Microsoft Tech Community
SOLVED

I want to monitor Key Vault access policy when a new user is added or someone is removed


I want to monitor Key Vault access policy when a new user is added or someone is removed, using a Sentinel analytics rule.


Can someone suggest a Kusto query to monitor the access policy of key vaults?

best response confirmed by deepak198486 (Copper Contributor)
Solution
Those events are written to the AzureDiagnostics table, so just make sure your key vaults are sending data, then something like this should work. Both adding and removing users are VaultPatch operations, and the columns will change slightly depending on whether it's an add or a remove.

AzureDiagnostics
| where ResourceType == "VAULTS"                  // Key Vault diagnostic records only
| where OperationName == "VaultPatch"             // access policy changes are logged as a vault update
| where ResultType == "Success"                   // ignore failed attempts
| extend UserObjectAdded = addedAccessPolicy_ObjectId_g        // populated on an add
| extend UserObjectRemoved = removedAccessPolicy_ObjectId_g    // populated on a remove
| extend Actor = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_name_s  // who made the change
| extend KeyAccessRemoved = tostring(removedAccessPolicy_Permissions_keys_s)
| extend SecretAccessRemoved = tostring(removedAccessPolicy_Permissions_secrets_s)
| extend CertAccessRemoved = tostring(removedAccessPolicy_Permissions_certificates_s)
| extend KeyAccessAdded = tostring(addedAccessPolicy_Permissions_keys_s)
| extend SecretAccessAdded = tostring(addedAccessPolicy_Permissions_secrets_s)
| extend CertAccessAdded = tostring(addedAccessPolicy_Permissions_certificates_s)
| where isnotempty(UserObjectAdded) or isnotempty(UserObjectRemoved)   // drop VaultPatch events that did not touch an access policy
| project ResourceType, OperationName, ResultType, id_s, Actor, UserObjectAdded, UserObjectRemoved, KeyAccessAdded, SecretAccessAdded, CertAccessAdded, KeyAccessRemoved, SecretAccessRemoved, CertAccessRemoved
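The following is an added example, not code from the thread or from Microsoft. It runs the same filters as the accepted answer's KQL in Python over a handful of constructed Key Vault audit records, so you can see why the query keys off `VaultPatch` plus `addedAccessPolicy_ObjectId_g` / `removedAccessPolicy_ObjectId_g`, and which events (a setting-only VaultPatch, a failed attempt, a secret read) fall out. The flattening step is an approximation of how AzureDiagnostics names its columns (path segments joined with underscores, non-alphanumerics collapsed, and a type suffix such as `_s`, `_g`, `_d`, `_b`); the vault ID, principals and records are all made up. Two caveats when you turn the KQL into an analytics rule: the `addedAccessPolicy_*` / `removedAccessPolicy_*` columns only exist in a workspace once at least one such event has been ingested, so wrap them in `column_ifexists()` if the rule must validate on a fresh workspace, and vaults that use the Azure RBAC permission model instead of access policies never emit these fields (their role assignments land in the Activity Log, not in this table).

```python
import json
import re
from typing import Any

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ACTOR_COL = "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_name_s"
# Hypothetical vault resource ID for the constructed records below.
VAULT_ID = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-DEMO"
            "/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KV-DEMO")


def _rec(time: str, op: str, result: str, actor: str, props: dict) -> dict:
    """Build one constructed AuditEvent-style record (not a captured log)."""
    return {"time": time, "resourceId": VAULT_ID, "operationName": op, "resultType": result,
            "identity": {"claim": {NAME_CLAIM: actor}},
            "properties": {"id": "https://kv-demo.vault.azure.net/", **props}}


RAW_RECORDS = [
    # 1. policy added for a new principal: should alert
    _rec("2024-04-03T14:00:00Z", "VaultPatch", "Success", "alice@contoso.example",
         {"addedAccessPolicy": {"ObjectId": "11111111-1111-1111-1111-111111111111",
                                "Permissions": {"keys": ["get", "list"], "secrets": ["get"], "certificates": []}}}),
    # 2. policy removed: should alert, showing the permissions taken away
    _rec("2024-04-03T14:05:00Z", "VaultPatch", "Success", "bob@contoso.example",
         {"removedAccessPolicy": {"ObjectId": "22222222-2222-2222-2222-222222222222",
                                  "Permissions": {"keys": ["get"], "secrets": ["get", "set", "delete"], "certificates": ["get"]}}}),
    # 3. VaultPatch that only flipped a vault setting: no policy columns, must not alert
    _rec("2024-04-03T14:10:00Z", "VaultPatch", "Success", "bob@contoso.example",
         {"enabledForDeployment": True}),
    # 4. failed attempt (any non-Success ResultType): filtered out
    _rec("2024-04-03T14:15:00Z", "VaultPatch", "Forbidden", "mallory@contoso.example",
         {"addedAccessPolicy": {"ObjectId": "33333333-3333-3333-3333-333333333333",
                                "Permissions": {"keys": ["purge"], "secrets": ["purge"], "certificates": []}}}),
    # 5. secret read: different OperationName, ignored
    _rec("2024-04-03T14:20:00Z", "SecretGet", "Success", "app-reader@contoso.example",
         {"id": "https://kv-demo.vault.azure.net/secrets/db-password"}),
]


def _col(parts: list, value: Any) -> tuple:
    """AzureDiagnostics-style column: sanitized path joined by '_' plus a type suffix (approximation)."""
    name = "_".join(re.sub(r"[^A-Za-z0-9]+", "_", p) for p in parts)
    if isinstance(value, bool):
        return name + "_b", value
    if isinstance(value, (int, float)):
        return name + "_d", float(value)
    if isinstance(value, list):  # arrays are kept as JSON text, hence tostring() in the KQL
        return name + "_s", json.dumps(value)
    value = str(value)
    return (name + "_g", value) if GUID_RE.match(value) else (name + "_s", value)


def _flatten(obj: dict, prefix: list, out: dict) -> None:
    for key, value in obj.items():
        if isinstance(value, dict):
            _flatten(value, prefix + [key], out)
        else:
            col, val = _col(prefix + [key], value)
            out[col] = val


def to_azure_diagnostics_row(rec: dict) -> dict:
    """Approximate how one record lands in AzureDiagnostics: fixed columns for the
    envelope, 'properties.*' flattened without prefix, other objects with their path."""
    row = {"TimeGenerated": rec["time"], "ResourceId": rec["resourceId"],
           "ResourceType": rec["resourceId"].split("/")[-2].upper(),
           "OperationName": rec["operationName"], "ResultType": rec["resultType"]}
    for key, value in rec.items():
        if key in ("time", "resourceId", "operationName", "resultType"):
            continue
        _flatten(value, [] if key == "properties" else [key], row) if isinstance(value, dict) \
            else row.update([_col([key], value)])
    return row


def detect_access_policy_changes(rows) -> list:
    """Python equivalent of the KQL: successful VaultPatch on a vault that added or removed a policy."""
    findings = []
    for row in rows:
        if (row.get("ResourceType"), row.get("OperationName"), row.get("ResultType")) != ("VAULTS", "VaultPatch", "Success"):
            continue
        added, removed = row.get("addedAccessPolicy_ObjectId_g"), row.get("removedAccessPolicy_ObjectId_g")
        if not added and not removed:
            continue  # VaultPatch that did not touch an access policy
        findings.append({
            "TimeGenerated": row["TimeGenerated"], "Vault": row.get("id_s"), "Actor": row.get(ACTOR_COL),
            "UserObjectAdded": added, "UserObjectRemoved": removed,
            "KeyAccessAdded": row.get("addedAccessPolicy_Permissions_keys_s"),
            "SecretAccessAdded": row.get("addedAccessPolicy_Permissions_secrets_s"),
            "CertAccessAdded": row.get("addedAccessPolicy_Permissions_certificates_s"),
            "KeyAccessRemoved": row.get("removedAccessPolicy_Permissions_keys_s"),
            "SecretAccessRemoved": row.get("removedAccessPolicy_Permissions_secrets_s"),
            "CertAccessRemoved": row.get("removedAccessPolicy_Permissions_certificates_s"),
        })
    return findings


def run() -> list:
    return detect_access_policy_changes(to_azure_diagnostics_row(r) for r in RAW_RECORDS)


if __name__ == "__main__":
    for finding in run():
        print(json.dumps(finding, indent=2))
```

Running it prints two findings, the add by alice and the remove by bob, with the permission lists as JSON text exactly as the `_s` columns carry them. If you extend the KQL, keep the `isnotempty()` guard: a `VaultPatch` that only changes a vault setting (record 3) still passes the first three filters and would otherwise fire the rule.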