SOLVED

I want to monitor Key Vault access policy when a new user is added or someone is removed

Occasional Contributor

I want to monitor Key Vault access policy when a new user is added or someone is removed, using a Sentinel Analytics rule.


Can someone suggest a Kusto query to monitor the access policy of key vaults?

1 Reply
best response confirmed by deepak198486 (Occasional Contributor)
Solution
Those events are written to the AzureDiagnostics table, so just make sure your key vaults are sending data; then something like this should work. Both adding and removing users is a VaultPatch operation, and the columns will change slightly depending on whether it's an add or a remove.

AzureDiagnostics
// Key Vault AuditEvent rows land here; the vault's diagnostic setting must send them to this workspace
| where ResourceType == "VAULTS"
// Adding and removing an access policy both show up as a VaultPatch on the vault resource
| where OperationName == "VaultPatch"
| where ResultType == "Success"
// An add populates the addedAccessPolicy_* columns, a remove the removedAccessPolicy_* columns;
// the other set is empty for that row
| extend UserObjectAdded = addedAccessPolicy_ObjectId_g
| extend UserObjectRemoved = removedAccessPolicy_ObjectId_g
// Name claim of the identity that made the change
| extend Actor = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_name_s
| extend KeyAccessRemoved = tostring(removedAccessPolicy_Permissions_keys_s)
| extend SecretAccessRemoved = tostring(removedAccessPolicy_Permissions_secrets_s)
| extend CertAccessRemoved = tostring(removedAccessPolicy_Permissions_certificates_s)
| extend KeyAccessAdded = tostring(addedAccessPolicy_Permissions_keys_s)
| extend SecretAccessAdded = tostring(addedAccessPolicy_Permissions_secrets_s)
| extend CertAccessAdded = tostring(addedAccessPolicy_Permissions_certificates_s)
// Drop VaultPatch rows that changed something other than an access policy (tags, network rules, ...)
| where isnotempty(UserObjectAdded) or isnotempty(UserObjectRemoved)
| project TimeGenerated, ResourceType, OperationName, ResultType, id_s, Actor, UserObjectAdded, UserObjectRemoved, KeyAccessAdded, SecretAccessAdded, CertAccessAdded, KeyAccessRemoved, SecretAccessRemoved, CertAccessRemoved
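To check the detection logic without a workspace, here is an added example (not part of the answer above, and not Microsoft's code) that re-implements the same filters in Python over constructed AzureDiagnostics-shaped rows. The column names are the ones the query uses; the vault URL, principal names, object IDs, timestamps and the "Forbidden" result value in the sample rows are made up for illustration. It goes one step beyond the query by parsing the stringified permission arrays into lists, so that a rule author can see which permissions a grant carried.

```python
import json
from typing import Any, Dict, List

# Column the KQL aliases as Actor: the caller's name claim.
ACTOR_CLAIM = "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_name_s"

# Constructed sample rows shaped like flattened AzureDiagnostics records (all values invented).
# Row 1: access policy added.   Row 2: access policy removed.
# Row 3: patch that failed.     Row 4: VaultPatch that touched no access policy.
# Row 5: an unrelated read.     Only rows 1 and 2 should be reported.
SAMPLE_ROWS: List[Dict[str, Any]] = [
    {
        "TimeGenerated": "2021-08-10T09:15:00Z",
        "ResourceType": "VAULTS", "OperationName": "VaultPatch", "ResultType": "Success",
        "id_s": "https://kv-example-01.vault.azure.net/",
        ACTOR_CLAIM: "alice@contoso.example",
        "addedAccessPolicy_ObjectId_g": "11111111-1111-1111-1111-111111111111",
        "addedAccessPolicy_Permissions_secrets_s": '["get","list"]',
        "addedAccessPolicy_Permissions_keys_s": "[]",
    },
    {
        "TimeGenerated": "2021-08-10T09:20:00Z",
        "ResourceType": "VAULTS", "OperationName": "VaultPatch", "ResultType": "Success",
        "id_s": "https://kv-example-01.vault.azure.net/",
        ACTOR_CLAIM: "bob@contoso.example",
        "removedAccessPolicy_ObjectId_g": "22222222-2222-2222-2222-222222222222",
        "removedAccessPolicy_Permissions_keys_s": '["get","sign"]',
        "removedAccessPolicy_Permissions_certificates_s": '["get"]',
    },
    {
        "TimeGenerated": "2021-08-10T09:25:00Z",
        "ResourceType": "VAULTS", "OperationName": "VaultPatch", "ResultType": "Forbidden",
        "id_s": "https://kv-example-01.vault.azure.net/",
        ACTOR_CLAIM: "mallory@contoso.example",
        "addedAccessPolicy_ObjectId_g": "33333333-3333-3333-3333-333333333333",
        "addedAccessPolicy_Permissions_secrets_s": '["all"]',
    },
    {
        "TimeGenerated": "2021-08-10T09:30:00Z",
        "ResourceType": "VAULTS", "OperationName": "VaultPatch", "ResultType": "Success",
        "id_s": "https://kv-example-01.vault.azure.net/",
        ACTOR_CLAIM: "alice@contoso.example",
    },
    {
        "TimeGenerated": "2021-08-10T09:35:00Z",
        "ResourceType": "VAULTS", "OperationName": "SecretGet", "ResultType": "Success",
        "id_s": "https://kv-example-01.vault.azure.net/secrets/db-password",
        ACTOR_CLAIM: "app-svc@contoso.example",
    },
]

# Output field -> source column, mirroring the extend lines of the query.
PERM_COLUMNS = {
    "KeyAccessAdded": "addedAccessPolicy_Permissions_keys_s",
    "SecretAccessAdded": "addedAccessPolicy_Permissions_secrets_s",
    "CertAccessAdded": "addedAccessPolicy_Permissions_certificates_s",
    "KeyAccessRemoved": "removedAccessPolicy_Permissions_keys_s",
    "SecretAccessRemoved": "removedAccessPolicy_Permissions_secrets_s",
    "CertAccessRemoved": "removedAccessPolicy_Permissions_certificates_s",
}


def _perms(row: Dict[str, Any], column: str) -> List[str]:
    """Parse a stringified permission array column; a missing or blank column yields []."""
    raw = row.get(column)
    if not raw:
        return []
    try:
        value = json.loads(raw)
    except json.JSONDecodeError:
        return [str(raw)]  # not JSON: keep the raw text rather than drop the evidence
    if isinstance(value, list):
        return [str(p).lower() for p in value]
    return [str(value)]


def access_policy_changes(rows: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply the query's where/extend/project logic and return one finding per policy change."""
    findings = []
    for row in rows:
        if row.get("ResourceType") != "VAULTS":
            continue
        if row.get("OperationName") != "VaultPatch":
            continue
        if row.get("ResultType") != "Success":  # failed attempts are not a change
            continue
        added = row.get("addedAccessPolicy_ObjectId_g") or ""
        removed = row.get("removedAccessPolicy_ObjectId_g") or ""
        if not added and not removed:  # VaultPatch that did not touch an access policy
            continue
        finding = {
            "TimeGenerated": row.get("TimeGenerated"),
            "Vault": row.get("id_s"),
            "Actor": row.get(ACTOR_CLAIM, ""),
            "UserObjectAdded": added,
            "UserObjectRemoved": removed,
        }
        for name, column in PERM_COLUMNS.items():
            finding[name] = _perms(row, column)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in access_policy_changes(SAMPLE_ROWS):
        print(json.dumps(finding))
```

Running it prints the two findings (alice's grant of get/list on secrets, bob's removal of a principal holding get/sign on keys and get on certificates); the failed patch, the non-policy patch and the SecretGet are dropped exactly as the KQL drops them. To try it against real data, export a few rows from AzureDiagnostics and feed them in as dicts in place of SAMPLE_ROWS.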