PonugotiNarendraGLOBALV-1301 asked vipulsparsh-MSFT answered

Ingest Key Vault, application logs

We are planning to ingest Azure Key Vault and application logs into Sumo Logic. Can you please specify what type of logs we will get from Key Vault and application logs? What types of use cases can we implement to detect suspicious activities? Please help.

Tags: azure-key-vault, azure-security-center, microsoft-sentinel, azure-webapps-security

vipulsparsh-MSFT answered

@PonugotiNarendraGLOBALV-1301 Thanks for reaching out.
Once you have set up the path from Azure to Sumo Logic, Key Vault can provide alerts, input data errors, usage and diagnostic logs.

  • You can utilize it for various login scenarios.

  • Failed attempts.

  • You can look for delete, purge or backup operations.

We can tell, with reference to Azure Sentinel, what visibility you can get from Key Vault using the same set of logs:
https://techcommunity.microsoft.com/t5/azure-sentinel/visibility-of-azure-key-vault-activity-in-sentinel-azure-key/ba-p/2140751

This gets enhanced when using Azure Security Center + Azure Sentinel.


If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

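The three use cases the answer above lists (failed attempts, a caller that keeps failing and then succeeds, and delete/purge/backup operations) can be run over the raw Key Vault AuditEvent records before or after they reach Sumo Logic. The following Python script is an added example, not code from the original thread or from Microsoft; the field names (`operationName`, `resultSignature`, `callerIpAddress`, `identity.claim`, `properties.id`) follow the Key Vault diagnostic log schema, while the sample records, IPs, app id, vault name, thresholds and the grouping of operations into "destructive" and "export" sets are assumptions made for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of Key Vault AuditEvent records, one JSON object per line.
# Field names follow the Key Vault diagnostic log schema; all values are invented.
SAMPLE_LOG_LINES = [
    '{"time":"2021-03-01T10:00:01Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"10.1.2.3","identity":{"claim":{"upn":"app-svc@contoso.example"}},"properties":{"id":"https://kv-prod.vault.azure.net/secrets/db-conn"}}',
    '{"time":"2021-03-01T10:05:10Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"00000000-0000-0000-0000-00000000abcd"}},"properties":{"id":"https://kv-prod.vault.azure.net/secrets/db-conn"}}',
    '{"time":"2021-03-01T10:05:12Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"00000000-0000-0000-0000-00000000abcd"}},"properties":{"id":"https://kv-prod.vault.azure.net/secrets/storage-key"}}',
    '{"time":"2021-03-01T10:05:15Z","category":"AuditEvent","operationName":"SecretList","resultSignature":"Forbidden","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"00000000-0000-0000-0000-00000000abcd"}},"properties":{"id":"https://kv-prod.vault.azure.net/secrets"}}',
    '{"time":"2021-03-01T10:05:20Z","category":"AuditEvent","operationName":"KeyGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"00000000-0000-0000-0000-00000000abcd"}},"properties":{"id":"https://kv-prod.vault.azure.net/keys/signing"}}',
    '{"time":"2021-03-01T10:06:40Z","category":"AuditEvent","operationName":"SecretList","resultSignature":"OK","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"00000000-0000-0000-0000-00000000abcd"}},"properties":{"id":"https://kv-prod.vault.azure.net/secrets"}}',
    '{"time":"2021-03-01T10:06:45Z","category":"AuditEvent","operationName":"SecretBackup","resultSignature":"OK","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"00000000-0000-0000-0000-00000000abcd"}},"properties":{"id":"https://kv-prod.vault.azure.net/secrets/db-conn"}}',
    '{"time":"2021-03-01T11:30:00Z","category":"AuditEvent","operationName":"SecretPurge","resultSignature":"OK","callerIpAddress":"10.1.2.3","identity":{"claim":{"upn":"admin@contoso.example"}},"properties":{"id":"https://kv-prod.vault.azure.net/deletedsecrets/old-api-key"}}',
    '{"time":"2021-03-01T09:00:00Z","category":"AuditEvent","operationName":"Authentication","resultSignature":"Unauthorized","callerIpAddress":"198.51.100.9","identity":{},"properties":{"id":""}}',
]

FAILED_SIGNATURES = {"Unauthorized", "Forbidden"}
# Operation names are Key Vault AuditEvent values; the two groupings are ours.
DESTRUCTIVE_OPS = {"SecretDelete", "SecretPurge", "KeyDelete", "KeyPurge",
                   "CertificateDelete", "CertificatePurge", "VaultDelete", "VaultPurge"}
EXPORT_OPS = {"SecretBackup", "KeyBackup", "CertificateBackup"}


def parse_events(lines):
    """Flatten each JSON record to the handful of fields the detections use."""
    events = []
    for line in lines:
        rec = json.loads(line)
        claim = rec.get("identity", {}).get("claim", {})
        events.append({
            "time": datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "op": rec["operationName"],
            "result": rec.get("resultSignature", ""),
            "ip": rec.get("callerIpAddress", "unknown"),
            # Service principals carry appid/oid rather than a upn.
            "caller": claim.get("upn") or claim.get("appid") or claim.get("oid") or "unknown",
            "target": rec.get("properties", {}).get("id", ""),
        })
    events.sort(key=lambda e: e["time"])
    return events


def failed_access_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: peak count} for IPs with >= threshold failures inside any window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] in FAILED_SIGNATURES:
            by_ip[e["ip"]].append(e["time"])
    bursts = {}
    for ip, times in by_ip.items():
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


def success_after_failures(events, bursts):
    """IPs from a failure burst that later performed a successful operation."""
    hits = []
    for ip in bursts:
        last_fail = max(e["time"] for e in events if e["ip"] == ip and e["result"] in FAILED_SIGNATURES)
        if any(e["ip"] == ip and e["result"] == "OK" and e["time"] > last_fail for e in events):
            hits.append(ip)
    return hits


def sensitive_operations(events):
    """Successful delete/purge/backup operations as (kind, op, caller, ip, target)."""
    findings = []
    for e in events:
        if e["result"] != "OK":
            continue
        if e["op"] in DESTRUCTIVE_OPS:
            findings.append(("destructive", e["op"], e["caller"], e["ip"], e["target"]))
        elif e["op"] in EXPORT_OPS:
            findings.append(("export", e["op"], e["caller"], e["ip"], e["target"]))
    return findings


def analyse(lines):
    events = parse_events(lines)
    bursts = failed_access_bursts(events)
    return {
        "failed_access_bursts": bursts,
        "success_after_failures": success_after_failures(events, bursts),
        "sensitive_operations": sensitive_operations(events),
    }


if __name__ == "__main__":
    for name, result in analyse(SAMPLE_LOG_LINES).items():
        print(name, result)
```

The single `Unauthorized` record from 198.51.100.9 stays below the threshold, while the burst of `Forbidden` records from 203.0.113.7 followed by a successful `SecretList` and `SecretBackup` is the pattern worth paging on: it is what a caller with a freshly granted or stolen permission looks like in these logs. Note that the Azure diagnostic export to a storage account or Event Hub wraps records in a `records` array, so a collector feeding this script would need to unwrap that first.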

PonugotiNarendraGLOBALV-1301 answered

What pre-built alerts are configured in Azure Security Center for Key Vault? Do you have any specific set of use cases for Azure Sentinel?


We don't have any web application firewall to monitor application logs. Any use cases specific to applications?


vipulsparsh-MSFT answered

@PonugotiNarendraGLOBALV-1301 Following are the inbuilt alerts configured for Key Vault under Azure Defender (part of Azure Security Center). This table shows the alert type along with the MITRE tactics status.


[Two screenshot attachments of the Azure Defender for Key Vault alert table, not reproduced here]


While Security Center makes you aware of that, Azure Sentinel can help you visualize the problem and understand the root cause and the different entities involved; it also helps you automate incident response should there be any need.

Azure Sentinel uses AI and Microsoft's threat intelligence stream to detect threats across your environment, correlate alerts into incidents, use deep investigation tools to find the scope and root cause, and access powerful hunting search and query tools.

It can build you a complete network map of the related entities involved and help in the investigation:
[Screenshot attachment of the Azure Sentinel investigation graph, not reproduced here]
