Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This query identifies instances where a user is added and subsequently removed from an Azure Key Vault access policy within a short duration, which could indicate attempts to credential access and persistence.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Cloud Service Threat Protection Essentials |
| ID | 8eff7055-9138-4edc-b8f0-48ea27e23c3c |
| Tactics | CredentialAccess |
| Techniques | T1555 |
| Required Connectors | AzureKeyVault |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
AzureDiagnostics 🔶 |
ResourceType == "VAULTS" |
? | ✗ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
↑ Back to Hunting Queries · Back to Cloud Service Threat Protection Essentials