key vault being modified or deleted may be performed by a system administrator.

Techniques

Sample rules

Azure Key Vault Modified or Deleted

Description

Identifies when a key vault is modified or deleted.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.KEYVAULT/VAULTS/WRITE
  - MICROSOFT.KEYVAULT/VAULTS/DELETE
  - MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE