Event Flow
This page describes the event-driven security pipeline that connects threat detection to automated certificate revocation. For details on the revocation process itself, see Certificate Revocation.
The lab implements a fully automated security response pipeline. When a Mock EDR or SIEM detects a security incident, it publishes an event to Kafka. Event-Driven Ansible (EDA) consumes the event and triggers the appropriate Ansible playbook to revoke the compromised certificate on the correct Dogtag PKI hierarchy -- all within a sub-60 second response window.
```text
┌──────────────┐        ┌──────────────┐
│   Mock EDR   │        │  Mock SIEM   │
│  (FastAPI)   │        │  (FastAPI)   │
└──────┬───────┘        └──────┬───────┘
       │                       │
       │ POST /events          │ POST /events
       ▼                       ▼
┌──────────────────────────────────┐
│          Apache Kafka            │
│   Topic: security-events         │
│   Group: eda-security-processor  │
└──────────────┬───────────────────┘
               │
               │ Consume (offset: earliest)
               ▼
┌──────────────────────────────────┐
│    Event-Driven Ansible (EDA)    │
│   Rulebook: security-events.yml  │
│   87 rules across 26 event types │
└──────────────┬───────────────────┘
               │
               │ run_playbook (via SSH bridge)
               ▼
┌──────────────────────────────────┐
│         Ansible Playbook         │
│   dogtag-{rsa,ecc,pqc}-revoke-   │
│   certificate.yml                │
│   freeipa-revoke-certificate.yml │
└──────────────┬───────────────────┘
               │
               │ pki-cli.py / REST API
               ▼
┌──────────────────────────────────┐
│           Dogtag PKI CA          │
│   Certificate Status → REVOKED   │
│   CRL Regenerated                │
└──────────────────────────────────┘
```
| Parameter | Value |
|---|---|
| Host | kafka.cert-lab.local |
| Port | 9092 |
| Topic | security-events |
| Group ID | eda-security-processor |
| Offset | earliest |
Events are published as JSON messages to the security-events topic by the Mock EDR and Mock SIEM services. EDA consumes from the topic using the eda-security-processor consumer group.
The rulebook is defined in ansible/rulebooks/security-events.yml. It contains 87 rules covering 26 event types across all three PKI hierarchies.
```yaml
- name: Security Event Processor
  hosts: all
  sources:
    - ansible.eda.kafka:
        host: kafka.cert-lab.local
        port: 9092
        topic: security-events
        group_id: eda-security-processor
        offset: earliest
```

Every rule matches on a combination of fields from the Kafka message body:
```yaml
- name: Critical Malware Detection - RSA
  condition: >
    event.body.source in ["edr", "siem"] and
    event.body.event_type == "malware_detection" and
    event.body.severity == "critical" and
    event.body.action_required == "revoke_certificate" and
    (event.body.pki_type is not defined or event.body.pki_type == null
     or event.body.pki_type == "rsa")
  action:
    run_playbook:
      name: /playbooks/dogtag-rsa-revoke-certificate.yml
      extra_vars:
        event: "{{ event.body }}"
        priority: "critical"
        ca_level: "intermediate"
```

Condition fields:
| Field | Purpose | Example Values |
|---|---|---|
| event.body.source | Event origin | "edr", "siem" |
| event.body.event_type | Type of security incident | "malware_detection", "key_compromise" |
| event.body.severity | Severity level | "high", "critical" |
| event.body.action_required | Requested action | "revoke_certificate" |
| event.body.pki_type | Target PKI hierarchy | "rsa", "ecc", "pqc" |
Every event type has explicit rules for each PKI hierarchy. There is no catch-all fallback rule.
- RSA rules match when pki_type is "rsa", is not defined, or is null (RSA is the default)
- ECC rules match when pki_type == "ecc"
- PQC rules match when pki_type == "pqc"
Each rule dispatches to the corresponding playbook:
| PKI Type | Playbook |
|---|---|
| RSA-4096 | dogtag-rsa-revoke-certificate.yml |
| ECC P-384 | dogtag-ecc-revoke-certificate.yml |
| ML-DSA-87 | dogtag-pqc-revoke-certificate.yml |
Events are routed to different CAs based on their category:
| Event Category | Target CA | Notes |
|---|---|---|
| Original (malware, credential theft, etc.) | Intermediate CA | General server certificates |
| PKI/Cert (key_compromise, rogue_ca, etc.) | From event or default IoT | ca_level set by event or playbook default |
| IoT (firmware_integrity, device_cloning, etc.) | IoT CA | Device certificates |
| Identity (impossible_travel, mfa_bypass, etc.) | Intermediate CA + FreeIPA | Dual revocation |
| Network (tls_downgrade, ct_log_mismatch, etc.) | Intermediate CA | Network-layer certificates |
| SIEM (data_exfiltration, unauthorized_access, etc.) | Intermediate CA | Sourced from SIEM |
CA level resolution priority (highest first):
- event.ca_level -- value set in the event payload by the caller
- ca_level from rulebook extra_vars -- value set in the rule action
- Default iot -- hardcoded fallback in the playbook
Identity-related events (impossible_travel, service_account_abuse, mfa_bypass, kerberoasting) fire two rules simultaneously:
- A Dogtag PKI rule (RSA/ECC/PQC based on pki_type) targeting the Intermediate CA
- A FreeIPA rule (fires for all pki_type values) running freeipa-revoke-certificate.yml
This ensures that both the Dogtag-issued certificate and the FreeIPA-managed identity are revoked in parallel.
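As an added example (not code from the lab itself), the rule matching, PKI-type defaulting, identity dual-fire and CA level resolution described above can be modelled in Python so an event payload can be checked against the documented routing before it is published to Kafka. The function names and the `None` CA level for the FreeIPA playbook are assumptions; the event categories and defaults follow the tables on this page.

```python
# Reference model of the rulebook's dispatch logic (added example, not the lab's code).
IDENTITY_EVENTS = {"impossible_travel", "service_account_abuse", "mfa_bypass", "kerberoasting"}
IOT_EVENTS = {"firmware_integrity", "device_cloning", "iot_anomaly", "protocol_attack"}
PKI_EVENTS = {"key_compromise", "geo_anomaly", "compliance_violation", "mitm_detected", "rogue_ca"}
OTHER_EVENTS = {"malware_detection", "credential_theft", "ransomware", "c2_communication",
                "lateral_movement", "privilege_escalation", "suspicious_script",
                "tls_downgrade", "ct_log_mismatch", "ocsp_bypass",
                "data_exfiltration", "unauthorized_access", "certificate_misuse"}
ALL_EVENTS = IDENTITY_EVENTS | IOT_EVENTS | PKI_EVENTS | OTHER_EVENTS
PKI_TYPES = ("rsa", "ecc", "pqc")


def base_filter(body):
    """Fields every rule requires: source, severity filter and requested action."""
    return (body.get("source") in ("edr", "siem")
            and body.get("severity") in ("high", "critical")
            and body.get("action_required") == "revoke_certificate")


def pki_type_for(body):
    """RSA is the default when pki_type is absent or null; an unknown value matches no rule."""
    pt = body.get("pki_type")
    if pt is None:
        return "rsa"
    return pt if pt in PKI_TYPES else None


def rule_ca_level(event_type):
    """ca_level the rule action would pass in extra_vars (None for PKI/Cert events)."""
    if event_type in IOT_EVENTS:
        return "iot"
    if event_type in PKI_EVENTS:
        return None  # left to the event payload or the playbook default
    return "intermediate"


def resolve_ca_level(body, rule_level):
    """Priority: event.ca_level, then rulebook extra_vars, then the playbook default 'iot'."""
    return body.get("ca_level") or rule_level or "iot"


def dispatch(body):
    """Return the (playbook, ca_level) pairs the rulebook would run for this event."""
    et = body.get("event_type")
    if not base_filter(body) or et not in ALL_EVENTS:
        return []  # no catch-all rule: nothing fires
    runs = []
    pt = pki_type_for(body)
    if pt:
        runs.append((f"dogtag-{pt}-revoke-certificate.yml", resolve_ca_level(body, rule_ca_level(et))))
    if et in IDENTITY_EVENTS:  # FreeIPA rule fires for every pki_type value
        runs.append(("freeipa-revoke-certificate.yml", None))  # assumption: no ca_level needed
    return runs
```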
| Event Type | Severity Filter | CA Level |
|---|---|---|
| malware_detection | critical, high | intermediate |
| credential_theft | high, critical | intermediate |
| ransomware | high, critical | intermediate |
| c2_communication | high, critical | intermediate |
| lateral_movement | high, critical | intermediate |
| privilege_escalation | high, critical | intermediate |
| suspicious_script | high, critical | intermediate |
| Event Type | Severity Filter | CA Level | Reason Code |
|---|---|---|---|
| key_compromise | high, critical | event default | 1 (KEY_COMPROMISE) |
| geo_anomaly | high, critical | intermediate | 1 |
| compliance_violation | high, critical | intermediate | -- |
| mitm_detected | high, critical | intermediate | -- |
| rogue_ca | high, critical | intermediate | -- |
| Event Type | Severity Filter | CA Level |
|---|---|---|
| firmware_integrity | high, critical | iot |
| device_cloning | high, critical | iot |
| iot_anomaly | high, critical | iot |
| protocol_attack | high, critical | iot |
| Event Type | Severity Filter | CA Level | FreeIPA |
|---|---|---|---|
| impossible_travel | high, critical | intermediate | Yes |
| service_account_abuse | high, critical | intermediate | Yes |
| mfa_bypass | high, critical | intermediate | Yes |
| kerberoasting | high, critical | intermediate | Yes |
| Event Type | Severity Filter | CA Level |
|---|---|---|
| tls_downgrade | high, critical | intermediate |
| ct_log_mismatch | high, critical | intermediate |
| ocsp_bypass | high, critical | intermediate |
| Event Type | Severity Filter | CA Level |
|---|---|---|
| data_exfiltration | high, critical | intermediate |
| unauthorized_access | high, critical | intermediate |
| certificate_misuse | high, critical | intermediate |
Totals: 26 event types, 87 rules (78 Dogtag rules + 5 malware high-severity variants + 4 FreeIPA rules)
Example event payload as published to the security-events topic:

```json
{
  "source": "edr",
  "event_type": "key_compromise",
  "severity": "critical",
  "action_required": "revoke_certificate",
  "pki_type": "rsa",
  "device_fqdn": "webserver.cert-lab.local",
  "certificate_cn": "webserver.cert-lab.local",
  "certificate_serial": "0x1a2b3c",
  "ca_level": "intermediate",
  "event_id": "evt-2024-001",
  "description": "Private key detected in public repository",
  "timestamp": "2024-01-15T10:30:00Z"
}
```

EDA runs in rootless Podman, while PKI containers require rootful Podman. The EDA SSH bridge connects these two environments:
EDA Container (rootless) --SSH--> Lab Host --> sudo podman exec (rootful PKI containers)
Setup: ./scripts/setup-eda-ssh.sh
Required .env variables: LAB_HOST_IP, LAB_HOST_USER, LAB_ROOT_DIR
- Certificate Revocation -- Revocation process and verification
- Certificate Issuance -- How certificates are issued
- Security Scenarios -- Full list of testable scenarios
- EST Protocol -- EST enrollment and revocation
- ACME Protocol -- ACME certificate lifecycle