Visibility of Azure key vault activity in Sentinel Azure Key Vault Workbook

Published 03-02-2021 08:42 AM 2,384 Views
Microsoft

Azure key vaults safeguard cryptographic encryption keys, certificates, and other secrets like connections strings and passwords used by cloud apps and services. Securing key vaults, is therefore, of utmost importance. Azure Defender for Key Vault monitors key vault activity and alerts when suspicious and malicious behavior is observed.

Now you can get further insights and visibility on your key vault activity using the new Azure Key Vault Workbook in Sentinel. The workbook allows you to visualize alerts from Azure Defender and monitor its coverage across your Sentinel workspaces. In addition, it provides security insights from the activity logs. These insights include baselines for key vault access and anomalous deviations from them, as well as event and operation analysis over time. The analysis allows you to inspect failed events, caller IPs, active users & services, as well as their operations. You can further investigate notable and suspicious entities and their activities using the direct links provided in the workbook to relevant incidents involving these entities. 

We recommend checking this workbook on a periodic basis, in which you can check anomalous behavior on your key vaults and drilling down to validate that the behavior is legitimate or not. In addition, we recommend checking the workbook when you see a key vault being involved in an incident. In such a case, we recommend filtering the workbook on the specific key vault to create an understanding on its usage and the actions on it.

Configuration

To get full benefit of the workbook, enable audit events in the diagnostic settings of the key vault and make sure that Azure Defender alerts are ingested in Azure Sentinel.

To enable Azure Defender for Key Vault, go to Azure Security Center --> Pricing & Settings --> Select the relevant subscription and make sure that key vault plan is enabled:

 

figure1.png

To ingest the security alerts to Sentinel, go to Sentinel --> Data connectors --> Azure Defender

 

figure2.PNG

To enable Diagnostic logs for Key Vaults, go to your key vault --> Diagnostic setting --> Add diagnostic setting --> select AuditEvent log and Send to Log Analytics workspace

 

figure3.PNG

figure4.PNG

Once the diagnostic logs are injected in the workspace, you can see the data in the AzureDiagnostics table.

 

figure5.PNG

The workbook leverages this data as well as the SecurityAlert table.

 

Usage

The workbook comprises three main tabs: Azure Defender for Key Vault alerts, Analytics over Key Vault events, and Key Vault activity monitoring. In the first tab, you can see the coverage of Azure Defender on your chosen subscriptions and key vaults, as well as onboard subscriptions to Azure Defender.

 

figure6.png

 

Following, you can see the Azure Defender alerts, their distribution over the various key vaults, and the details of each alert. These details include a link to the alert page in Azure Security Center and a link to the Incident page in Sentinel, from which you can initiate an investigation. In addition, for each alert you can see a graph of all entities involved in the alert.

 

figure7.png

figure8.png

figure9.png

 

 

 

On the second tab, you can see the analytics of the key vault activities, starting with the coverage to diagnostic logs reporting for the selected key vaults and onboarding those that do not log activity to log analytics.

 

figure10.png

 

Following on, you can see baselines of activity volume on each key vault and an anomaly score based on time series anomaly detection.

 

figure11.png

 

Further in event analysis, you can inspect notable events and their distribution based on key vault, caller IP, user/service identity, and operation type. For each such entity, you can also find all other incidents that were triggered and are related to it. Each such incident can then be investigated by clicking on its link and navigating to the incident page.

 

figure12.png

 

Additionally, you can hunt for sensitive operations, e.g., delete, purge, and backup operations:

 

figure13.png

 

As well as look for mass secret dumps based on a threshold and monitoring period of your choice:

 

figure14.png

In addition, you can inspect the operations on key vaults and monitor their relations for spikes and other suspicious behaviors in the operation analysis section. You can inspect the type of activity performed on a key vault or a set of key vaults over time. You can choose to look at either secret, key, or certificate operations, as well as filter on users or services performing the activity.

 

figure15.png

 

On the third tab you can inspect the monitoring metrics that can be found in the Azure Monitor for Key Vault workbook:

 

figure16.png

 

The workbook was developed with the assistance of: Lior Arviv, Hesham Saad, Yaniv Shasha, and Yossi Weizman.

Co-Authors
Version history
Last update:
‎Feb 16 2021 02:37 PM
Updated by: