What Changed

New Microsoft Sentinel solution for Utimaco Enterprise Secure Key Manager (ESKM) provides comprehensive monitoring of cryptographic key management operations and authentication events.

Data Source

Utimaco ESKM is an enterprise-grade Hardware Security Module (HSM) and key management platform supporting KMIP (Key Management Interoperability Protocol). This solution ingests:

  • KMIP server operation logs (CREATE, GET, DESTROY, EXPORT, IMPORT)
  • Authentication success/failure events
  • Permission denied incidents
  • Object lifecycle management activities

Ingestion Mechanism

CCF-based (Codeless Connector Framework) connector using RestApiPoller with time-based incremental data fetching and pagination support. Populates the custom table UtimacoESKMKmipServerLogs_CL in Microsoft Sentinel.

Detection Surface Unlocked

Critical visibility into enterprise cryptographic infrastructure enabling detection of:

  • Cryptographic material theft and bulk key extraction
  • Insider threats targeting encryption keys
  • Ransomware-style key destruction campaigns
  • Privilege escalation attempts against key stores
  • Unauthorized applications accessing cryptographic material

Bundled Content

  • 3 Analytic Rules: Authentication brute-force, permission denied bursts, mass key destruction
  • 4 Hunting Queries: Rare users, new source IPs, high-volume key retrieval, after-hours activity
  • 1 Workbook: Key metrics dashboard with operation outcomes, authentication trends, activity timeline
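As an added illustration (not code from this PR or from the solution's KQL rules), the sliding-window counting that underlies the three analytic rules, run over constructed KMIP log records; the field names, operation names and thresholds are assumptions, not the real UtimacoESKMKmipServerLogs_CL schema:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records. Field names (ts, user, op, result) are assumed
# for illustration; they are not the real UtimacoESKMKmipServerLogs_CL schema.
def _ev(ts, user, op, result):
    return {"ts": ts, "user": user, "op": op, "result": result}
SAMPLE_EVENTS = (
    # six successful DESTROYs by one service account inside 50 seconds
    [_ev(f"2024-05-01T02:00:{s:02d}Z", "svc-backup", "DESTROY", "SUCCESS")
     for s in range(0, 60, 10)]
    # five DESTROYs by an admin, but spread hours apart over a working day
    + [_ev(f"2024-05-01T{h:02d}:15:00Z", "key-admin", "DESTROY", "SUCCESS")
       for h in (9, 12, 15, 18, 21)]
    # five failed logins for one account inside 40 seconds
    + [_ev(f"2024-05-01T03:10:{s:02d}Z", "app-user", "LOGIN", "FAILURE")
       for s in range(0, 50, 10)]
    # three permission-denied GETs two minutes apart, plus one normal GET
    + [_ev(f"2024-05-01T11:{m:02d}:00Z", "svc-report", "GET", "PERMISSION_DENIED")
       for m in (0, 2, 4)]
    + [_ev("2024-05-01T10:00:00Z", "app-user", "GET", "SUCCESS")]
)

def burst_actors(events, result, threshold, window_seconds, op=None):
    """Return {user: peak} for users whose matching events reach `threshold`
    inside some sliding window of `window_seconds`. op=None matches any op."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == result and (op is None or e["op"] == op):
            by_user[e["user"]].append(datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    span, hits = timedelta(seconds=window_seconds), {}
    for user, times in by_user.items():
        win, peak = deque(), 0
        for t in sorted(times):
            win.append(t)
            while t - win[0] > span:  # evict events older than the window
                win.popleft()
            peak = max(peak, len(win))
        if peak >= threshold:
            hits[user] = peak
    return hits

# The three bundled rule ideas, each a thin wrapper over the same core.
def mass_key_destruction(events, threshold=5, window=300):
    return burst_actors(events, "SUCCESS", threshold, window, op="DESTROY")
def auth_brute_force(events, threshold=5, window=300):
    return burst_actors(events, "FAILURE", threshold, window, op="LOGIN")
def permission_denied_burst(events, threshold=3, window=300):
    return burst_actors(events, "PERMISSION_DENIED", threshold, window)
```

Note that the admin's five DESTROYs never trip the rule at a 5-minute window but do at a 24-hour one, which is the tuning question each rule's threshold and window settle.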

MITRE Coverage

Covers critical attack techniques including T1552 (Unsecured Credentials), T1485 (Data Destruction), T1110 (Brute Force), T1078 (Valid Accounts), T1133 (External Remote Services), T1087 (Account Discovery), and T1005 (Data from Local System).

Security Impact

Addresses a significant blind spot in enterprise security monitoring by providing visibility into cryptographic key lifecycle events - essential for detecting advanced persistent threats targeting encryption infrastructure.

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/UtimacoESKMKmipServerLogs.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Logos/UtimacoLogoSVG.svg
Solutions/Utimaco Enterprise Secure Key Manager/.vscode/settings.json
Solutions/Utimaco Enterprise Secure Key Manager/Analytic Rules/UtimacoESKM_AuthFailureBruteForce.yaml
Solutions/Utimaco Enterprise Secure Key Manager/Analytic Rules/UtimacoESKM_DestroyBurst.yaml
Solutions/Utimaco Enterprise Secure Key Manager/Analytic Rules/UtimacoESKM_PermissionDeniedBurst.yaml
Solutions/Utimaco Enterprise Secure Key Manager/Data Connectors/sentinel-connectors/UtimacoESKM_CCF/UtimacoESKM_ArmTemplate.json
Solutions/Utimaco Enterprise Secure Key Manager/Data Connectors/sentinel-connectors/UtimacoESKM_CCF/UtimacoESKM_ConnectorDefinition.json
Solutions/Utimaco Enterprise Secure Key Manager/Data Connectors/sentinel-connectors/UtimacoESKM_CCF/UtimacoESKM_DCR.json
Solutions/Utimaco Enterprise Secure Key Manager/Data Connectors/sentinel-connectors/UtimacoESKM_CCF/UtimacoESKM_PollingConfig.json
Solutions/Utimaco Enterprise Secure Key Manager/Data Connectors/sentinel-connectors/UtimacoESKM_CCF/UtimacoESKM_Table.json
Solutions/Utimaco Enterprise Secure Key Manager/Hunting Queries/UtimacoESKM_AfterHoursActivity.yaml
Solutions/Utimaco Enterprise Secure Key Manager/Hunting Queries/UtimacoESKM_HighVolumeKeyRetrieval.yaml
Solutions/Utimaco Enterprise Secure Key Manager/Hunting Queries/UtimacoESKM_NewSourceIPs.yaml
Solutions/Utimaco Enterprise Secure Key Manager/Hunting Queries/UtimacoESKM_RareKmipUsers.yaml
Solutions/Utimaco Enterprise Secure Key Manager/Package/testParameters.json
Solutions/Utimaco Enterprise Secure Key Manager/README.md
Solutions/Utimaco Enterprise Secure Key Manager/Workbooks/ESKMworkbook.json
Workbooks/Images/Logos/UtimacoLogoSVG.svg
Workbooks/Images/Preview/UtimacoESKMBlack1.png
Workbooks/Images/Preview/UtimacoESKMBlack2.png
Workbooks/Images/Preview/UtimacoESKMWhite1.png
Workbooks/Images/Preview/UtimacoESKMWhite2.png
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_ESKM.json, createUiDefinition.json, mainTemplate.json)