should be monitored since it is a low-frequency, high-impact action that could indicate a compromise of your PKI administrators’ accounts. Below is a sample query to retrieve this specific event:

EZCA_CAs_CL | where EventID_d == 4882

CA Changes Denied

CA Change Denied is an event that is created when a user attempts to change the security permissions for a CA without having the proper security permissions. It is important to alert on this event since it can be an attacker attempting to escalate privileges by changing the security configuration of your certificate authority. Below is a sample query to retrieve this specific event:

EZCA_CAs_CL | where EventID_d == 92

CA Deleted

CA Deleted is an event that is created when a user deletes a CA. This event should be monitored since it is a low-frequency, high-impact action that could indicate a compromise of your PKI administrators’ accounts. Below is a sample query to retrieve this specific event:

EZCA_CAs_CL | where EventID_d == 19
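Each of the queries above watches a single event ID in a single table. As an added example that is not part of the EZCA documentation, the following KQL query covers every event the tables above rate as high criticality in one scheduled analytics rule and tags each hit with its summary. It assumes only the two custom tables and the EventID_d column shown on this page, plus the standard TimeGenerated column that Log Analytics adds to every record; the one-hour lookback is a placeholder to match whatever schedule you give the rule.

```kusto
// Constructed lookup of the high-criticality events listed on this page.
let HighCriticality = datatable(EventID:long, EventSummary:string) [
    4882, "The security permissions for Certificate Services changed",
    92,   "CA change denied due to insufficient permissions",
    19,   "CA deleted",
    4888, "Certificate request denied due to insufficient permissions"
];
// CA and certificate events live in separate custom tables, so union them
// and record which table each row came from.
union withsource=SourceTable EZCA_CAs_CL, EZCA_Certificates_CL
| where TimeGenerated > ago(1h)          // placeholder: align with the rule's schedule
| extend EventID = tolong(EventID_d)     // EventID_d is stored as a double
| join kind=inner HighCriticality on EventID
| project TimeGenerated, SourceTable, EventID, EventSummary
| order by TimeGenerated desc
```

Because the lookup table carries the summary text, the alert title can reference EventSummary directly rather than a bare event number.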