
Quick Start Security for Azure Key Vault


Out-of-the-Box Security For Azure Key Vault Includes:

Alerts - 8

Stay on top of Azure Key Vault key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Key Vault Deletion

This alert detects whenever there is a request to delete an Azure Key Vault. The Key Vault contains keys, secrets, and certificates.

Impact: Azure key vaults are an attractive target for threat actors, as they contain information that may allow them to gain access to sensitive keys, passwords, and certificates that can further the attack chain, leading to persistence, lateral movement, and data collection. Malicious or accidental deletion of a key vault can lead to permanent data loss. The unavailability of a Key Vault can cause immediate loss of security functions (authentication, validation, verification, non-repudiation, etc.).

Mitigation: Check whether the user is authorized to perform the action and whether the activity is legitimate. If not, investigate further. Administrators can also enable purge protection and soft-delete to prevent unauthorized users from permanently deleting the key vault; this allows them to recover deleted vaults and vault objects.

MITRE Tactic: TA0040
MITRE Technique: T1531

Secret Near Expiry Event Published

This alert detects when the 'secret near expiry' event is published. Key Vault integration with Event Grid allows users to be notified when the status of a secret stored in the key vault has changed. A status change is defined as a secret that is about to expire (30 days before expiration), a secret that has expired, or a secret that has a new version available. Notifications for all three secret types (key, certificate, and secret) are supported.

Impact: Azure key vaults are an attractive target for threat actors, as they contain information that may allow them to gain access to sensitive keys, passwords, and certificates that can further the attack chain, leading to persistence, lateral movement, and data collection. If a secret is not rotated before it expires, legitimate users might not be able to use system functionality after the secret expires, which can impact normal business operations.

Mitigation: Check the secret expiry date and notify the administrators to rotate it before it expires by creating a new secret version. See the following link to learn more about Azure Key Vault secrets: https://learn.microsoft.com/en-us/azure/key-vault/secrets/about-secrets

MITRE Tactic: TA0007
MITRE Technique: T1201

Key Deletion

This alert detects whenever a key of any type is deleted from the Azure key vault. The delete key operation cannot be used to remove individual versions of a key. This operation removes the cryptographic material associated with the key, which means the key is no longer usable for Sign/Verify, Wrap/Unwrap, or Encrypt/Decrypt operations. This operation requires the keys/delete permission.

Impact: Azure key vaults are an attractive target for threat actors, as they contain information that may allow them to gain access to sensitive keys, passwords, and certificates that can further the attack chain, leading to persistence, lateral movement, and data collection. Malicious deletion of a key can lead to permanent data loss.

Mitigation: Check whether the user is authorized to perform the action and whether the activity is legitimate. If not, investigate further. Administrators can also enable purge protection to prevent unauthorized users from permanently deleting keys.

MITRE Tactic: TA0040
MITRE Technique: T1531

A Key Vault Updated

This alert detects whenever a key vault in a specified subscription is updated. This includes all update and patch requests to the existing key vault. Azure Key Vault is used for managing keys, certificates, and passwords.

Impact: Azure key vaults are an attractive target for threat actors, as they contain information that may allow them to gain access to sensitive keys, passwords, and certificates that can further the attack chain, leading to persistence, lateral movement, and data collection. A threat actor could update or modify Azure key vault permissions, delete keys or secrets, add a new key to the vault, and carry out further malicious activities.

Mitigation: Check with the user whether they are aware of the activity. If the user is not aware of the activity and is not authorized to update the vault, revert the action and investigate further. For more details, check the key vault properties updated in the logs.

MITRE Tactic: TA0003
MITRE Technique: T1098

No logs from Azure Key Vault

This rule detects if there are no logs in the last 4 hours for Azure Key Vault in the customer account. Note: this alert should be configured with the relevant application and subsystem.

Impact: Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation: Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system.

MITRE Tactic: TA0005
MITRE Technique: T1562

Certificate Near Expiry Event Published

This alert detects when the 'certificate near expiry' event is published. Key Vault integration with Event Grid allows users to be notified when the status of a secret stored in the key vault has changed. A status change is defined as a secret that is about to expire (30 days before expiration), a secret that has expired, or a secret that has a new version available. Notifications for all three secret types (key, certificate, and secret) are supported.

Impact: Azure key vaults are an attractive target for threat actors, as they contain information that may allow them to gain access to sensitive keys, passwords, and certificates that can further the attack chain, leading to persistence, lateral movement, and data collection. If a certificate expires, it could impact normal business operations, so it should be renewed as soon as possible.

Mitigation: Check the certificate expiry date and notify the administrators to renew it before it expires. See the following link to learn more about renewing Azure Key Vault certificates: https://learn.microsoft.com/en-us/azure/key-vault/certificates/overview-renew-certificate

MITRE Tactic: TA0042
MITRE Technique: T1588
MITRE Sub-Technique: 004

Key Near Expiry Event Published

This alert detects when the 'key near expiry' event is published. Key Vault integration with Event Grid allows users to be notified when the status of a secret stored in the key vault has changed. A status change is defined as a secret that is about to expire (30 days before expiration), a secret that has expired, or a secret that has a new version available. Notifications for all three secret types (key, certificate, and secret) are supported.

Impact: Azure key vaults are an attractive target for threat actors, as they contain information that may allow them to gain access to sensitive keys, passwords, and certificates that can further the attack chain, leading to persistence, lateral movement, and data collection.

Mitigation: Check the key expiry date and notify the administrators to rotate it by generating a new key version before it expires. See the following link to learn more about key rotation in Azure Key Vault: https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation

MITRE Tactic: TA0009
MITRE Technique: T1530

Certificates List Operation Attempted

This alert detects whenever there is an attempt to list certificates in a specified key vault. A successful action returns the set of certificate resources in the specified key vault. This operation requires the certificates/list permission. When Azure Key Vault creates the certificate, it creates a related private key and password. The password is stored as an Azure Secret, while the private key is stored as an Azure Key.

Impact: Azure key vaults are an attractive target for threat actors, as they contain information that may allow them to gain access to sensitive keys, passwords, and certificates that can further the attack chain, leading to persistence, lateral movement, and data collection. By listing certificates in a vault, a threat actor can get the names of the secrets and delete the certificates to disrupt normal business operations.

Mitigation: Check whether the user is aware of the activity. If not, investigate further for any sign of infection. See the following link for best practices for using Azure Key Vault: https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices

MITRE Tactic: TA0007
MITRE Technique: T1082
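As an added example (not Coralogix's or Microsoft's code), the following Python script runs the detection logic of the eight alerts above over a handful of constructed Key Vault records: it maps diagnostic-log operationName values and Event Grid eventType values (assumed names, since the page does not list them) to the alert names on this page, and evaluates the 4-hour 'no logs' rule against a supplied clock. The sample records show one caller listing certificates, deleting a key and then deleting the vault, which is the escalation the Certificates List alert's impact note warns about.

```python
import json
from datetime import datetime, timedelta

# Assumed Key Vault AuditEvent operationName values mapped to this page's alerts.
OPERATION_RULES = {
    "VaultDelete": "Key Vault Deletion",
    "KeyDelete": "Key Deletion",
    "VaultPatch": "A Key Vault Updated",
    "CertificateList": "Certificates List Operation Attempted",
}
# Event Grid eventType values assumed for the three near-expiry alerts.
EVENT_RULES = {
    "Microsoft.KeyVault.SecretNearExpiry": "Secret Near Expiry Event Published",
    "Microsoft.KeyVault.CertificateNearExpiry": "Certificate Near Expiry Event Published",
    "Microsoft.KeyVault.KeyNearExpiry": "Key Near Expiry Event Published",
}

# Constructed sample records, one JSON object per line (not real telemetry).
SAMPLE_LOGS = """\
{"time": "2024-05-01T10:00:00Z", "operationName": "SecretGet", "resultType": "Success", "callerIpAddress": "10.1.2.3"}
{"time": "2024-05-01T10:05:00Z", "operationName": "CertificateList", "resultType": "Success", "callerIpAddress": "203.0.113.7"}
{"time": "2024-05-01T10:06:00Z", "operationName": "KeyDelete", "resultType": "Success", "callerIpAddress": "203.0.113.7"}
{"time": "2024-05-01T10:07:00Z", "eventType": "Microsoft.KeyVault.SecretNearExpiry", "subject": "db-password"}
{"time": "2024-05-01T10:08:00Z", "operationName": "VaultDelete", "resultType": "Success", "callerIpAddress": "203.0.113.7"}
"""

def parse_ts(ts):
    """Parse an ISO-8601 timestamp; a trailing 'Z' means UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def match_record(rec):
    """Return the alert name a single record triggers, or None."""
    return OPERATION_RULES.get(rec.get("operationName")) or EVENT_RULES.get(rec.get("eventType"))

def triage(text, now_iso, silence=timedelta(hours=4)):
    """Apply every rule to the records, then the 'no logs in 4 hours' rule relative to now_iso."""
    alerts, latest = [], None
    for line in text.splitlines():
        rec = json.loads(line)
        ts = parse_ts(rec["time"])
        latest = ts if latest is None or ts > latest else latest
        name = match_record(rec)
        if name:  # report who triggered it: caller IP for audit events, subject for Event Grid
            alerts.append((name, rec.get("callerIpAddress") or rec.get("subject")))
    if latest is None or parse_ts(now_iso) - latest > silence:
        alerts.append(("No logs from Azure Key Vault", None))
    return alerts

if __name__ == "__main__":
    for name, who in triage(SAMPLE_LOGS, "2024-05-01T15:00:00Z"):
        print(f"ALERT {name}: {who}")
```

Grouping the returned tuples by caller is the quickest way to spot the list-then-delete sequence from a single IP in the sample.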

Documentation

Learn more about Coralogix's out-of-the-box integration with Azure Key Vault in our documentation.
