Following on from my previous blog post (http://blogs.recneps.net/post/Setting-up-Azure-Key-Vault-with-Audit-logging) which explains how to set up Azure key vault with logging enabled, this post explains how to access the details of these logs and also to create an alert so you can see if someone is accessing the key vault from an unknown ip address (for example)
Open the Azure portal and navigate to the Resource Groups section and pick the resource group that we configured last time which contains the key vault and log analytics resources
Click your log analytics item, to open Log Analytics.
You can then select Log Search
This screen allows you to create your own query or select from existing ones.
Selecting “All Collected Logs” will show you the logs for the last day. I’ve highlighted the areas where you can change the time period, see the query and also click on Advanced Analytics to give a richer environment for analysing your logs.
If you want to query just for the Key Vault Audit logs then you can use the following query:
search * | where Category=="AuditEvent"
This will default to a list view, but clicking the Table button will format the data in an easier to read table.
You can sort and filter on the column headers. This can also be achieved using the order by clause as follows:
search * |where Category=="AuditEvent" | order by TimeGenerated desc
A blog post discussing the query language can be found here
We are interested in all calls where someone has tried to access a Secret from the key vault. For that we are looking for an AuditEvent with an OperationName of SecretGet. If we also want to restrict the columns we retrieve then you can use “project” e.g.
search * | where Category=="AuditEvent" and OperationName == "SecretGet"
| order by TimeGenerated desc
| project TimeGenerated, OperationName, CallerIPAddress, ResultSignature, requestUri_s
Now we are familiar with writing queries we can look at alerting. I’d like to set up an alert when the key vault is access from an IP Address other than the one where my application is running. This can be done as follows:
search * | where Category=="AuditEvent" and CallerIPAddress != "220.127.116.11"
This ip address is actually the Azure Portal and is shown when you view the resource group that contains the key vault.I’m using this ip address so that I will actually get an alert (at the wrong time) when my application runs
Click New Alert Rule
The following screen should appear
The Alert Target should be the Log Analytics we’ve been using and the Target Criteria (when clicked) should show the query we’ve just written
We need to configure the rule for when this alert should be triggered. I’m interested when at least 1 attempt has been made in the last 5 minutes to access the Key Vault from an unknown location, so I set the threshold to be zero and click Done. We’ve now configured the logic to determine when the event is fired. Now we need to say what we want to happen when it fires.Firstly we need to give the alert a name and description
Now we need to configure how we are alerted. For this you need to create an action group. An action group allows you to define a collection of activities that will happen when the alert is fired. Click New Action Group
Action Types can be any of the following:
An action group can have multiple actions and you can select both email and SMS in a single action.Once you have created your Action Group you need to select in then click “Create alert rule”
Your alert is now set up and running. You can view/edit alerts by selecting Monitor in the Azure Portal
then click Alerts (preview), you will be able to see the alerts that have fired.
Click Manage Rules to edit the alert.
When the alert is fired I will get an email containing the details of the alert.
Log analytics is a powerful tool and whilst this series of posts has been related to auditing of Key Vault we can use log analytics for a wide variety of log sources such as Application Insights. We can also use the same mechanism for alerting to these other log sources,