Query Details

Key Vault Anomalous Key Vault Access by App

Query

//Searches for access by applications that have not previously accessed an Azure Key Vault in the last 30 days and returns all actions by those applications

//Data connector required for this query - Azure Key Vault

let operationlist = dynamic(["SecretGet", "KeyGet", "VaultGet"]);
let starttime = 30d;
let endtime = 1d;
let detection=
    AzureDiagnostics
    | where TimeGenerated between (ago(starttime) .. ago(endtime))
    | where ResourceType == "VAULTS"
    | where ResultType == "Success"
    | where OperationName in (operationlist)
    | where isnotempty(identity_claim_appid_g)
    | project-rename KeyVaultName=Resource, AppId=identity_claim_appid_g
    | distinct KeyVaultName, AppId
    | join kind=rightanti  (
        AzureDiagnostics
        | where TimeGenerated > ago(endtime)
        | where ResourceType == "VAULTS"
        | where ResultType == "Success"
        | where OperationName in (operationlist)
        | where isnotempty(identity_claim_appid_g)
        | project-rename
            KeyVaultName=Resource,
            AppId=identity_claim_appid_g
        | distinct KeyVaultName, AppId)
        on KeyVaultName, AppId;
AzureDiagnostics
| where TimeGenerated > ago(endtime)
| where ResourceType == "VAULTS"
| where ResultType == "Success"
| project-rename
    KeyVaultName=Resource,
    AppId=identity_claim_appid_g
| join kind=inner detection on KeyVaultName, AppId
| project
    TimeGenerated,
    AppId,
    ResourceGroup,
    SubscriptionId,
    KeyVaultName,
    KeyVaultTarget=id_s,
    OperationName

Explanation

This query looks for applications that accessed an Azure Key Vault in the last day but had not accessed that vault during the preceding 30 days, and returns all actions those applications performed in the last day. It reads the AzureDiagnostics table (Azure Key Vault data connector) and, for both time windows, keeps only successful SecretGet, KeyGet and VaultGet operations by callers with a non-empty app ID. The distinct Key Vault / app ID pairs from the baseline window (30 days to 1 day ago) are joined with kind=rightanti to the pairs from the last day, which leaves only the pairs that were not seen in the baseline. An inner join back to the last day's events then returns every successful operation by those pairs: the time of the action, the app ID, the resource group, subscription ID, Key Vault name, the target of the operation (id_s) and the operation name.
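To make the join semantics concrete, the following is an added Python model of the same baseline-versus-recent logic over constructed AzureDiagnostics-style records; it is illustration code, not part of the original query or Microsoft Sentinel. It also shows two properties of the query worth knowing as a defender: the baseline only counts the three Get operations, so an app that previously only wrote to a vault is still flagged on its first Get, and the result includes all of a flagged app's recent actions, not just the Get operations.

```python
from datetime import datetime, timedelta

# Constructed AzureDiagnostics-style records (not real telemetry). Column names
# follow the query: Resource, identity_claim_appid_g, OperationName, ResultType.
NOW = datetime(2022, 6, 17, 12, 0, 0)
DAY = timedelta(days=1)
OPERATIONLIST = {"SecretGet", "KeyGet", "VaultGet"}   # the query's operationlist

def rec(days_ago, vault, appid, op, result="Success"):
    return {"TimeGenerated": NOW - days_ago * DAY, "ResourceType": "VAULTS",
            "Resource": vault, "identity_claim_appid_g": appid,
            "OperationName": op, "ResultType": result}

SAMPLE = [
    rec(20, "kv-prod", "app-billing", "SecretGet"),    # in baseline window
    rec(0.5, "kv-prod", "app-billing", "SecretGet"),   # seen before: not flagged
    rec(0.5, "kv-prod", "app-newcomer", "SecretGet"),  # first Get ever: flagged
    rec(0.3, "kv-prod", "app-newcomer", "SecretList"), # all its recent actions returned
    rec(10, "kv-prod", "app-writer", "SecretSet"),     # baseline counts Get ops only...
    rec(0.2, "kv-prod", "app-writer", "KeyGet"),       # ...so this is flagged too
    rec(15, "kv-prod", "app-mover", "KeyGet"),
    rec(0.1, "kv-dev", "app-mover", "KeyGet"),         # new (vault, app) pair: flagged
    rec(0.4, "kv-prod", "app-failed", "SecretGet", "Forbidden"),  # failures dropped
    rec(0.4, "kv-prod", "", "SecretGet"),              # empty app id dropped
]

def _successful_vault_ops(rows):
    return [r for r in rows
            if r["ResourceType"] == "VAULTS" and r["ResultType"] == "Success"]

def _get_pairs(rows, in_window):
    """Distinct (KeyVaultName, AppId) pairs with a listed Get op in the window."""
    return {(r["Resource"], r["identity_claim_appid_g"]) for r in rows
            if in_window(r["TimeGenerated"])
            and r["OperationName"] in OPERATIONLIST
            and r["identity_claim_appid_g"]}   # isnotempty(identity_claim_appid_g)

def detect(rows, now=NOW, starttime=30 * DAY, endtime=1 * DAY):
    ok = _successful_vault_ops(rows)
    # baseline: 'between (ago(starttime) .. ago(endtime))' is inclusive in KQL
    baseline = _get_pairs(ok, lambda t: now - starttime <= t <= now - endtime)
    recent = _get_pairs(ok, lambda t: t > now - endtime)
    new_pairs = recent - baseline          # what 'join kind=rightanti' leaves
    # final inner join: every successful action by a flagged pair in the last day,
    # including operations that are not in operationlist
    return sorted((r["identity_claim_appid_g"], r["Resource"], r["OperationName"])
                  for r in ok if r["TimeGenerated"] > now - endtime
                  and (r["Resource"], r["identity_claim_appid_g"]) in new_pairs)
```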

Details


Matt Zorich

Released: June 17, 2022

Tables

AzureDiagnostics

Keywords

Devices, Intune, User

Operators

where, between, in, isnotempty, project-rename, distinct, join, on, where, project
