Skip to content

Home

Jump to bottom
Tristan Kington edited this page Dec 2, 2021 · 4 revisions

Welcome to the Tenuously Adequate Certificate Authority Reporting System (TACARS) Wiki

This will be the manual one day.

Quick FAQ

Workbook?

There's a sample Azure Monitor workbook in the Workbooks folder, saved with a .json extension.

I'll be adding to this/these over time.

To use it:

  1. Open the Log Analytics workspace to which you've uploaded your logs
  2. Hit the Workbooks link on the left
  3. Click New Workbook at the top
  4. use the Advanced Editor (angle-brackety-looking option <> ) to get at the source code
  5. Delete all existing source code
  6. Copy and paste the contents of the JSON file (open it in Notepad or VS Code, ctrl+a, ctrl+c) into the editor window
  7. Hit Apply
  8. Optionally hit Done Editing and save the workbook to the LA workspace, or to a storage account. Your call.

How much will it cost!?

Quick preamble on value of data

If you're using AllRequests, you're getting a base64 certificate (if it was issued) plus a bunch of other things for each database entry. My thinking is that if you're integrating this table (/these tables) with Sentinel for threat hunting purposes, you want to be able to download a copy of the cert just in case there's something interesting we're not reporting on, but you can customize the parameters in LargeCollector to define exactly what you want.

(Tip: I'd suggest copying one of the other entries which has something close to what you want, like ActiveCertsBasic, then renaming it and editing the fields you're interested in).

If you're using IssuedCertsBasic, the certs which were actually issued successfully. If ActiveCertsBasic, the subset of issued certs which are still time-valid.

Badly-extrapolated numbers

Log Analytics has an ingestion cost ($AUD4.59 for mine at time of writing - Dec 2021 in Aus East) and a distinct retention cost (>31 days at time of writing).

For most less-than-a-million-certs databases, that shouldn't be cost-prohibitive.

You can look at the "Usage and Estimated Costs" blade next to the Log Analytics workspace (or use the Log Analytics Ingestion workbook) to work out what your cost basis is likely to be.

For ~270 certs - which uses about 500KB on disk as a CSV and I've uploaded twice - it claims mine is $AUD0.02/mo. That might be overstating it, as I've a few test tables at the moment...

But through extrapolation

  • for 2700, $0.20,
  • for 27,000 $2.00,
  • and for 270,000 $20.00. And keep in mind I'm at least doubled up, so we could be halving this number.

(Very rough numbers there! If you can share stats, please do so in discussions).

If you're not ready to try Log Analytics, use NOUPLOAD to produce just the CSV file, which should give you a feel for data size.

Clone this wiki locally