Query Details

Function Azure Key Vault Access

Query

// Save as a function in your workspace then invoke via its name, i.e if you save as KeyVaultAccess
// KeyVaultAccess | where TimeGenerated > ago(30d) | where Actor == "[email protected]" // will find actions taken by that user
// KeyVaultAccess | where TimeGenerated > ago(30d) | where * contains "Delete" // will find when delete access is added or removed
// This parses the AzureDiagnostics table (Key Vault diagnostic logs) for successful Azure Key Vault access policy changes.
AzureDiagnostics
| where ResourceType == "VAULTS"
| where OperationName == "VaultPatch"
| where ResultType == "Success"
| project-rename
    ServicePrincipalAdded = addedAccessPolicy_ObjectId_g,
    Actor = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_name_s,
    AddedKeyPolicy = addedAccessPolicy_Permissions_keys_s,
    AddedSecretPolicy = addedAccessPolicy_Permissions_secrets_s,
    AddedCertPolicy = addedAccessPolicy_Permissions_certificates_s,
    RemovedKeyPolicy = removedAccessPolicy_Permissions_keys_s,
    RemovedSecretPolicy = removedAccessPolicy_Permissions_secrets_s,
    RemovedCertPolicy = removedAccessPolicy_Permissions_certificates_s,
    ServicePrincipalRemoved = removedAccessPolicy_ObjectId_g
| project
    TimeGenerated,
    KeyVaultName=Resource,
    ServicePrincipalAdded,
    ServicePrincipalRemoved,
    Actor,
    IPAddressofActor=CallerIPAddress,
    AddedSecretPolicy,
    AddedKeyPolicy,
    AddedCertPolicy,
    RemovedSecretPolicy,
    RemovedKeyPolicy,
    RemovedCertPolicy
| where isnotempty(AddedKeyPolicy)
    or isnotempty(AddedSecretPolicy)
    or isnotempty(AddedCertPolicy)
    or isnotempty(RemovedKeyPolicy)
    or isnotempty(RemovedSecretPolicy)
    or isnotempty(RemovedCertPolicy)

Explanation

This query searches the AzureDiagnostics table (Key Vault diagnostic logs) for changes to Azure Key Vault access policies. It filters for successful VaultPatch operations on VAULTS resources, then renames the raw diagnostic columns that describe added and removed access policies and the affected service principals. It also keeps context columns such as TimeGenerated, KeyVaultName, Actor, and IPAddressofActor. Finally, it keeps only rows where a key, secret, or certificate permission was added or removed, so routine vault patches that do not touch access policies are dropped.
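The header comments suggest saving the query as a workspace function and invoking it by name. The following is an added example that builds on that, not part of the original query: it assumes the query was saved as a function named KeyVaultAccess (as the comments propose), that the permission columns arrive as strings like ["get","list","purge"], and it uses an assumed watchlist of high-risk permissions that you would tune to your own policy. It classifies each change, flags grants that include high-risk permissions, and summarises the activity per actor so that an unusual grantor stands out.

```kql
// Added example, not part of the original query. Assumes the query above was saved
// as a workspace function named KeyVaultAccess (see its header comments).
let lookback = 30d;
// Assumed watchlist of permissions worth reviewing; adjust to your own policy.
let highRiskPerms = dynamic(["purge", "all", "delete", "recover"]);
KeyVaultAccess
| where TimeGenerated > ago(lookback)
// Heuristic classification: both columns populated is treated as a modified policy.
| extend ChangeType = case(
    isnotempty(ServicePrincipalAdded) and isnotempty(ServicePrincipalRemoved), "Modified",
    isnotempty(ServicePrincipalAdded), "Added",
    isnotempty(ServicePrincipalRemoved), "Removed",
    "Unknown")
// The permission columns are strings, so a token match is enough to spot risky grants.
| extend HighRiskGrant = AddedSecretPolicy has_any (highRiskPerms)
    or AddedKeyPolicy has_any (highRiskPerms)
    or AddedCertPolicy has_any (highRiskPerms)
| summarize
    Changes = count(),
    HighRiskGrants = countif(HighRiskGrant),
    Vaults = make_set(KeyVaultName),
    SourceIPs = make_set(IPAddressofActor),
    Principals = make_set(ServicePrincipalAdded),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by Actor, ChangeType
| order by HighRiskGrants desc, Changes desc
```

Run it over the same 30-day window the header comments use; an actor with a high HighRiskGrants count, or one granting from an IP address not in SourceIPs for their usual activity, is a reasonable starting point for review.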

Details


Matt Zorich

Released: November 11, 2021

Tables

AzureDiagnostics

Keywords

AzureDiagnostics,ResourceType,OperationName,ResultType,ServicePrincipalAdded,Actor,AddedKeyPolicy,AddedSecretPolicy,AddedCertPolicy,RemovedKeyPolicy,RemovedSecretPolicy,RemovedCertPolicy,ServicePrincipalRemoved,TimeGenerated,KeyVaultName,IPAddressofActor

Operators

where, ago, ==, contains, |, project-rename, =, isnotempty, or
