SOLVED

How to block IPs trying to hit Key Vaults?

%3CLINGO-SUB%20id%3D%22lingo-sub-2866233%22%20slang%3D%22en-US%22%3EHow%20to%20block%20IPs%20trying%20to%20hit%20Kay%20Vaults%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2866233%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20an%20alert%20-%26nbsp%3B%3CSPAN%3EMass%20secret%20retrieval%20from%20Azure%20Key%20Vault%20-%20for%20an%20external%20IP%20that%20is%20trying%20to%20access%20out%20key%20vaults%20over%20and%20over.%20When%20I%20check%20the%20Azure%20Key%20Vault%20Security%20workbook%20and%20look%20under%20the%20'%3CSPAN%20class%3D%22%22%3EAnalytics%20over%20Key%20Vault%20events'%20tab%20and%20then%20go%20to%20Event%20Analysis%20%26gt%3B%20Failed%20events%20%26gt%3B%20Activity%26nbsp%3Bby%20Caller%20IP%2C%20I%20see%20this%20IP%20at%20the%20top%20of%20the%20list%20basically%20launching%20continuous%20key%20vault%20requests.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22%22%3EHow%20do%20I%20go%20about%20blocking%20this%20IP%3F%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22%22%3EThx%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2867560%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20block%20IPs%20trying%20to%20hit%20Kay%20Vaults%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2867560%22%20slang%3D%22en-US%22%3EHave%20you%20enabled%20firewall%20for%20key%20vault%20it's%20not%20enabled%20by%20default%3CBR%20%2F%3ERef%20the%20below%20article%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fkey-vault%2Fgeneral%2Fnetwork-security%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fkey-vault%2Fgeneral%2Fnetwork-security%3C%2FA%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E
Contributor

I have an alert - Mass secret retrieval from Azure Key Vault - for an external IP that is trying to access out key vaults over and over. When I check the Azure Key Vault Security workbook and look under the 'Analytics over Key Vault events' tab and then go to Event Analysis > Failed events > Activity by Caller IP, I see this IP at the top of the list basically launching continuous key vault requests.

 

How do I go about blocking this IP?

 

Thx

2 Replies
best response confirmed by Jeff Walzer (Contributor)
Solution
Have you enabled firewall for key vault it's not enabled by default
Ref the below article https://docs.microsoft.com/en-us/azure/key-vault/general/network-security

@Chandrasekhar_Arya - Thx again for the reply and info as I needed to allow access only from selected networks