Query Details

Key Vault Object ID Added to Access Policy

Query

// Detects when a service principal (user, group or app) has been granted access to Key Vault data

// Data connector required for this query - Azure Key Vault

AzureDiagnostics
| where ResourceType == "VAULTS"
| where OperationName == "VaultPatch"
| where ResultType == "Success"
| project-rename
    ServicePrincipalAdded = addedAccessPolicy_ObjectId_g,
    Actor = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_name_s,
    AddedKeyPolicy = addedAccessPolicy_Permissions_keys_s,
    AddedSecretPolicy = addedAccessPolicy_Permissions_secrets_s,
    AddedCertPolicy = addedAccessPolicy_Permissions_certificates_s
| where isnotempty(AddedKeyPolicy)
    or isnotempty(AddedSecretPolicy)
    or isnotempty(AddedCertPolicy)
| project
    TimeGenerated,
    KeyVaultName=Resource,
    ServicePrincipalAdded,
    Actor,
    IPAddressofActor=CallerIPAddress,
    AddedSecretPolicy,
    AddedKeyPolicy,
    AddedCertPolicy

Explanation

This query detects when a principal (a user, group, or application service principal) is granted access to Key Vault data through a vault access policy. It reads Key Vault resource logs from the AzureDiagnostics table and keeps only successful VaultPatch operations, the operation logged when a vault's properties, including its access policies, are updated. It renames the flattened addedAccessPolicy_* columns and the caller's name claim to readable names, then keeps only events whose added policy carries key, secret, or certificate permissions; a VaultPatch that only removes a policy or changes an unrelated vault property has none of those columns populated and is dropped. Finally it projects the vault name, the object ID of the principal that was added, the actor, the caller IP address, and the permission sets granted.

Two caveats apply. The query only covers vaults that use the access policy permission model; on vaults using the Azure RBAC permission model, grants are role assignments and are recorded in the AzureActivity table rather than in Key Vault resource logs. The Actor column is taken from the name claim of the caller's token, which is populated for user sign-ins but can be empty when the change is made by an application identity; in that case the other identity_claim_* columns in the same row identify the caller, and the object ID in ServicePrincipalAdded still needs to be resolved against Entra ID to tell a user, group, or app apart.
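The following is an added example, not the query author's code or part of the original page: the query's where and project logic re-expressed in plain Python and run over constructed AzureDiagnostics-shaped rows. It shows what the flattened Key Vault log columns the query relies on look like and which VaultPatch events are kept or dropped (a failed patch, a removal-only patch, a data-plane read, and a grant made by an application identity with no name claim). Column names follow the AzureDiagnostics flattening convention used by the query; every row value is made up.

```python
# Added example: the page's KQL filter re-expressed in plain Python over
# constructed AzureDiagnostics-shaped rows. Not the query author's code.
# All row values below are made up for illustration.

# AzureDiagnostics flattens nested log properties into columns whose names carry
# a type suffix: _s for string, _g for GUID. This is the name-claim column the
# query renames to Actor.
ACTOR_COLUMN = "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_name_s"

SAMPLE_ROWS = [
    {  # Successful VaultPatch granting secret permissions: should be reported.
        "TimeGenerated": "2022-06-17T10:01:00Z",
        "ResourceType": "VAULTS",
        "Resource": "KV-PROD-01",
        "OperationName": "VaultPatch",
        "ResultType": "Success",
        "CallerIPAddress": "203.0.113.10",
        ACTOR_COLUMN: "alice@contoso.example",
        "addedAccessPolicy_ObjectId_g": "11111111-1111-1111-1111-111111111111",
        "addedAccessPolicy_Permissions_secrets_s": '["get","list"]',
    },
    {  # Same change but the call failed: ResultType is not Success, dropped.
        "TimeGenerated": "2022-06-17T10:02:00Z",
        "ResourceType": "VAULTS",
        "Resource": "KV-PROD-01",
        "OperationName": "VaultPatch",
        "ResultType": "Forbidden",
        "CallerIPAddress": "203.0.113.11",
        ACTOR_COLUMN: "mallory@contoso.example",
        "addedAccessPolicy_ObjectId_g": "22222222-2222-2222-2222-222222222222",
        "addedAccessPolicy_Permissions_secrets_s": '["get","list","set"]',
    },
    {  # VaultPatch that only removes a policy: no addedAccessPolicy_* columns, dropped.
        "TimeGenerated": "2022-06-17T10:03:00Z",
        "ResourceType": "VAULTS",
        "Resource": "KV-PROD-01",
        "OperationName": "VaultPatch",
        "ResultType": "Success",
        "CallerIPAddress": "203.0.113.10",
        ACTOR_COLUMN: "alice@contoso.example",
        "removedAccessPolicy_ObjectId_g": "33333333-3333-3333-3333-333333333333",
        "removedAccessPolicy_Permissions_secrets_s": '["get"]',
    },
    {  # A data-plane read: wrong OperationName, dropped.
        "TimeGenerated": "2022-06-17T10:04:00Z",
        "ResourceType": "VAULTS",
        "Resource": "KV-PROD-01",
        "OperationName": "SecretGet",
        "ResultType": "Success",
        "CallerIPAddress": "203.0.113.12",
        ACTOR_COLUMN: "svc-app",
    },
    {  # Successful VaultPatch granting key and certificate permissions, made by an
       # application identity whose token has no name claim: reported, Actor empty.
        "TimeGenerated": "2022-06-17T10:05:00Z",
        "ResourceType": "VAULTS",
        "Resource": "KV-DEV-02",
        "OperationName": "VaultPatch",
        "ResultType": "Success",
        "CallerIPAddress": "198.51.100.7",
        "addedAccessPolicy_ObjectId_g": "44444444-4444-4444-4444-444444444444",
        "addedAccessPolicy_Permissions_keys_s": '["get","sign"]',
        "addedAccessPolicy_Permissions_certificates_s": '["get"]',
    },
]


def is_empty(value):
    """Mirror KQL isnotempty(): a missing column and "" both count as empty."""
    return value is None or value == ""


def detect_access_policy_grants(rows):
    """Apply the query's where/project logic to AzureDiagnostics-shaped dicts."""
    hits = []
    for row in rows:
        if row.get("ResourceType") != "VAULTS":
            continue
        if row.get("OperationName") != "VaultPatch":
            continue
        if row.get("ResultType") != "Success":
            continue
        keys = row.get("addedAccessPolicy_Permissions_keys_s")
        secrets = row.get("addedAccessPolicy_Permissions_secrets_s")
        certs = row.get("addedAccessPolicy_Permissions_certificates_s")
        # Same as: where isnotempty(AddedKeyPolicy) or isnotempty(AddedSecretPolicy) or ...
        if is_empty(keys) and is_empty(secrets) and is_empty(certs):
            continue
        hits.append({
            "TimeGenerated": row.get("TimeGenerated"),
            "KeyVaultName": row.get("Resource"),
            "ServicePrincipalAdded": row.get("addedAccessPolicy_ObjectId_g"),
            "Actor": row.get(ACTOR_COLUMN, ""),
            "IPAddressofActor": row.get("CallerIPAddress"),
            "AddedSecretPolicy": secrets or "",
            "AddedKeyPolicy": keys or "",
            "AddedCertPolicy": certs or "",
        })
    return hits


if __name__ == "__main__":
    for hit in detect_access_policy_grants(SAMPLE_ROWS):
        print(hit)
```

Running it reports only the first and last rows. The empty Actor on the last hit is the case to watch for in practice: an application identity adding itself or another object ID to a vault's access policy is exactly the kind of grant that deserves a look, and the name claim alone will not tell you who did it.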

Details


Matt Zorich

Released: June 17, 2022

Tables

AzureDiagnostics

Keywords

AzureDiagnostics,ResourceType,VAULTS,OperationName,VaultPatch,ResultType,Success,ServicePrincipalAdded,Actor,AddedKeyPolicy,AddedSecretPolicy,AddedCertPolicy,isnotempty,TimeGenerated,KeyVaultName,IPAddressofActor,CallerIPAddress

Operators

where,isnotempty,or,project-rename,project
