Azure Key Vault Modified by Unusual User
This rule identifies modifications to Azure Key Vaults by unusual users, potentially leading to data breaches or service disruptions through defense evasion or impact operations.
This detection identifies modifications to Azure Key Vault, a service that safeguards encryption keys and secrets. Given the sensitivity of the data stored, access should be tightly controlled. This detection uses a new terms rule to identify when Key Vault modifications are performed by a user who hasn't been seen performing this activity within a 14-day period. This activity could indicate compromised credentials, insider threats, or misconfigured access controls. This rule helps security teams quickly identify and respond to potentially unauthorized modifications to sensitive resources within Azure environments, specifically targeting unusual user activity that deviates from established baselines. The original rule was created on 2020/08/31, and updated on 2026/04/10.
Attack Chain
- An attacker gains unauthorized access to an Azure account, potentially through credential compromise or account takeover.
- The attacker leverages the compromised account to authenticate to the Azure environment.
- The attacker enumerates available Key Vault resources within the Azure subscription.
- The attacker attempts to modify a Key Vault configuration, such as changing access policies, secrets, or encryption keys.
- The modification is logged as an Azure Activity Log event with operation name
MICROSOFT.KEYVAULT/VAULTS/*and event outcome ofSuccess. - The "new terms" rule triggers because the user performing the modification (
azure.activitylogs.identity.claims_initiated_by_user.name) is not a known user of Key Vaults, based on a 14-day history. - The attacker leverages the modified Key Vault configuration to access sensitive data or disrupt services.
- The attacker may further attempt to cover their tracks by deleting audit logs or other evidence of their activity.
Impact
Unauthorized modifications to Azure Key Vault can have significant consequences, including data breaches, service disruptions, and compliance violations. The rule has a low severity and a risk score of 21. If an attacker successfully modifies a Key Vault, they could potentially access sensitive secrets and encryption keys, leading to the compromise of critical applications and data. This could affect multiple organizations that rely on the compromised Key Vault for securing their cloud infrastructure.
Recommendation
- Deploy the Sigma rules provided in this brief to your SIEM to detect unusual Key Vault modifications.
- Investigate any alerts generated by the Sigma rules, focusing on the user (
azure.activitylogs.identity.claims_initiated_by_user.name), the Key Vault resource ID (azure.activitylogs.resource_id), and the type of modification (azure.activitylogs.operation_name). - Review Azure Key Vault access policies and ensure that only authorized users and applications have the necessary permissions.
- Enable multi-factor authentication (MFA) for all Azure accounts, especially those with access to sensitive resources like Key Vaults.
- Monitor Azure Activity Logs for any suspicious activity related to Key Vault modifications (Data Source: Azure Activity Logs).
Detection coverage 2
Azure Key Vault Modified By Unusual User
lowDetects modifications to Azure Key Vault resources by a user not previously observed performing such actions.
Azure Key Vault Deletion Detected
mediumDetects deletion of an Azure Key Vault resource, potentially indicating malicious activity or misconfiguration.
Detection queries are available on the platform. Get full rules →