Azure Key Vault Diagnostic Logs

m365-azure, Cloud Infrastructure, Cloud Admin Portal, SIEM / Log Aggregator

Location

Azure Portal > Key Vault > Diagnostic settings > AuditEvent logs in Log Analytics workspace

Description

Key Vault diagnostic logs capture every operation on secrets, keys, and certificates, including Get, Set, Delete, Backup, Restore, and access policy changes, along with the caller identity, IP address, and result status.

Forensic Value

Key Vault logs prove which secrets and keys were actually read during a breach, not just which were accessible by permissions. SecretGet operations with timestamps identify exactly when an attacker retrieved database connection strings, API keys, or certificates. Comparing actual access against RBAC permissions distinguishes between potential and confirmed data exposure. Access policy modifications reveal if the attacker granted themselves additional Key Vault permissions.
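The comparison described above, as an added Python example that is not part of the original page: it reads exported AuditEvent records and separates secrets confirmed read from secrets that were only accessible. The log records, the vault name, the appid values and the ACCESSIBLE set are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed AuditEvent records (not real log data), one JSON object per line.
# Field names follow the Key Vault resource log schema; all values are made up.
SAMPLE_LOG = """
{"time":"2024-01-10T02:14:07Z","operationName":"SecretList","resultSignature":"OK","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"app-A"}},"properties":{"requestUri":"https://kv-example.vault.azure.net/secrets?api-version=7.4"}}
{"time":"2024-01-10T02:14:31Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"app-A"}},"properties":{"requestUri":"https://kv-example.vault.azure.net/secrets/sql-conn/?api-version=7.4"}}
{"time":"2024-01-10T02:15:02Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"app-A"}},"properties":{"requestUri":"https://kv-example.vault.azure.net/secrets/api-key/?api-version=7.4"}}
{"time":"2024-01-10T02:15:40Z","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"app-A"}},"properties":{"requestUri":"https://kv-example.vault.azure.net/secrets/hsm-backup/?api-version=7.4"}}
{"time":"2024-01-10T02:16:12Z","operationName":"VaultPatch","resultSignature":"OK","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"app-A"}},"properties":{}}
{"time":"2024-01-10T02:17:03Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"app-A"}},"properties":{"requestUri":"https://kv-example.vault.azure.net/secrets/sql-conn/?api-version=7.4"}}
"""

# Assumption: secrets the compromised identity was permitted to read, taken
# from a separate review of its RBAC role assignments / access policies.
ACCESSIBLE = {"sql-conn", "api-key", "tls-cert", "storage-key"}

def secret_name(uri):
    """Return the secret name from a data-plane request URI, or None."""
    parts = urlparse(uri).path.strip("/").split("/")
    return parts[1] if len(parts) >= 2 and parts[0] == "secrets" else None

def triage(log_text, accessible):
    """Split Key Vault audit events into confirmed reads, denied reads,
    and vault updates (the operations that carry access policy changes)."""
    confirmed, denied, policy_changes = {}, [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ok = ev.get("resultSignature") == "OK"
        caller = ev.get("identity", {}).get("claim", {}).get("appid", "unknown")
        stamp = (ev["time"], caller, ev.get("callerIpAddress"))
        if ev["operationName"] == "SecretGet":
            name = secret_name(ev.get("properties", {}).get("requestUri", ""))
            if ok:
                confirmed.setdefault(name, []).append(stamp)
            else:
                denied.append((name,) + stamp)
        elif ev["operationName"] in ("VaultPut", "VaultPatch") and ok:
            policy_changes.append(stamp)
    potential_only = sorted(set(accessible) - set(confirmed))
    return {"confirmed": confirmed, "potential_only": potential_only,
            "denied": denied, "policy_changes": policy_changes}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG, ACCESSIBLE), indent=2))
```

Secrets under "confirmed" need rotation and downstream log review first; "potential_only" lists secrets the identity could have read but for which the log holds no successful SecretGet in the exported window.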

Tools Required

Azure Portal, Log Analytics (KQL), Azure CLI, PowerShell (Az.KeyVault)