LoFP LoFP / key being modified or deleted may be performed by a system administrator.

Techniques

Sample rules

Azure Keyvault Key Modified or Deleted

Description

Identifies when a Keyvault Key is modified or deleted in Azure.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE
  - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE
  - MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION