Microsoft Defender for Key Vault
Published Nov 03 2020 05:56 PM



We are excited to share that Microsoft Defender for Key Vault has been generally available since Microsoft Ignite on September 22nd, 2020! We have prepared this blog to go over the following topics: 

  • Introduction to Microsoft Defender for Key Vault 
  • How to enable Microsoft Defender for Key Vault 
  • How to find alerts of Microsoft Defender for Key Vault 
  • How to respond to alerts 
  • How to provide feedback on alerts


Microsoft Defender for Key Vault

Microsoft Key Vault is a cloud service for securely storing and accessing secure data like secrets, keys, certificates, and passwords. By compromising this data, attackers may be able to gain unauthorized access or perform lateral movement to breach other resources in the customers' environment. 


Microsoft Defender for Key Vault is an Azure-native threat protection service, which detects unusual and potentially harmful access to Key Vault accounts. It provides an additional layer of security intelligence for the keys, secrets and certificates stored in the Microsoft Key Vault by alerting you to suspicious or malicious access. This layer of security allows you to address threats without being a security expert, and without the need to manage third-party security monitoring systems. 


When anomalous activities occur, Microsoft Defender for Key Vault shows alerts and optionally sends them via email to relevant members of your organization. These alerts include the details of suspicious activity and recommendations on how to investigate and remediate the threats. 


More information about Microsoft Defender for Key Vault is available here. 


How to enable Microsoft Defender for Key Vault

Microsoft Defender for Key Vault can be enabled from Microsoft Defender for Cloud, or from Key Vault. The pricing information is available here. 


Method 1: Enable from Microsoft Defender for Cloud

  1. Go to Microsoft Defender for Cloud from Azure Portal. 
  2. From Security Center's main menu, select Environment settings under Management.


  3. Select the subscription for which you want to enable Microsoft Defender for Key Vault.
  4. Select Defender Plans to upgrade.



  5. Switch Microsoft Defender plan for Key Vault to On. 
  6. Select Save. 


Method 2: Enable from Key Vault 

  1. Go to the target Key Vault from Azure Portal. 
  2. From Key Vault's main menu, select Security under Settings.


  3. Under Security alerts, select Try it free for the first 30 days.  
  4. Select the subscription for which you want to enable Azure Defender for Key Vault.


  5. Select Upgrade. 
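
To confirm the result of either method across several subscriptions, the check below reads the JSON printed by `az security pricing list` and reports the state of the `KeyVaults` plan. It is an added example, not code from the original post; the sample JSON and subscription IDs are constructed, and the two output shapes it accepts (a `value` wrapper or a bare list) are assumptions about the CLI output.

```python
import json

PLAN = "KeyVaults"  # plan name for Key Vault in Microsoft.Security/pricings

# Constructed sample: one captured `az security pricing list` result per
# subscription. Subscription IDs are placeholders, not real tenants.
SAMPLE = {
    "00000000-0000-0000-0000-000000000001": json.dumps({"value": [
        {"name": "KeyVaults", "pricingTier": "Standard"},
        {"name": "StorageAccounts", "pricingTier": "Free"},
    ]}),
    "00000000-0000-0000-0000-000000000002": json.dumps({"value": [
        {"name": "KeyVaults", "pricingTier": "Free"},
    ]}),
    # Bare-list shape (assumed), with the Key Vault plan missing entirely.
    "00000000-0000-0000-0000-000000000003": json.dumps([
        {"name": "VirtualMachines", "pricingTier": "Standard"},
    ]),
}

def plan_tier(pricing_json, plan=PLAN):
    """Return the plan's pricing tier, or None if the plan is not listed."""
    data = json.loads(pricing_json)
    entries = data.get("value", []) if isinstance(data, dict) else data
    for entry in entries:
        if entry.get("name", "").lower() == plan.lower():
            return entry.get("pricingTier")
    return None

def audit(pricing_by_subscription):
    """Map each subscription to 'on', 'off' or 'unknown' for the plan."""
    report = {}
    for sub, raw in pricing_by_subscription.items():
        tier = plan_tier(raw)
        if tier is None:
            report[sub] = "unknown"   # plan not reported: check manually
        elif tier.lower() == "standard":
            report[sub] = "on"        # Standard tier means the plan is enabled
        else:
            report[sub] = "off"       # Free tier: no Key Vault alerts
    return report

if __name__ == "__main__":
    for sub, state in audit(SAMPLE).items():
        print(f"{sub}: Defender for Key Vault {state}")
```

A subscription reported as `off` or `unknown` will not raise Key Vault alerts, so it is worth reviewing before relying on the alert pages described in the next section.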


How to find alerts of Azure Defender for Key Vault

Azure Defender for Key Vault alerts appear in both Key Vault and Security Center.

  1. View alerts on the Key Vault's Security page 
    1. Go to the target Key Vault from Azure Portal.   
    2. From Key Vault's main menu, select Security under Settings.
  2. View alerts in the Security Center's Security alerts page. 
    1. Go to the Security Center from Azure Portal.   
    2. From Security Center’s main menu, select Security alerts under General.


  3. Details on the alert page.


Here is the list of alerts that you might get from Azure Defender for Key Vault.


How to respond to alerts

Azure Defender for Key Vault is designed to help identify suspicious activity caused by stolen credentials. Do not dismiss the alert simply because you recognize the user or application. Contact the owner of the application or the user and verify the activity was legitimate. 


When you get an alert from Azure Defender for Key Vault, we recommend following this document.


How to provide feedback on alerts

Please provide your feedback for each alert on the alert page, which provides valuable input for the algorithm developers in the team to improve the quality of the alerts in the future. This feedback will not directly affect the results of the algorithm and will only be used to make long-term improvements. 




  1. Select the answer to the question Was this useful?. 
  2. Choose the Reason which best matches your scenario. 
  3. Provide Additional feedback to help the service team understand more about the reason why it is useful or not. 
  4. Select Microsoft may email me about my feedback to allow the service team to follow up by email. 
  5. Select Submit. 

You can create alert suppression rules to suppress unwanted security alerts from Azure Defender. Learn more in Suppress alerts from Azure Defender. 

Version history
Last update: Nov 05 2021 10:05 AM