question

Konsgn-0883 asked SaurabhSharma-msft commented

Consistent Hits of VaultGet trigger alerts even when nothing is calling KeyVault

Hello,

I am seeing about daily events calling VaultGet with different requestURI_s regardless of KeyUsage. This triggers my email alert and I am starting to suspect foul play.

Is there something that would cause this activity? Do I have a potential security breach? If it is expected behavior, how should I set up email triggering so that any activity is reported without triggering on these daily detections?

Thank you!

azure-key-vault

Hi @konsgn-0883,

Thanks for using Microsoft Q&A!
Is logging enabled on your Azure Key Vault? Please try to enable it so that you can know what is triggering these events, as this is not an expected behavior as per my understanding of the issue.
If you do not get much information, then you probably need to raise a support ticket so that an engineer can look into your environment. Please let me know if you do not have a support plan and need help creating a support ticket.

Thanks
Saurabh


0 Votes 0 ·

@konsgn-0883 Please let me know if you are still having issues.

Thanks
Saurabh

0 Votes 0 ·

Yes, logging is enabled. Emails on hits over 0 in a 6-hour interval have also been coming in routinely.

The hits in question come from various locations, but seem to have a consistent origin of management.azure.com. What is doing that?

Thank you,
Konstantin

0 Votes 0 ·

Hi @konsgn-0883,

Can you please share a screenshot of what exactly you are seeing? Also, you should be able to see who or what is calling your Key Vault by referencing the Identity parameter. (See screenshot below)
96038-image.png

"identity": {"claim":{"http://schemas.microsoft.com/identity/claims/objectidentifier":"d9da5048-2737-4770-bd64-XXXXXXXXXXXX","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"live.com#username@outlook.com","appid":"1950a258-227b-4e31-a9cf-XXXXXXXXXXXX"}},

Please refer to the documentation - Interpret your Key Vault logs.

The management.azure.com endpoint is used while calling the key vault.

Thanks
Saurabh

0 Votes 0 ·

Also, if you have diagnostics enabled, you can check the IP address for whoever is accessing the key vault. Please refer to this blog.


0 Votes 0 ·
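The check suggested in the comments above (reading the identity claim and the caller IP from the Key Vault diagnostic log to see who issues the VaultGet calls), as an added example that is not part of the original thread. It assumes the logs are exported as one JSON record per line in the documented Key Vault log schema; every GUID, IP address, UPN and vault name in the sample is a constructed placeholder. It also goes one step further and separates key, secret and certificate operations from vault-metadata reads such as VaultGet.

```python
import json
from collections import Counter

# Constructed sample records in the Key Vault diagnostic-log JSON shape.
# GUIDs, IPs, UPN and vault name are placeholders; the last line is deliberately truncated.
SAMPLE_LOG = """
{"time":"2021-05-10T03:12:44Z","operationName":"VaultGet","callerIpAddress":"203.0.113.10","identity":{"claim":{"appid":"00000000-0000-0000-0000-00000000000a"}},"properties":{"requestUri":"https://management.azure.com/subscriptions/SUB/resourceGroups/RG/providers/Microsoft.KeyVault/vaults/example-vault"}}
{"time":"2021-05-11T03:14:02Z","operationName":"VaultGet","callerIpAddress":"203.0.113.10","identity":{"claim":{"appid":"00000000-0000-0000-0000-00000000000a"}},"properties":{"requestUri":"https://management.azure.com/subscriptions/SUB/providers/Microsoft.KeyVault/vaults"}}
{"time":"2021-05-11T09:30:00Z","operationName":"VaultGet","callerIpAddress":"198.51.100.7","identity":{"claim":{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"live.com#user@example.com","appid":"00000000-0000-0000-0000-00000000000b"}}}
{"time":"2021-05-11T10:00:00Z","operationName":"SecretGet","callerIpAddress":"192.0.2.5","identity":{"claim":{"appid":"00000000-0000-0000-0000-00000000000c"}},"properties":{"requestUri":"https://example-vault.vault.azure.net/secrets/example"}}
{"time":"2021-05-11T10:05:00Z","operationName":"Vau
"""

UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

def parse(text):
    """Yield one dict per JSON line; skip blank, truncated or non-object lines."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec

def caller_of(rec):
    """Prefer the user's UPN claim, fall back to the application id."""
    claim = (rec.get("identity") or {}).get("claim") or {}
    return claim.get(UPN) or claim.get("appid") or "unknown"

def callers(text, operation="VaultGet"):
    """Count (caller, source IP) pairs for one operationName."""
    hits = Counter()
    for rec in parse(text):
        if rec.get("operationName") == operation:
            hits[(caller_of(rec), rec.get("callerIpAddress", "unknown"))] += 1
    return hits

def object_operations(text):
    """Records that touch keys, secrets or certificates rather than vault metadata."""
    prefixes = ("Key", "Secret", "Certificate")
    return [r for r in parse(text) if r.get("operationName", "").startswith(prefixes)]

if __name__ == "__main__":
    for (who, ip), n in callers(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {who}  {ip}")
    print("object operations:", [r["operationName"] for r in object_operations(SAMPLE_LOG)])
```

A caller that recurs daily with the same application id and IP range can then be looked up in the tenant's application registrations, and an alert rule can be scoped to the operations returned by `object_operations` instead of every log hit.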

0 Answers