Query Details

Key Vault Potentially Sensitive Operations

Query

// Detects Key Vault operations that could be malicious
// Data connector required for this query - Azure Key Vault
let operationlist = dynamic(
    ["VaultDelete", "KeyDelete", "SecretDelete", "SecretPurge", "KeyPurge", "SecretBackup", "KeyBackup", "SecretListDeleted", "CertificateCreate", "CertificatePurge"]);
AzureDiagnostics
| where ResourceType == "VAULTS" and ResultType == "Success"
| where OperationName in (operationlist)
| project TimeGenerated,
    ResourceGroup,
    SubscriptionId,
    KeyVaultName=Resource,
    KeyVaultTarget=id_s,
    Actor=identity_claim_upn_s,
    IPAddressofActor=CallerIPAddress,
    OperationName

Explanation

This query detects potentially malicious operations in Azure Key Vault. It filters AzureDiagnostics for successful (ResultType == "Success") operations against vault resources whose OperationName is one of a fixed list of sensitive actions: deleting or purging vaults, keys and secrets, backing up keys and secrets, listing deleted secrets, and creating or purging certificates. It then projects the fields an analyst needs for triage: the time the operation was logged, the resource group, subscription ID, Key Vault name, the targeted object (KeyVaultTarget), the actor's UPN, the actor's IP address, and the operation name.
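As an added example that is not part of the original query or the author's work, the following Python applies the same two where clauses and the same projection offline to constructed AzureDiagnostics-style records, and adds a per-actor count for triage. The _row helper, the sample values (including the "Forbidden" ResultType) and count_by_actor are assumptions, not real telemetry or part of the query.

```python
SENSITIVE_OPERATIONS = frozenset([
    "VaultDelete", "KeyDelete", "SecretDelete", "SecretPurge", "KeyPurge",
    "SecretBackup", "KeyBackup", "SecretListDeleted", "CertificateCreate", "CertificatePurge",
])


def _row(op, result="Success", rtype="VAULTS", upn="alice@example.com", target="secrets/db-pass"):
    """Build one constructed AzureDiagnostics-style record using the column names the query reads."""
    return {
        "TimeGenerated": "2022-06-17T10:01:00Z", "ResourceType": rtype, "ResultType": result,
        "OperationName": op, "Resource": "KV-EXAMPLE", "ResourceGroup": "rg-example",
        "SubscriptionId": "00000000-0000-0000-0000-000000000000",
        "id_s": "https://kv-example.vault.azure.net/" + target,
        "identity_claim_upn_s": upn, "CallerIPAddress": "203.0.113.10",
    }


# Constructed sample log (not real data): a routine read, two sensitive operations,
# a denied purge, a sensitive operation on a non-vault resource type, and an app-only caller.
SAMPLE_ROWS = [
    _row("SecretGet"),                                            # routine read, not in the list
    _row("SecretDelete"),                                         # matches
    _row("SecretPurge", result="Forbidden"),                      # denied, dropped by ResultType filter
    _row("KeyBackup", rtype="WORKSPACES"),                        # wrong ResourceType, dropped
    _row("SecretListDeleted", upn="", target="deletedsecrets"),   # matches; no UPN claim on app token
]


def match_sensitive_operations(rows):
    """Replicate the query: ResourceType/ResultType filter, OperationName list, then project."""
    matches = []
    for r in rows:
        if r.get("ResourceType") != "VAULTS" or r.get("ResultType") != "Success":
            continue
        if r.get("OperationName") not in SENSITIVE_OPERATIONS:  # exact match, like KQL `in`
            continue
        matches.append({
            "TimeGenerated": r["TimeGenerated"], "ResourceGroup": r["ResourceGroup"],
            "SubscriptionId": r["SubscriptionId"], "KeyVaultName": r["Resource"],
            "KeyVaultTarget": r["id_s"],
            # Service principals present no UPN claim, so Actor may be empty; keep the row anyway.
            "Actor": r.get("identity_claim_upn_s") or "<no upn claim>",
            "IPAddressofActor": r["CallerIPAddress"], "OperationName": r["OperationName"],
        })
    return matches


def count_by_actor(matches):
    """Triage aid: number of sensitive operations per (actor, source IP) pair."""
    counts = {}
    for m in matches:
        key = (m["Actor"], m["IPAddressofActor"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Rows for which the query would produce no result are the denied purge and the non-vault record; the app-only caller still appears, which is why the empty Actor value should be expected rather than treated as a parsing error.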

Details

Matt Zorich

Released: June 17, 2022

Tables

AzureDiagnostics

Keywords

Detects,Key,Vault,Operations,Malicious,Data,Connector,Azure,Delete,Secret,Purge,Backup,List,Deleted,Certificate,Create,Resource,Success,TimeGenerated,ResourceGroup,SubscriptionId,KeyVaultName,KeyVaultTarget,Actor,IPAddressofActor

Operators

where, in, project