Key Vault IP Addedto Firewall
Query
// Detects when an IP address has been added to an Azure Key Vault firewall allow list
//Data connector required for this query - Azure Key Vault
AzureDiagnostics
| where ResourceType == "VAULTS"
| where OperationName == "VaultPatch"
| where ResultType == "Success"
| where isnotempty(addedIpRule_Value_s)
| project
TimeGenerated,
VaultName=Resource,
SubscriptionId,
IPAddressofActor=CallerIPAddress,
Actor=identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s,
IPRangeAdded=addedIpRule_Value_sExplanation
This query detects when an IP address has been added to the firewall allow list of an Azure Key Vault. It uses the AzureDiagnostics data connector and filters for successful VaultPatch operations on VAULTS resources. It also checks for non-empty addedIpRule_Value_s field and projects relevant information such as TimeGenerated, VaultName, SubscriptionId, IPAddressofActor, Actor, and IPRangeAdded.
Details

Matt Zorich
Released: June 17, 2022
Tables
AzureDiagnostics
Keywords
AzureDiagnosticsResourceTypeVAULTSOperationNameVaultPatchResultTypeSuccessaddedIpRule_Value_sTimeGeneratedResourceSubscriptionIdCallerIPAddressidentity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s
Operators
whereisnotemptyproject