[New Rule] Azure Key Vault Secret Key Usage by Unusual Identity #4899

@terrancedejesus

Description

Summary

We should add coverage that detects users or service accounts that retrieve secrets, keys, or certificates from Azure Key Vault but typically do not. This may suggest account takeover (ATO) in which the adversary is accessing sensitive security credentials from Azure Key Vault. This should be a New Terms rule on the UPN itself for Azure Platform logs that contain Azure Key Vault diagnostic logs for specific retrieval operations in Key Vault.

event.dataset : "azure.platformlogs" and
event.outcome : "success" and
event.action : (
  "VaultGet" or
  "KeyGet" or
  "KeyList" or
  "KeyListVersions" or
  "KeyGetDeleted" or
  "KeyListDeleted" or
  "SecretGet" or
  "SecretList" or
  "SecretListVersions" or
  "SecretGetDeleted" or
  "SecretListDeleted" or
  "CertificateGet" or
  "CertificateList" or
  "CertificateListVersions" or
  "CertificateGetDeleted" or
  "CertificateListDeleted" or
  "CertificatePolicyGet" or
  "CertificateContactsGet" or
  "CertificateIssuerGet" or
  "CertificateIssuersList"
) and azure.platformlogs.identity.claim.upn: *

Ref: https://www.inversecos.com/2022/05/detection-and-compromise-azure-key.html
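As an added example (not the Elastic rule itself and not code from the issue), a Python sketch of the new-terms logic this rule would apply: the issue's event.action list and UPN field are checked against constructed azure.platformlogs events, and a retrieval is flagged when its UPN performed no matching operation in a 7-day history window. The window length, field names as flat keys, and the sample UPNs and timestamps are assumptions.

```python
"""Added example: new-terms style check for Azure Key Vault retrievals by a UPN
not seen doing so recently. Sample events below are constructed, not real logs."""
from datetime import datetime, timedelta

# Retrieval operations listed in the issue's query.
KEY_VAULT_READ_ACTIONS = {
    "VaultGet", "KeyGet", "KeyList", "KeyListVersions", "KeyGetDeleted",
    "KeyListDeleted", "SecretGet", "SecretList", "SecretListVersions",
    "SecretGetDeleted", "SecretListDeleted", "CertificateGet", "CertificateList",
    "CertificateListVersions", "CertificateGetDeleted", "CertificateListDeleted",
    "CertificatePolicyGet", "CertificateContactsGet", "CertificateIssuerGet",
    "CertificateIssuersList",
}
UPN = "azure.platformlogs.identity.claim.upn"

def matches_query(event):
    """Apply the issue's filter: dataset, successful outcome, read action, UPN set."""
    return (event.get("event.dataset") == "azure.platformlogs"
            and event.get("event.outcome") == "success"
            and event.get("event.action") in KEY_VAULT_READ_ACTIONS
            and bool(event.get(UPN)))

def new_term_alerts(events, history_days=7):
    """Return matching events whose UPN had no matching read in the prior window.
    history_days is an assumed window, not a value from the issue."""
    seen = []    # (timestamp, upn) of earlier matching events
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue          # failures and non-read actions never count as history
        upn, ts = ev[UPN], ev["@timestamp"]
        start = ts - timedelta(days=history_days)
        if not any(u == upn and start <= t < ts for t, u in seen):
            alerts.append(ev)
        seen.append((ts, upn))
    return alerts

# Constructed sample data (hypothetical UPNs; day offsets from T0).
T0 = datetime(2024, 1, 1)
def ev(days, upn, action, outcome="success"):
    return {"@timestamp": T0 + timedelta(days=days), "event.dataset": "azure.platformlogs",
            "event.outcome": outcome, "event.action": action, UPN: upn}

SAMPLE_EVENTS = [
    ev(0, "ops-sa@contoso.example", "SecretGet"),           # first ever read -> alert
    ev(3, "ops-sa@contoso.example", "SecretList"),          # seen 3 days ago -> quiet
    ev(4, "ops-sa@contoso.example", "KeyGet", "failure"),   # fails the query filter
    ev(5, "jdoe@contoso.example", "SecretGet"),             # new UPN -> alert
    ev(6, "jdoe@contoso.example", "CertificateGet"),        # seen yesterday -> quiet
    ev(20, "ops-sa@contoso.example", "KeyGet"),             # 17-day gap -> alert again
]
```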
