Query Details
//Searches for access by users who have not previously accessed an Azure Key Vault in the last 30 days and returns all actions by those users
//Data connector required for this query - Azure Key Vault
let operationlist = dynamic(["SecretGet", "KeyGet", "VaultGet"]);
let starttime = 30d;
let endtime = 1d;
// Baseline: every (Key Vault, user) pair that performed a sensitive operation between 30 days and 1 day ago
let detection=
AzureDiagnostics
| where TimeGenerated between (ago(starttime) .. ago(endtime))
| where ResourceType == "VAULTS"
| where ResultType == "Success"
| where OperationName in (operationlist)
| where isnotempty(identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s)
// Rename the UPN claim (not the appid claim) so the join key matches the other two legs of the query
| project-rename
KeyVaultName=Resource,
UserPrincipalName=identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s
| distinct KeyVaultName, UserPrincipalName
// rightanti keeps pairs seen in the last day that have no match in the baseline
| join kind=rightanti (
AzureDiagnostics
| where TimeGenerated > ago(endtime)
| where ResourceType == "VAULTS"
| where ResultType == "Success"
| where OperationName in (operationlist)
| where isnotempty(identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s)
| project-rename
KeyVaultName=Resource,
UserPrincipalName=identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s
| distinct KeyVaultName, UserPrincipalName)
on KeyVaultName, UserPrincipalName;
// Return every successful action in the last day by the newly seen (Key Vault, user) pairs
AzureDiagnostics
| where TimeGenerated > ago(endtime)
| where ResourceType == "VAULTS"
| where ResultType == "Success"
| project-rename
KeyVaultName=Resource,
UserPrincipalName=identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s
| join kind=inner detection on KeyVaultName, UserPrincipalName
| project
TimeGenerated,
UserPrincipalName,
ResourceGroup,
SubscriptionId,
KeyVaultName,
KeyVaultTarget=id_s,
OperationName

This query searches for access by users who have not previously accessed an Azure Key Vault in the last 30 days and returns all actions performed by those users. It requires the Azure Key Vault data connector. The query filters on the resource type, on successful results and on the sensitive operations in operationlist (SecretGet, KeyGet, VaultGet). A rightanti join excludes Key Vault/user combinations already seen in the baseline window (between 30 days and 1 day ago), so only combinations first seen in the last day remain; an inner join then pulls back every successful action by those users on that vault. Because each leg requires a UPN claim, access by identities that carry only an application ID claim (service principals) is not covered. The final result includes the timestamp, user principal name, resource group, subscription ID, Key Vault name, the ID of the Key Vault target and the operation name.
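As an added illustration (not part of the original query), the same three-step logic in Python over constructed records: the baseline pairs form the left leg of the rightanti join, the last-day pairs the right leg, and the inner join pulls back every successful action by pairs with no baseline match. The record field names (upn, id_s), the sample UPNs and the placeholder subscription and resource group are assumptions.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)          # constructed "query time"
SENSITIVE_OPS = {"SecretGet", "KeyGet", "VaultGet"}       # the query's operationlist

def rec(days_ago, vault, upn, op, result="Success"):
    """Build one constructed AzureDiagnostics-style record (not real telemetry)."""
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "ResourceType": "VAULTS",
            "ResultType": result, "OperationName": op, "Resource": vault, "upn": upn,
            "ResourceGroup": "rg-placeholder", "SubscriptionId": "sub-placeholder",
            "id_s": f"https://{vault.lower()}.vault.azure.net/"}

SAMPLE = [
    rec(20, "KV-PROD", "alice@contoso.example", "SecretGet"),   # baseline: alice known on KV-PROD
    rec(0.5, "KV-PROD", "alice@contoso.example", "SecretGet"),  # known pair: no alert
    rec(0.4, "KV-PROD", "bob@contoso.example", "SecretGet"),    # first sensitive op by bob on KV-PROD
    rec(0.3, "KV-PROD", "bob@contoso.example", "SecretList"),   # every action by a new pair is returned
    rec(0.2, "KV-PROD", "carol@contoso.example", "SecretGet", result="Forbidden"),  # failed: ignored
    rec(0.1, "KV-PROD", "", "KeyGet"),                          # no UPN claim (app identity): ignored
    rec(0.2, "KV-DEV", "alice@contoso.example", "KeyGet"),      # alice is new to KV-DEV
]

def sensitive_pairs(records, lo, hi=None):
    """(vault, user) pairs with a successful operationlist action, UPN present, lo <= t [< hi]."""
    return {(r["Resource"], r["upn"]) for r in records
            if r["TimeGenerated"] >= lo and (hi is None or r["TimeGenerated"] < hi)
            and r["ResourceType"] == "VAULTS" and r["ResultType"] == "Success"
            and r["OperationName"] in SENSITIVE_OPS and r["upn"]}

def new_vault_access(records, now=NOW, starttime=30, endtime=1):
    recent_start = now - timedelta(days=endtime)
    # Left leg of the rightanti join: pairs seen between ago(starttime) and ago(endtime).
    baseline = sensitive_pairs(records, now - timedelta(days=starttime), recent_start)
    # Right leg: pairs seen after ago(endtime); rightanti keeps those with no baseline match.
    detection = sensitive_pairs(records, recent_start) - baseline
    # Inner join: all successful actions in the last day by the newly seen pairs.
    rows = [{"TimeGenerated": r["TimeGenerated"], "UserPrincipalName": r["upn"],
             "ResourceGroup": r["ResourceGroup"], "SubscriptionId": r["SubscriptionId"],
             "KeyVaultName": r["Resource"], "KeyVaultTarget": r["id_s"],
             "OperationName": r["OperationName"]}
            for r in records if r["TimeGenerated"] > recent_start and r["ResultType"] == "Success"
            and (r["Resource"], r["upn"]) in detection]
    return sorted(rows, key=lambda r: r["TimeGenerated"])
```

Running new_vault_access(SAMPLE) returns bob's two actions on KV-PROD and alice's first action on KV-DEV, while alice's continued use of KV-PROD, the failed request and the record without a UPN claim are dropped.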

Matt Zorich
Released: June 17, 2022