Query Details
// Detects when an Azure Key Vault firewall is set to allow all networks by default
// Data connector required for this query - Azure Key Vault
AzureDiagnostics
| where ResourceType == "VAULTS"
| where OperationName == "VaultPatch"
| where ResultType == "Success"
| project-rename ExistingACL=properties_networkAcls_defaultAction_s, VaultName=Resource
| where isnotempty(ExistingACL)
| where ExistingACL == "Deny"
| sort by TimeGenerated desc
| project
    TimeGenerated,
    SubscriptionId,
    VaultName,
    ExistingACL
| join kind=inner
(
    AzureDiagnostics
    | project-rename NewACL=properties_networkAcls_defaultAction_s, VaultName=Resource
    | where ResourceType == "VAULTS"
    | where OperationName == "VaultPatch"
    | where ResultType == "Success"
    | summarize arg_max(TimeGenerated, *) by VaultName, NewACL
)
on VaultName
| where ExistingACL != NewACL and NewACL == "Allow"
| project DetectionTime=TimeGenerated1, VaultName, ExistingACL, NewACL, SubscriptionId, IPAddressofActor=CallerIPAddress, Actor=identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s

This query detects when an Azure Key Vault firewall is changed so that its network ACL default action is "Allow", which admits requests from all networks and effectively switches the firewall off. It works from successful VaultPatch operations on Key Vault resources in AzureDiagnostics and reads the default action carried in each patch event (properties_networkAcls_defaultAction_s). The outer query keeps the patches that set the default action to "Deny"; the joined subquery takes the most recent successful patch per vault and per default-action value. Where the two sides disagree and the newer value is "Allow", the query reports the time of the Allow patch, the vault name, the existing and new default actions, the subscription ID, the caller IP address and the UPN of the actor.

Two points are worth knowing before turning this into an alert. The join pairs any earlier "Deny" patch for a vault with that vault's latest "Allow" patch without checking which of the two came first, so a vault that was opened and then locked down again can still appear in the results; compare DetectionTime with the vault's current setting before acting. The Actor column comes from the UPN claim, which is typically absent when the patch was made by a service principal or managed identity, so fall back to the caller IP (and the other identity_claim columns in the event) when it is blank.
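The following is an added example, not part of the original query or the author's code. It replays the detection against a handful of constructed VaultPatch rows built with datatable, so the logic can be exercised without a Key Vault diagnostics connector; the vault names, subscription ID, IP addresses and UPNs are invented and the column names mirror the AzureDiagnostics columns the query above reads. It differs from the original in one deliberate respect: instead of joining any earlier Deny patch against the latest Allow patch, it serializes the events per vault and uses prev() so that it only fires when a successful Allow patch directly follows a Deny patch on the same vault.

```kql
// Added example: replay the Deny -> Allow detection on constructed data.
// Rows, in order:
//   1-2  KV-PROD-01 is set to Deny, then opened to Allow      -> should fire
//   3-4  KV-DEV-02 goes Allow -> Deny (the safe direction)     -> must not fire
//   5    a failed attempt to open KV-PROD-01 again             -> dropped by ResultType
//   6    a patch to KV-PROD-01 that did not touch networkAcls  -> dropped by isnotempty
let VaultPatches = datatable(
    TimeGenerated:datetime,
    SubscriptionId:string,
    Resource:string,
    ResourceType:string,
    OperationName:string,
    ResultType:string,
    properties_networkAcls_defaultAction_s:string,
    CallerIPAddress:string,
    identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s:string
)[
    datetime(2022-06-01 09:00:00), "00000000-0000-0000-0000-000000000001", "KV-PROD-01", "VAULTS", "VaultPatch", "Success", "Deny",  "203.0.113.10", "alice@example.com",
    datetime(2022-06-01 10:30:00), "00000000-0000-0000-0000-000000000001", "KV-PROD-01", "VAULTS", "VaultPatch", "Success", "Allow", "198.51.100.7", "bob@example.com",
    datetime(2022-06-01 11:00:00), "00000000-0000-0000-0000-000000000001", "KV-DEV-02",  "VAULTS", "VaultPatch", "Success", "Allow", "203.0.113.10", "alice@example.com",
    datetime(2022-06-01 12:00:00), "00000000-0000-0000-0000-000000000001", "KV-DEV-02",  "VAULTS", "VaultPatch", "Success", "Deny",  "203.0.113.10", "alice@example.com",
    datetime(2022-06-01 12:30:00), "00000000-0000-0000-0000-000000000001", "KV-PROD-01", "VAULTS", "VaultPatch", "Failed",  "Allow", "198.51.100.7", "bob@example.com",
    datetime(2022-06-01 13:00:00), "00000000-0000-0000-0000-000000000001", "KV-PROD-01", "VAULTS", "VaultPatch", "Success", "",      "203.0.113.10", "alice@example.com"
];
VaultPatches
| where ResourceType == "VAULTS" and OperationName == "VaultPatch" and ResultType == "Success"
| project-rename VaultName=Resource, NewACL=properties_networkAcls_defaultAction_s
// Patches that did not change networkAcls carry no default action; ignore them
| where isnotempty(NewACL)
// Serialize per vault in time order so prev() returns the previous ACL patch on the same vault
| sort by VaultName asc, TimeGenerated asc
| extend PreviousVault = prev(VaultName), ExistingACL = prev(NewACL)
// prev() is null on the first row and belongs to another vault at each vault boundary;
// both cases fail the equality test and are filtered out here
| where PreviousVault == VaultName and ExistingACL == "Deny" and NewACL == "Allow"
| project DetectionTime=TimeGenerated, VaultName, ExistingACL, NewACL, SubscriptionId,
          IPAddressofActor=CallerIPAddress,
          Actor=identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s
```

Run it in a Log Analytics or Azure Data Explorer query window. On these rows it returns a single result, KV-PROD-01 at 2022-06-01 10:30:00 with ExistingACL "Deny", NewACL "Allow", attributed to bob@example.com from 198.51.100.7; the Allow -> Deny change on KV-DEV-02 and the failed patch are not reported. To run it against live data, drop the let statement, start the pipeline from AzureDiagnostics and add a TimeGenerated window wide enough to include the previous ACL patch, otherwise prev() has nothing to compare against for vaults that were last locked down before the window began.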

Matt Zorich
Released: June 17, 2022