Forum Discussion
deepak198486
Aug 19, 2021 (Copper Contributor)
I want to monitor Key Vault access policy when a new user is added or someone is removed
I want to monitor Key Vault access policy when a new user is added or someone is removed, using a Sentinel analytics rule. Can someone suggest a Kusto query to monitor the access policy of key vaults?
m_zorich
Aug 19, 2021 (Iron Contributor)
Those events are written to the AzureDiagnostics table, so just make sure your key vaults are sending data; then something like this should work. Both adding and removing users are VaultPatch operations, and the columns will change slightly depending on whether it's an add or a remove.
AzureDiagnostics
| where ResourceType == "VAULTS"
| where OperationName == "VaultPatch"
| where ResultType == "Success"
| extend UserObjectAdded = addedAccessPolicy_ObjectId_g
| extend UserObjectRemoved = removedAccessPolicy_ObjectId_g
| extend Actor = identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_name_s
| extend KeyAccessRemoved = tostring(removedAccessPolicy_Permissions_keys_s)
| extend SecretAccessRemoved = tostring(removedAccessPolicy_Permissions_secrets_s)
| extend CertAccessRemoved = tostring(removedAccessPolicy_Permissions_certificates_s)
| extend KeyAccessAdded = tostring(addedAccessPolicy_Permissions_keys_s)
| extend SecretAccessAdded = tostring(addedAccessPolicy_Permissions_secrets_s)
| extend CertAccessAdded = tostring(addedAccessPolicy_Permissions_certificates_s)
| where isnotempty(UserObjectAdded) or isnotempty(UserObjectRemoved)
| project ResourceType, OperationName, ResultType, id_s, Actor, UserObjectAdded, UserObjectRemoved, KeyAccessAdded, SecretAccessAdded, CertAccessAdded, KeyAccessRemoved, SecretAccessRemoved, CertAccessRemoved
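As an added example (not from the thread), the same query reshaped the way it would sit in a scheduled analytics rule: it classifies each record as an add, remove or modification, raises the severity when high-impact permissions are granted, and projects the columns you would map to entities. Beyond the column names used in the thread it assumes the standard AzureDiagnostics columns TimeGenerated, Resource and CallerIPAddress are populated; the sensitive-permission list and the "Modified" classification for a record carrying both an added and a removed object ID are editorial assumptions.

```kusto
// Added example: m_zorich's query reshaped for a Sentinel analytics rule.
// Assumptions: TimeGenerated, Resource and CallerIPAddress are the standard
// AzureDiagnostics columns; the SensitivePermissions list is an editorial choice.
let lookback = 1h;
let SensitivePermissions = dynamic(["all", "purge", "delete", "restore", "recover"]);
AzureDiagnostics
| where TimeGenerated > ago(lookback)
| where ResourceType == "VAULTS" and OperationName == "VaultPatch" and ResultType == "Success"
| extend UserObjectAdded = tostring(addedAccessPolicy_ObjectId_g),
         UserObjectRemoved = tostring(removedAccessPolicy_ObjectId_g),
         Actor = tostring(identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_name_s)
| where isnotempty(UserObjectAdded) or isnotempty(UserObjectRemoved)
// Permission columns are strings such as '["get","list"]'; has_any is a
// case-insensitive term match, so it tolerates quoting and casing differences.
| extend SensitiveGrant =
    addedAccessPolicy_Permissions_keys_s has_any (SensitivePermissions)
    or addedAccessPolicy_Permissions_secrets_s has_any (SensitivePermissions)
    or addedAccessPolicy_Permissions_certificates_s has_any (SensitivePermissions)
// A record with both object IDs is treated as a modification (assumption).
| extend ChangeType = case(
    isnotempty(UserObjectAdded) and isnotempty(UserObjectRemoved), "Modified",
    isnotempty(UserObjectAdded), "Added",
    "Removed")
| extend AlertSeverity = iff(SensitiveGrant, "High", "Medium")
| project TimeGenerated, VaultName = Resource, Actor, CallerIPAddress,
          ChangeType, AlertSeverity,
          PrincipalObjectId = coalesce(UserObjectAdded, UserObjectRemoved),
          KeyAccessAdded = tostring(addedAccessPolicy_Permissions_keys_s),
          SecretAccessAdded = tostring(addedAccessPolicy_Permissions_secrets_s),
          CertAccessAdded = tostring(addedAccessPolicy_Permissions_certificates_s),
          KeyAccessRemoved = tostring(removedAccessPolicy_Permissions_keys_s),
          SecretAccessRemoved = tostring(removedAccessPolicy_Permissions_secrets_s),
          CertAccessRemoved = tostring(removedAccessPolicy_Permissions_certificates_s)
```

In the rule's entity mapping, map Actor and PrincipalObjectId to Account entities and CallerIPAddress to an IP entity so that investigations pivot on who changed the policy and who gained access.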