Azure Key Vault Modified

Last updated 24 days ago on 2025-07-09

Created 5 years ago on 2020-08-31

About

Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users. This is a New Terms rule that detects when this activity hasn't been seen by the user in a specified time frame.

Tags

Domain: CloudDomain: IdentityData Source: AzureData Source: Azure Activity LogsTactic: ImpactUse Case: Configuration AuditLanguage: kuery

Severity

low

Risk Score

MITRE ATT&CK™

Impact (TA0040)(opens in a new tab or window)

False Positive Examples

Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-azure.activitylogs-*
Related Integrations: azure(opens in a new tab or window)
Query

event.dataset: "azure.activitylogs"
    and azure.activitylogs.operation_name: MICROSOFT.KEYVAULT/VAULTS/*
    and event.outcome:(Success or success)

Install detection rules in Elastic Security

Detect Azure Key Vault Modified in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).