Query Details

HUNT 09 New SP Key Vault Access

Query

// Hunt     : Hunt - Service Principals Accessing Key Vault for the First Time Within 7 Days
// Tactics  : CredentialAccess
// MITRE    : T1552.001
// Purpose  : Surfaces identities that accessed a Key Vault for the first time in the last 7 days. Compromised service principals and attacker-created SPs often probe Key Vaults for secrets/certs after initial access. Investigate any SP not expected to require KV access.
//==========================================================================================

// Step 1: earliest successful Key Vault operation per (Caller, vault) over the last 90 days.
// VaultPath = SubscriptionId/ResourceGroup/<vault name>; index 8 of the "/"-split ResourceId is the
// vault name for .../providers/Microsoft.KeyVault/vaults/<name> resource IDs.
let AllKVAccess = AzureActivity
    | where TimeGenerated > ago(90d)
    | where OperationNameValue startswith "MICROSOFT.KEYVAULT/VAULTS/"
    | where ActivityStatusValue =~ "Success"
    | summarize FirstAccessEver = min(TimeGenerated)
        by Caller, VaultPath = tostring(strcat(SubscriptionId, "/", ResourceGroup, "/", tostring(split(ResourceId, "/")[8])));
// Step 2: keep only (Caller, vault) pairs first seen inside the last 7 days, then pull in that
// caller's recent Key Vault operations for context. The join key is Caller only, so every
// successful Key Vault operation by that caller in the last 7 days is returned, not just those
// against the newly accessed vault.
AllKVAccess
| where FirstAccessEver > ago(7d)
| join kind=inner (
    AzureActivity
    | where TimeGenerated > ago(7d)
    | where OperationNameValue startswith "MICROSOFT.KEYVAULT/VAULTS/"
    | where ActivityStatusValue =~ "Success"
    | project TimeGenerated, Caller, Operation = OperationNameValue, ResourceId, CallerIpAddress, SubscriptionId, ResourceGroup
) on Caller
| project TimeGenerated, Caller, Operation, ResourceId, CallerIpAddress, SubscriptionId, ResourceGroup, FirstAccessEver
| order by FirstAccessEver desc

Explanation

This KQL query is designed to identify service principals that have accessed an Azure Key Vault for the first time within the last 7 days. Here's a simplified breakdown of what the query does:

  1. Data Collection: It starts by looking at Azure activity logs from the past 90 days, specifically focusing on successful operations related to Key Vaults.

  2. Identify First Access: For each caller (the "Caller" column) and each Key Vault it touched, it determines the earliest successful access to that vault, keyed by subscription, resource group and vault name.

  3. Filter Recent First Access: It filters this list to find service principals whose first-ever access to a Key Vault occurred within the last 7 days.

  4. Join Recent Activities: It then joins this filtered list with recent Key Vault access activities from the past 7 days to gather additional details like operation type, resource ID, caller IP address, subscription ID, and resource group.

  5. Output: The result is a list of service principals who have accessed a Key Vault for the first time in the last 7 days, along with details of their access, ordered by the time of their first access.

The purpose of this query is to help identify potentially compromised or malicious service principals that might be probing Key Vaults for sensitive information, such as secrets or certificates, which they are not expected to access.
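To make the semantics of the hunt concrete, the following added example (not part of the original query page) re-implements its logic in Python over a handful of constructed AzureActivity-style rows. It shows the per-(Caller, vault) first-access computation, the exclusion of failed operations, and the effect of joining on Caller alone; the row values, NOW and the helper names are all assumptions for the demo.

```python
from datetime import datetime, timedelta, timezone

# Constructed AzureActivity-style rows for illustration only (not real telemetry).
NOW = datetime(2026, 3, 12, tzinfo=timezone.utc)
KV_PREFIX = "MICROSOFT.KEYVAULT/VAULTS/"

def rid(sub, rg, vault):
    return f"/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/{vault}"

def row(days_ago, caller, vault, status="Success", op="SECRETS/READ/ACTION"):
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "Caller": caller,
            "OperationNameValue": KV_PREFIX + op, "ActivityStatusValue": status,
            "ResourceId": rid("sub1", "rg1", vault), "CallerIpAddress": "203.0.113.5",
            "SubscriptionId": "sub1", "ResourceGroup": "rg1"}

ROWS = [
    row(60, "sp-old", "vault-a"),                    # long-standing access: not surfaced
    row(2, "sp-old", "vault-a"),
    row(3, "sp-new", "vault-b"),                     # first ever access 3 days ago: surfaced
    row(1, "sp-new", "vault-b", op="SECRETS/LIST/ACTION"),
    row(1, "sp-fail", "vault-b", status="Failed"),   # failures are excluded by the hunt
]

def vault_path(r):
    # VaultPath = SubscriptionId/ResourceGroup/<vault name>; index 8 of the
    # "/"-split ResourceId is the vault name for Microsoft.KeyVault/vaults IDs
    return f"{r['SubscriptionId']}/{r['ResourceGroup']}/{r['ResourceId'].split('/')[8]}"

def kv_success(rows, since):
    # startswith and =~ are case-insensitive in KQL, so compare case-folded values
    return [r for r in rows if r["TimeGenerated"] > since
            and r["OperationNameValue"].upper().startswith(KV_PREFIX)
            and r["ActivityStatusValue"].lower() == "success"]

def hunt_new_kv_access(rows, now=NOW):
    # AllKVAccess: earliest successful access per (Caller, VaultPath) over 90 days
    first = {}
    for r in kv_success(rows, now - timedelta(days=90)):
        key = (r["Caller"], vault_path(r))
        first[key] = min(first.get(key, r["TimeGenerated"]), r["TimeGenerated"])
    # keep only pairs whose first access falls inside the last 7 days
    recent_first = {k: t for k, t in first.items() if t > now - timedelta(days=7)}
    # join kind=inner ... on Caller: every 7-day KV row of that caller comes back,
    # once per newly accessed vault, because VaultPath is not part of the join key
    out = []
    for r in kv_success(rows, now - timedelta(days=7)):
        for (caller, _), t in recent_first.items():
            if caller == r["Caller"]:
                out.append({"TimeGenerated": r["TimeGenerated"], "Caller": caller,
                            "Operation": r["OperationNameValue"], "ResourceId": r["ResourceId"],
                            "CallerIpAddress": r["CallerIpAddress"], "FirstAccessEver": t})
    return sorted(out, key=lambda x: x["FirstAccessEver"], reverse=True)
```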

Details


David Alonso

Released: March 12, 2026

Tables

AzureActivity

Keywords

AzureActivity, KeyVault, SubscriptionId, ResourceGroup, ResourceId, Caller, CallerIpAddress, TimeGenerated, VaultPath, OperationNameValue, ActivityStatusValue

Operators

let, |, where, >, ago(), startswith, =~, summarize, min(), by, tostring(), strcat(), split(), join, kind=inner, project, on, order by, desc
