Azure Key Vault Diagnostic Logs
Cloud & SaaS, Cloud Infrastructure, Cloud Control Plane, SIEM / Log Aggregator
Location
Azure Portal > Key Vault > Diagnostic settings > AuditEvent logs in Log Analytics workspace
Description
Key Vault diagnostic logs capturing every operation on secrets, keys, and certificates including Get, Set, Delete, Backup, Restore, and access policy changes with caller identity, IP address, and result status.
Forensic Value
Key Vault logs prove which secrets and keys were actually read during a breach, not just which were accessible by permissions. SecretGet operations with timestamps identify exactly when an attacker retrieved database connection strings, API keys, or certificates. Comparing actual access against RBAC permissions distinguishes between potential and confirmed data exposure. Access policy modifications reveal whether the attacker granted themselves additional Key Vault permissions.
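As an added illustration of the triage described above (example code written for this page, not code from the page itself or from Microsoft), the following Python script works through a handful of constructed AzureDiagnostics-shaped records: it lists the secrets each caller actually read (successful SecretGet only), compares that against a reviewer-supplied set of secrets each principal was permitted to read to separate confirmed from merely potential exposure, and flags secret reads that follow the same caller's own access policy change. The column names match the KQL projection on this page; the sample rows, the principals, and the assumption that access policy edits surface as VaultPatch or VaultPut operations are mine.

```python
"""Triage of Azure Key Vault AuditEvent records (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample rows in the shape of AzureDiagnostics records for
# ResourceProvider == "MICROSOFT.KEYVAULT". Column names follow the KQL
# projection on the page; every value is made up for illustration.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2024-05-01T09:12:03Z", "CallerIPAddress": "10.0.0.5",
     "identity_claim_upn_s": "app-deploy@contoso.example", "OperationName": "SecretGet",
     "id_s": "https://kv-prod.vault.azure.net/secrets/db-conn/1a2b", "ResultType": "Success"},
    {"TimeGenerated": "2024-05-01T22:41:17Z", "CallerIPAddress": "203.0.113.77",
     "identity_claim_upn_s": "j.doe@contoso.example", "OperationName": "VaultPatch",
     "id_s": "https://kv-prod.vault.azure.net/", "ResultType": "Success"},
    {"TimeGenerated": "2024-05-01T22:43:02Z", "CallerIPAddress": "203.0.113.77",
     "identity_claim_upn_s": "j.doe@contoso.example", "OperationName": "SecretGet",
     "id_s": "https://kv-prod.vault.azure.net/secrets/db-conn/1a2b", "ResultType": "Success"},
    {"TimeGenerated": "2024-05-01T22:43:05Z", "CallerIPAddress": "203.0.113.77",
     "identity_claim_upn_s": "j.doe@contoso.example", "OperationName": "SecretGet",
     "id_s": "https://kv-prod.vault.azure.net/secrets/api-key/9f8e", "ResultType": "Success"},
    {"TimeGenerated": "2024-05-01T22:43:09Z", "CallerIPAddress": "203.0.113.77",
     "identity_claim_upn_s": "j.doe@contoso.example", "OperationName": "SecretGet",
     "id_s": "https://kv-prod.vault.azure.net/secrets/tls-cert-pfx/7c6d", "ResultType": "Forbidden"},
    {"TimeGenerated": "2024-05-01T22:44:00Z", "CallerIPAddress": "203.0.113.77",
     "identity_claim_upn_s": "j.doe@contoso.example", "OperationName": "SecretList",
     "id_s": "https://kv-prod.vault.azure.net/secrets", "ResultType": "Success"},
]

SECRET_READ_OPS = {"SecretGet"}
# Assumption: access policy edits are recorded as vault-level write operations.
POLICY_CHANGE_OPS = {"VaultPatch", "VaultPut"}


def secret_name(id_s):
    """'https://v.vault.azure.net/secrets/db-conn/1a2b' -> 'db-conn'; None if not a secret URI."""
    parts = urlparse(id_s).path.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "secrets":
        return parts[1]
    return None


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamp used in the sample rows."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def confirmed_reads(records):
    """Map each caller UPN to a time-ordered list of (time, secret, caller IP) for successful SecretGet."""
    reads = defaultdict(list)
    for r in records:
        if r["OperationName"] in SECRET_READ_OPS and r["ResultType"] == "Success":
            name = secret_name(r["id_s"])
            if name:
                reads[r["identity_claim_upn_s"]].append(
                    (parse_time(r["TimeGenerated"]), name, r["CallerIPAddress"]))
    return {upn: sorted(v) for upn, v in reads.items()}


def exposure_report(records, permitted):
    """permitted: {upn: set of secrets the principal could read, from an RBAC/access-policy review}.
    Returns {upn: {"confirmed": secrets actually read, "potential_only": permitted but never read}}."""
    reads = confirmed_reads(records)
    report = {}
    for upn in set(permitted) | set(reads):
        confirmed = {name for _, name, _ in reads.get(upn, [])}
        report[upn] = {"confirmed": confirmed,
                       "potential_only": set(permitted.get(upn, set())) - confirmed}
    return report


def policy_changes(records):
    """Successful vault-level writes, as (time, caller UPN, caller IP), oldest first."""
    return sorted((parse_time(r["TimeGenerated"]), r["identity_claim_upn_s"], r["CallerIPAddress"])
                  for r in records
                  if r["OperationName"] in POLICY_CHANGE_OPS and r["ResultType"] == "Success")


def reads_after_policy_change(records):
    """Secret reads by a caller that follow that caller's own first policy change:
    the pattern of a principal widening its permissions and then using them."""
    first_change = {}
    for t, upn, _ in policy_changes(records):
        first_change.setdefault(upn, t)
    flagged = []
    for upn, reads in confirmed_reads(records).items():
        if upn in first_change:
            flagged.extend((t, upn, name) for t, name, _ in reads if t > first_change[upn])
    return sorted(flagged)


if __name__ == "__main__":
    for upn, reads in confirmed_reads(SAMPLE_RECORDS).items():
        print(upn, [(t.isoformat(), name, ip) for t, name, ip in reads])
    print("policy changes:", policy_changes(SAMPLE_RECORDS))
    print("reads after own policy change:", reads_after_policy_change(SAMPLE_RECORDS))
```

Run against a real export, replace SAMPLE_RECORDS with the rows returned by the KQL query on this page (saved as JSON from Log Analytics) and supply `permitted` from your own review of the vault's RBAC assignments or access policies; failed reads such as the constructed "Forbidden" row are deliberately left out of the confirmed set but are still worth reviewing on their own as attempted access.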
Tools Required
Azure Portal, Log Analytics (KQL), Azure CLI, PowerShell (Az.KeyVault)
Collection Commands
KQL
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where TimeGenerated > ago(30d)
| where OperationName == "SecretGet" or OperationName == "SecretSet"
| project TimeGenerated, CallerIPAddress, identity_claim_upn_s, OperationName, id_s, ResultType
az CLI
az monitor diagnostic-settings list --resource $(az keyvault show --name <vault-name> --query id -o tsv) --output json > kv_diagnostic_settings.json
PowerShell
Get-AzKeyVaultSecret -VaultName <vault-name> | ForEach-Object { Get-AzKeyVaultSecret -VaultName <vault-name> -Name $_.Name -IncludeVersions | Select-Object Name, Version, Created, Updated } | Export-Csv kv_secrets_inventory.csv -NoTypeInformation
MITRE ATT&CK Techniques
T1552.001, T1530, T1098, T1580, T1078.004