Solution: Azure Key Vault
| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.3 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2022-05-02 |
| Solution Folder | Azure Key Vault |
| Marketplace | Azure Marketplace · Popularity: 🟢 High (92%) |
Azure Key Vault Solution for Microsoft Sentinel enables you to stream Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.
This solution provides 1 data connector(s):
🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. `_s`, `_d`, `_b`, `_t`, `_g`). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.
This solution uses 1 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
| AzureDiagnostics 🔶 | Azure Key Vault | Analytics, Workbooks |
The following 2 table(s) are used internally by this solution's content items:
| Table | Used By Connectors | Used By Content |
|---|---|---|
| SecurityAlert | - | Workbooks |
| SecurityIncident | - | Workbooks |
🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. `_s`, `_d`, `_b`, `_t`, `_g`). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.
This solution includes 5 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 4 |
| Workbooks | 1 |

| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Azure Key Vault access TimeSeries anomaly | Low | CredentialAccess | AzureDiagnostics |
| Mass secret retrieval from Azure Key Vault | Low | CredentialAccess | AzureDiagnostics |
| NRT Sensitive Azure Key Vault operations | Low | Impact | AzureDiagnostics |
| Sensitive Azure Key Vault operations | Low | Impact | AzureDiagnostics |

| Name | Tables Used |
|---|---|
| AzureKeyVaultWorkbook | AzureDiagnostics; internal use: SecurityAlert, SecurityIncident |

| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.3 | 25-10-2024 | Updated description of CreateUi and Analytic Rule |
| 3.0.2 | 14-02-2024 | Updated Entity Mapping for KeyVaultSensitiveOperations and NRT_KeyVaultSensitiveOperations Analytic Rules to render the GUID information correctly |
| 3.0.1 | 01-02-2024 | Updated ObjectGuid Identifier with Name (KeyvaultMassSecretRetrieval) Analytic Rule to render the GUID information correctly |
| 3.0.0 | 03-01-2024 | Added field ResourceId in (KeyvaultMassSecretRetrieval) Analytic Rule for proper Entity Mapping |