Audit Active Directory Certificate Services using Azure Sentinel
This blog post shows you how to enable and configure Active Directory Certificate Services (ADCS) auditing and how to get the resulting Security events into Azure Sentinel.
What do you need?
- Log Analytics workspace
- Azure Sentinel
- Azure Arc
You may be wondering why you need Azure Arc for ADCS auditing. In this case, I assume that you do not already forward all Security events to Azure Sentinel through Azure Security Center or the Security Events connector. If you enable the Azure Security Center or the Security Events connector in Sentinel, you have four configuration options (All events, Common, Minimal, None):
If you use Common, the connector collects only about 150 different events from the Security log, and the ADCS event IDs are not among them. Of course, you can set the Security Events connector or Azure Security Center to forward all events, but I don't want to do that. Azure Arc and the Azure Monitor Agent allow me to define my own Data Collection Rules and collect exactly the events I need.
If you are already sending all the Security logs to Azure Sentinel, you don’t need to deploy Azure Arc.
The first step is to make sure that auditing is enabled on your ADCS servers.
Run the auditpol command and ensure that the "Certification Services" and "Registry" subcategories (both under Object Access) are enabled for Success and Failure.
- auditpol /get /category:*
You can configure advanced auditing settings using the auditpol /set command or through Group Policy.
- auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
- Group Policy settings for ADCS servers
The next step is to enable auditing through the Certification Authority snap-in. To do that, follow these steps on your ADCS server:
- Open Server Manager
- Select Tools -> Certification Authority
- Right-click your CA name and choose properties
- Select Auditing
- Enable the auditing settings you need
- Back up and restore the CA database
- Change CA configuration
- Change CA security settings
- Issue and manage certificate requests
- Revoke certificates and publish CRLs
- Store and retrieve archived keys
- Start and stop ADCS service
The next step is to enable auditing of certificate template loads and updates (events 4898 and 4899) using the certutil command:
- certutil -setreg policy\EditFlags +EDITF_AUDITCERTTEMPLATELOAD
Because some changes can be made directly in the registry, bypassing the CA snap-in entirely, we also need to enable registry auditing on the CA configuration key. To do that:
- Open Regedit on your ADCS server
- Browse to the CertSvc Configuration key (HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration)
- Right-click Configuration and choose Permissions
- Click Advanced
- Choose Auditing and click Add
- Set the principal to Authenticated Users and configure the following permissions
- Set Value
- Create SubKey
- Write DAC
- Write Owner
- Read Control
Reboot your server (or at least restart the Certificate Services service, which is what actually picks up the new EditFlags and audit filter) and verify the changes. After the restart, you should see the ADCS event IDs (4868 to 4900) in your Security log.
Now that we have ADCS auditing up and running, we can continue with Azure Arc and Sentinel.
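The whole procedure above (audit policy, CA audit filter, template-load auditing, registry SACL, restart, verification) as a single script. This is an added example, not code from the original post; it assumes an elevated PowerShell prompt on the CA, the default CertSvc registry location, and, as in the post, Authenticated Users (S-1-5-11) as the audited principal. The AuditFilter value is the bitmask that the Auditing tab of the CA properties writes, so setting it with certutil is equivalent to ticking the seven boxes in the snap-in.

```powershell
# Added example (not from the original post): enable every ADCS audit setting described above.
# Assumes an elevated prompt on the CA and the default CertSvc registry location.
#Requires -RunAsAdministrator

# 1. Advanced audit policy: both subcategories live under Object Access.
auditpol.exe /set /subcategory:"Certification Services" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable

# 2. CA audit filter, the bitmask behind the Auditing tab of the CA properties:
#     1 = start/stop service        2 = back up/restore CA database
#     4 = issue/manage requests     8 = revoke certificates/publish CRLs
#    16 = change CA configuration  32 = change CA security settings
#    64 = store/retrieve archived keys.  127 turns all seven on.
certutil.exe -setreg CA\AuditFilter 127

# 3. Audit certificate template loads and updates (events 4898 / 4899).
certutil.exe -setreg policy\EditFlags '+EDITF_AUDITCERTTEMPLATELOAD'

# 4. Registry SACL on the CertSvc Configuration key: Set Value, Create Subkey,
#    Write DAC (ChangePermissions), Write Owner (TakeOwnership), Read Control
#    (ReadPermissions), for Authenticated Users, inherited by all subkeys.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$principal = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')
$rights    = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership, ReadPermissions'
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $principal,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $keyPath -Audit      # -Audit is required to read/write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 5. Restart the CA so the new EditFlags and AuditFilter are read. Because bit 1
#    (start/stop) is now set, the restart itself is audited and gives you a first
#    event to look for.
Restart-Service -Name CertSvc

# 6. Verify the configuration, then look for event 4880 (Certificate Services started).
auditpol.exe /get /subcategory:"Certification Services"
auditpol.exe /get /subcategory:"Registry"
certutil.exe -getreg CA\AuditFilter
(Get-Acl -Path $keyPath -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags, InheritanceFlags -AutoSize
Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4880]]' -MaxEvents 1 |
    Format-List TimeCreated, Id, Message
```

If step 6 shows the SACL but no event 4880, the audit policy is usually the culprit: a domain GPO that sets "Audit: Force audit policy subcategory settings" or that defines the Object Access subcategories will overwrite whatever auditpol set locally at the next policy refresh, so put the two subcategories in the GPO that targets the CA servers instead.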
Azure Arc configuration
For the Azure Arc configuration, follow this guide: Connect hybrid machine with Azure Arc enabled servers – Azure Arc | Microsoft Docs
After that, install the Azure Monitor Agent extension: Install the Azure Monitor agent – Azure Monitor | Microsoft Docs
Now that you have Azure Arc up and running, we can continue with the Data Collection Rules. In Azure Sentinel, we have a new connector called Windows Security Events (Preview). This connector allows us to define custom event filters for Azure Arc-enabled servers. In the Data Collection Rule, you specify the events to collect as XPath queries.
You can test your XPath queries locally with the Get-WinEvent PowerShell cmdlet and its -FilterXPath parameter before you put them in a rule.
To collect the ADCS audit events into Azure Sentinel, we need to do this:
- Open Azure Sentinel
- Select Data Connectors and choose Windows Security Events (Preview)
- Click +Add data collection rule
- On the Create Data Collection Rule page, fill out the following information:
- Rule Name: Collect-ADCS-Security-Events
- Resource Group
- Click Next
- On the Resources page, choose your ADCS servers
- Click Next
- On the Collect page, specify your XPath queries, for example:
- Security!*[System[(EventID=4882 or EventID=4899)]]
- This example collects only two events (4882, the security permissions for Certificate Services changed; 4899, a certificate template was updated). There are many more ADCS event IDs; see the spreadsheet at the end of the post.
- Click Add and Next
- On the Review + create page, Create
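Before you paste a query into the Collect page, it is worth running it on the CA itself: the Get-WinEvent test mentioned above tells you both that the XPath is accepted by the Windows event log engine and that the CA actually produces the events you are asking for. The following is an added example, not part of the original post. It assumes the DCR convention `<LogName>!<XPath>` (the Data Collection Rule form of the query) and the ADCS event ID range 4868 to 4900 of the Certification Services subcategory; the helper function name is made up for this example.

```powershell
# Added example (not from the original post): test DCR XPath queries locally on the CA.
# A DCR entry is written as "<LogName>!<XPath>"; Get-WinEvent takes the two halves separately.
function Test-DcrXPath {
    param(
        [Parameter(Mandatory)][string]$DcrQuery,
        [int]$MaxEvents = 10
    )
    $log, $xpath = $DcrQuery -split '!', 2
    if (-not $xpath) { throw "Expected '<LogName>!<XPath>' but got '$DcrQuery'" }
    try {
        Get-WinEvent -LogName $log -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction Stop |
            Select-Object TimeCreated, Id, TaskDisplayName,
                          @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
    catch {
        # Get-WinEvent throws when nothing matches. That is a valid query with no data,
        # which is a different problem (auditing not producing events) than a bad XPath.
        if ($_.Exception.Message -like 'No events were found*') {
            Write-Warning "Query is valid but matched no events in '$log': $xpath"
        }
        else {
            throw   # malformed XPath, unknown log name, access denied, ...
        }
    }
}

# Queries to test: the one from the post, the complete Certification Services range,
# and the registry-value-modified event (4657) that the SACL on the CertSvc key produces.
$queries = @(
    'Security!*[System[(EventID=4882 or EventID=4899)]]',
    'Security!*[System[(EventID>=4868 and EventID<=4900)]]',
    'Security!*[System[EventID=4657]]'
)

foreach ($q in $queries) {
    "`n== $q =="
    Test-DcrXPath -DcrQuery $q -MaxEvents 5
}
```

Keep the queries to the System element (event IDs, providers, keywords, comparison operators); the Windows event log implements only a subset of XPath 1.0 and does not support string functions such as contains(), so a query that works in Get-WinEvent is a query the agent can evaluate, and one that fails here will fail in the rule as well. If the second query returns nothing right after you restart the CA, go back to the auditing section rather than to the rule: event 4880 (service started) should be there whenever the audit filter is in effect.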
Azure Sentinel is now connected to your ADCS servers. Shortly, the ADCS events should appear in the SecurityEvent table of your workspace, and you can start building custom analytics rules on top of them.
As a bonus, we put together a separate Excel spreadsheet listing the different ADCS event IDs.
You can download it from here – Azure-Sentinel/ADCS-EventLogs.xlsx at main · Kaidja/Azure-Sentinel (github.com)