Azure Key Vault Secret Key Usage by Unusual Identity

Last updated: 2025-07-22
Created: 2025-07-10

About

Identifies secret, key, or certificate retrieval operations from Azure Key Vault by a user principal that has not previously been seen performing them within a configured number of days. Azure Key Vault is a cloud service for securely storing and accessing secrets, keys, and certificates. Unauthorized or excessive retrievals may indicate potential abuse or unauthorized access attempts.
Tags
Domain: Cloud
Domain: Storage
Domain: Identity
Data Source: Azure
Data Source: Azure Platform Logs
Data Source: Azure Key Vault
Use Case: Threat Detection
Use Case: Identity and Access Audit
Tactic: Credential Access
Language: kuery
Severity
medium
Risk Score
43
MITRE ATT&CK™

Credential Access (TA0006)

False Positive Examples
Service accounts or applications that frequently access Azure Key Vault for configuration or operational purposes may trigger this rule. Automated scripts or processes that retrieve secrets or keys for legitimate purposes, such as secret rotation or application configuration, may also lead to false positives. Security teams performing routine audits or assessments that involve retrieving keys or secrets from Key Vaults may trigger this rule if they perform multiple retrievals in a short time frame.
License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-azure.platformlogs-*
Related Integrations

azure

Query
event.dataset : "azure.platformlogs" and
event.outcome: "success" and
event.action : (
    "VaultGet" or
    "KeyGet" or
    "KeyList" or
    "KeyListVersions" or
    "KeyGetDeleted" or
    "KeyListDeleted" or
    "SecretGet" or
    "SecretList" or
    "SecretListVersions" or
    "SecretGetDeleted" or
    "SecretListDeleted" or
    "CertificateGet" or
    "CertificateList" or
    "CertificateListVersions" or
    "CertificateGetDeleted" or
    "CertificateListDeleted" or
    "CertificatePolicyGet" or
    "CertificateContactsGet" or
    "CertificateIssuerGet" or
    "CertificateIssuersList"
) and azure.platformlogs.identity.claim.upn: * and azure.platformlogs.properties.id: *
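The query above only selects candidate events; the "unusual identity" decision comes from the New Terms rule type, which alerts when a term has not appeared in matching events during the rule's history window. The following Python script is an added illustration, not part of the Elastic rule or its source: it reproduces the KQL filter in code and then emulates a New Terms evaluation over constructed Azure platform log events. It assumes the tracked term is the pair of `azure.platformlogs.identity.claim.upn` and `azure.platformlogs.properties.id` (the two fields the query requires to exist) and a 14-day history window; both are assumptions, since the page does not state the rule's new-terms fields or window. The `excluded_upns` parameter is a hypothetical tuning knob for the service-account false positives described on this page.

```python
from datetime import datetime, timedelta

# Retrieval operations taken from the rule's event.action clause.
KEY_VAULT_READ_ACTIONS = {
    "VaultGet", "KeyGet", "KeyList", "KeyListVersions", "KeyGetDeleted",
    "KeyListDeleted", "SecretGet", "SecretList", "SecretListVersions",
    "SecretGetDeleted", "SecretListDeleted", "CertificateGet", "CertificateList",
    "CertificateListVersions", "CertificateGetDeleted", "CertificateListDeleted",
    "CertificatePolicyGet", "CertificateContactsGet", "CertificateIssuerGet",
    "CertificateIssuersList",
}


def matches_query(event, excluded_upns=frozenset()):
    """Mirror the rule's KQL: dataset, successful outcome, a retrieval action,
    and both the caller UPN and the Key Vault object id present.
    excluded_upns is a hypothetical allowlist for known automation accounts."""
    upn = event.get("azure.platformlogs.identity.claim.upn")
    return (
        event.get("event.dataset") == "azure.platformlogs"
        and event.get("event.outcome") == "success"
        and event.get("event.action") in KEY_VAULT_READ_ACTIONS
        and bool(upn)
        and upn not in excluded_upns
        and bool(event.get("azure.platformlogs.properties.id"))
    )


def find_new_term_alerts(events, history_window=timedelta(days=14),
                         excluded_upns=frozenset()):
    """Emulate a New Terms evaluation over a chronologically sorted stream.
    Term = (UPN, Key Vault object id), an assumption about the rule's fields.
    An event alerts when its term was not seen in a matching event within
    history_window before it (first-ever sightings therefore alert too)."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev, excluded_upns):
            continue
        term = (ev["azure.platformlogs.identity.claim.upn"],
                ev["azure.platformlogs.properties.id"])
        ts = ev["@timestamp"]
        prev = last_seen.get(term)
        if prev is None or ts - prev > history_window:
            alerts.append({"timestamp": ts, "upn": term[0],
                           "object_id": term[1], "action": ev["event.action"]})
        last_seen[term] = ts
    return alerts


def _event(ts, upn, action, object_id, outcome="success"):
    # Helper building a flattened platform-log document (constructed sample data).
    return {
        "@timestamp": ts,
        "event.dataset": "azure.platformlogs",
        "event.outcome": outcome,
        "event.action": action,
        "azure.platformlogs.identity.claim.upn": upn,
        "azure.platformlogs.properties.id": object_id,
    }


# Constructed sample events; vault names and principals are placeholders.
BASE = datetime(2025, 7, 1, 9, 0)
SECRET = "https://vault-a.vault.azure.net/secrets/db-password"
KEY = "https://vault-a.vault.azure.net/keys/signing-key"
SAMPLE_EVENTS = [
    _event(BASE, "alice@example.com", "SecretGet", SECRET),                      # first sighting: alert
    _event(BASE + timedelta(days=1), "alice@example.com", "SecretGet", SECRET),  # seen yesterday: quiet
    _event(BASE + timedelta(days=1, hours=2), "bob@example.com", "KeyGet", KEY), # new identity: alert
    _event(BASE + timedelta(days=2), "carol@example.com", "SecretGet", SECRET,
           outcome="failure"),                                                   # failed: filtered out
    _event(BASE + timedelta(days=2, hours=1), None, "SecretGet", SECRET),        # no UPN (app principal): filtered
    _event(BASE + timedelta(days=20), "alice@example.com", "SecretList", SECRET),# window expired: alert again
]

if __name__ == "__main__":
    for alert in find_new_term_alerts(SAMPLE_EVENTS):
        print(alert["timestamp"].isoformat(), alert["upn"], alert["action"], alert["object_id"])
```

Run against the sample data the script raises three alerts: Alice's first retrieval, Bob's first key read, and Alice again after the 14-day window has lapsed; the failed attempt and the event without a UPN never reach the term check. Passing `excluded_upns={"alice@example.com"}` leaves only Bob's alert, which is how a known automation identity would be carved out rather than widening the query itself.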

Install detection rules in Elastic Security

Detect Azure Key Vault Secret Key Usage by Unusual Identity in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.