Key Vault Default Firewall Rule Setto Allow
Query
// Detects when an Azure Key Vault firewall is set to allow all by default
//Data connector required for this query - Azure Key Vault
AzureDiagnostics
| where ResourceType == "VAULTS"
| where OperationName == "VaultPatch"
| where ResultType == "Success"
| project-rename ExistingACL=properties_networkAcls_defaultAction_s, VaultName=Resource
| where isnotempty(ExistingACL)
| where ExistingACL == "Deny"
| sort by TimeGenerated desc
| project
TimeGenerated,
SubscriptionId,
VaultName,
ExistingACL
| join kind=inner
(
AzureDiagnostics
| project-rename NewACL=properties_networkAcls_defaultAction_s, VaultName=Resource
| where ResourceType == "VAULTS"
| where OperationName == "VaultPatch"
| where ResultType == "Success"
| summarize arg_max(TimeGenerated, *) by VaultName, NewACL
)
on VaultName
| where ExistingACL != NewACL and NewACL == "Allow"
| project DetectionTime=TimeGenerated1, VaultName, ExistingACL, NewACL, SubscriptionId, IPAddressofActor=CallerIPAddress, Actor=identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_sExplanation
This query is used to detect when an Azure Key Vault firewall is set to allow all by default. It looks for successful operations where the firewall is patched for a Key Vault. It compares the existing default action for network ACLs with the new default action. If the existing action is "Deny" and the new action is "Allow", it indicates that the firewall has been set to allow all by default. The query retrieves information such as the time of detection, Key Vault name, existing and new default actions, subscription ID, IP address of the actor, and actor identity.
Details

Matt Zorich
Released: June 17, 2022
Tables
AzureDiagnostics
Keywords
AzureDiagnosticsResourceTypeOperationNameResultTypeproperties_networkAcls_defaultAction_sResourceisnotemptyDenyTimeGeneratedSubscriptionIdExistingACLjoinNewACLsummarizeDetectionTimeIPAddressofActorCallerIPAddressActoridentity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s
Operators
where|==isnotempty()sort byproject-renamejoinsummarizeon!=and