Microsoft Defender for Cloud Blog

Microsoft Defender for Cloud PoC Series – Microsoft Defender for Key Vault

Fernanda_Vela
Aug 12, 2021

[Post updated on 06/27/2024] by Fernanda Vela

Introduction

This Microsoft Defender for Cloud PoC Series provides guidelines on how to perform a proof of concept for a specific Microsoft Defender plan. For a more holistic approach, where you need to validate Microsoft Defender for Cloud as a whole, please read the How to Effectively Perform a Microsoft Defender for Cloud PoC article.

Azure Key Vault is used to store and access secrets, such as API keys, passwords, certificates, or cryptographic keys. Because vaults hold such critical data, maximizing their threat protection is a priority, and Microsoft Defender for Key Vault provides that protection with Microsoft's security intelligence.

Planning

As part of your Microsoft Defender for Key Vault PoC you need to identify the use case scenarios that you want to validate. Some common scenarios include access from an IP address that Microsoft Threat Intelligence has identified as suspicious, a user or service principal making anomalous changes to access policies, and a user or service principal attempting to access an anomalously high volume of key vaults in the last 24 hours, among others.

You can use the Alerts identified by Microsoft Defender for Key Vault as your starting point to plan which actions you want to execute.

Enabling this plan at the subscription level does not affect the performance of your Azure Key Vaults: no agents are deployed, and the analysis is performed in Azure's backend.

Microsoft Defender for Key Vault is enabled at the subscription level:

  1. Go to the Azure portal
  2. Click on Microsoft Defender for Cloud
  3. Go to Environment Settings
  4. Select the subscription where you want to enable the plan
  5. In the Cloud Workload Protection section, you can enable/disable Key Vault
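
The same steps can be scripted, which is handy when a PoC spans several subscriptions and you want a recorded before/after state. The following Az PowerShell snippet is an added example, not from the original post or from Microsoft's documentation; it assumes the Az.Accounts and Az.Security modules are installed, that the signed-in account holds the Security Admin role described under Preparation, and that `<SUBSCRIPTION-ID>` is replaced with the subscription you are running the PoC in.

```powershell
# Added example (not from the original post): enable Microsoft Defender for Key Vault
# at subscription scope with Az PowerShell and verify the result afterwards.
# Assumes: Az.Accounts and Az.Security are installed; the caller has Security Admin.
# "<SUBSCRIPTION-ID>" is a placeholder for the subscription used in the PoC.

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId "<SUBSCRIPTION-ID>" | Out-Null

# Defender plans are exposed as "pricings"; the Key Vault plan is named "KeyVaults".
# PricingTier "Free" means the plan is off, "Standard" means it is on.
$before = Get-AzSecurityPricing -Name "KeyVaults"
Write-Host "Defender for Key Vault before: $($before.PricingTier)"

if ($before.PricingTier -ne "Standard") {
    # Turning the plan on is a single call; no agents are deployed to the vaults.
    Set-AzSecurityPricing -Name "KeyVaults" -PricingTier "Standard" | Out-Null
}

# Re-read the setting rather than trusting that the call succeeded.
$after = Get-AzSecurityPricing -Name "KeyVaults"
if ($after.PricingTier -ne "Standard") {
    throw "Defender for Key Vault is still '$($after.PricingTier)' on this subscription"
}
Write-Host "Defender for Key Vault after:  $($after.PricingTier)"
```

Running `Get-AzSecurityPricing` without `-Name` lists every Defender plan on the subscription, which is a quick way to capture the state of all plans for the PoC report. The choice between the per-transaction and per-Key-Vault pricing models discussed in this post is made in the plan settings in the portal; this snippet only switches the plan on.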

As of June 2024, Defender for Key Vault is offered in two plans: Per-transaction model and Per-Key-Vault model. To determine which plan is best for you, we strongly encourage you to reference your bill and the pricing calculator.

Preparation

You need at least the Security Admin role to enable Microsoft Defender for Key Vault. For more information about roles and privileges, visit this article.

From the readiness perspective, make sure to review the following resources to better understand Azure Defender for Key Vault:

Implementation and validation

You can use the sample alert feature to validate Microsoft Defender for Key Vault alerts, or you can simulate Microsoft Defender for Key Vault alerts by following the instructions in Validating Azure Key Vault threat detection in Microsoft Defender for Cloud.

Understanding the alerts for Key Vault can help you identify suspicious activities and eliminate noise if necessary. When you receive an alert from Microsoft Defender for Key Vault, we recommend you investigate the alert, because even if you're familiar with the application or user that triggered the alert, it's important to verify the context of every alert.

If you also have Defender CSPM enabled, you can use attack paths to see whether there is a risk of lateral movement in your environment, where vulnerabilities on servers are exploited to gain access to Key Vaults. To explore more of these use-case exercises, visit the Microsoft Defender for Cloud GitHub repository, which includes a lab on Defender CSPM.

Conclusion

By the end of this PoC you should be able to determine the value of this solution and the importance of having this level of threat detection for your workloads.

P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases, and join our Tech Community, where you can be among the first to hear the latest Microsoft Defender for Cloud news and announcements and get your questions answered by experts.

Reviewers

Walner Dort - Product Manager II, Microsoft Defender for Cloud CXE

Yuri Diogenes - Principal PM Manager, Microsoft Defender for Cloud CXE

Updated Jun 27, 2024
Version 5.0