Excessive Secret or Key Retrieval from Azure Key Vault
Identifies excessive secret or key retrieval operations from Azure Key Vault. This rule detects when a user principal retrieves secrets or keys from Azure Key Vault multiple times within a short time frame, which may indicate potential abuse or unauthorized access attempts. The rule focuses on high-frequency retrieval operations that deviate from normal user behavior, suggesting possible credential harvesting or misuse of sensitive information.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2025/07/10"
3integration = ["azure"]
4maturity = "production"
5updated_date = "2025/07/24"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies excessive secret or key retrieval operations from Azure Key Vault. This rule detects when a user principal
11retrieves secrets or keys from Azure Key Vault multiple times within a short time frame, which may indicate potential
12abuse or unauthorized access attempts. The rule focuses on high-frequency retrieval operations that deviate from normal
13user behavior, suggesting possible credential harvesting or misuse of sensitive information.
14"""
15false_positives = [
16 """
17 Service accounts or applications that frequently access Azure Key Vault for configuration or operational purposes
18 may trigger this rule.
19 """,
20 """
21 Automated scripts or processes that retrieve secrets or keys for legitimate purposes, such as secret rotation or
22 application configuration, may also lead to false positives.
23 """,
24 """
25 Security teams performing routine audits or assessments that involve retrieving keys or secrets from Key Vaults may
26 trigger this rule if they perform multiple retrievals in a short time frame.
27 """,
28]
29from = "now-9m"
30interval = "8m"
31language = "esql"
32license = "Elastic License v2"
33name = "Excessive Secret or Key Retrieval from Azure Key Vault"
34note = """## Triage and analysis
35
36### Investigating Excessive Secret or Key Retrieval from Azure Key Vault
37
38Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. It is crucial for managing sensitive data in Azure environments. Unauthorized modifications to Key Vaults can lead to data breaches or service disruptions. This rule detects excessive secret or key retrieval operations from Azure Key Vault, which may indicate potential abuse or unauthorized access attempts.
39
40### Possible investigation steps
41- Review the `azure.platformlogs.identity.claim.upn` field to identify the user principal making the retrieval requests. This can help determine if the activity is legitimate or suspicious.
42- Check the `azure.platformlogs.identity.claim.appid` or `azure.platformlogs.identity.claim.appid_display_name` to identify the application or service making the requests. If the application is not recognized or authorized, it may indicate a potential security incident. It is plausible that the application is a FOCI compliant application, which are commonly abused by adversaries to evade security controls or conditional access policies.
43- Analyze the `azure.platformlogs.resource.name` field to determine which Key Vault is being accessed. This can help assess the impact of the retrieval operations and whether they target sensitive resources.
44- Review the `event.action` field to confirm the specific actions being performed, such as `KeyGet`, `SecretGet`, or `CertificateGet`. These actions indicate retrieval of keys, secrets, or certificates from the Key Vault.
45- Check the `source.ip` or `geo.*` fields to identify the source of the retrieval requests. Look for unusual or unexpected IP addresses, especially those associated with known malicious activity or geographic locations that do not align with the user's typical behavior.
46- Use the `time_window` field to analyze the frequency of retrieval operations. If multiple retrievals occur within a short time frame (e.g., within a few minutes), it may indicate excessive or suspicious activity.
47- Correlate the retrieval operations with other security events or alerts in the environment to identify any patterns or related incidents.
48- Triage the user with Entra ID sign-in logs to gather more context about their authentication behavior and any potential anomalies.
49
50### False positive analysis
51- Routine administrative tasks or automated scripts may trigger excessive retrievals, especially in environments where Key Vaults are heavily utilized for application configurations or secrets management. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
52- Legitimate applications or services may perform frequent retrievals of keys or secrets for operational purposes, such as configuration updates or secret rotation. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
53- Security teams may perform periodic audits or assessments that involve retrieving keys or secrets from Key Vaults. If this is expected behavior, consider adjusting the rule or adding exceptions for specific user principals or applications.
54- Some applications may require frequent access to keys or secrets for normal operation, leading to high retrieval counts. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
55
56### Response and remediation
57- Investigate the user principal making the excessive retrieval requests to determine if they are authorized to access the Key Vault and its contents. If the user is not authorized, take appropriate actions to block their access and prevent further unauthorized retrievals.
58- Review the application or service making the requests to ensure it is legitimate and authorized to access the Key Vault. If the application is unauthorized or suspicious, consider blocking it and revoking its permissions to access the Key Vault.
59- Assess the impact of the excessive retrieval operations on the Key Vault and its contents. Determine if any sensitive data was accessed or compromised during the retrievals.
60- Implement additional monitoring and alerting for the Key Vault to detect any further suspicious activity or unauthorized access attempts.
61- Consider implementing stricter access controls or policies for Key Vaults to limit excessive retrievals and ensure that only authorized users and applications can access sensitive keys and secrets.
62- Educate users and administrators about the risks associated with excessive retrievals from Key Vaults and encourage them to follow best practices for managing keys and secrets in Azure environments.
63"""
64references = ["https://www.inversecos.com/2022/05/detection-and-compromise-azure-key.html"]
65risk_score = 43
66rule_id = "c07f7898-5dc3-11f0-9f27-f661ea17fbcd"
67setup = """#### Required Azure Key Vault Diagnostic Logs
68
69To ensure this rule functions correctly, the following diagnostic logs must be enabled for Azure Key Vault:
70- AuditEvent: This log captures all read and write operations performed on the Key Vault, including secret, key, and certificate retrievals. These logs should be streamed to the Event Hub used for the Azure integration configuration.
71"""
72severity = "medium"
73tags = [
74 "Domain: Cloud",
75 "Domain: Storage",
76 "Domain: Identity",
77 "Data Source: Azure",
78 "Data Source: Azure Platform Logs",
79 "Data Source: Azure Key Vault",
80 "Use Case: Threat Detection",
81 "Use Case: Identity and Access Audit",
82 "Tactic: Credential Access",
83 "Resources: Investigation Guide",
84]
85timestamp_override = "event.ingested"
86type = "esql"
87
88query = '''
89from logs-azure.platformlogs-* metadata _id, _index
90
91// Filter for Azure Key Vault read operations
92| where event.dataset == "azure.platformlogs"
93 and event.action in (
94 "VaultGet",
95 "KeyGet",
96 "KeyList",
97 "KeyListVersions",
98 "KeyGetDeleted",
99 "KeyListDeleted",
100 "SecretGet",
101 "SecretList",
102 "SecretListVersions",
103 "SecretGetDeleted",
104 "SecretListDeleted",
105 "CertificateGet",
106 "CertificateList",
107 "CertificateListVersions",
108 "CertificateGetDeleted",
109 "CertificateListDeleted",
110 "CertificatePolicyGet",
111 "CertificateContactsGet",
112 "CertificateIssuerGet",
113 "CertificateIssuersList"
114 )
115
116// Truncate timestamps into 1-minute windows
117| eval Esql.time_window_date_trunc = date_trunc(1 minute, @timestamp)
118
119// Aggregate identity, geo, resource, and activity info
120| stats
121 Esql_priv.azure_platformlogs_identity_claim_upn_values = values(azure.platformlogs.identity.claim.upn),
122 Esql.azure_platformlogs_identity_claim_upn_count_distinct = count_distinct(azure.platformlogs.identity.claim.upn),
123 Esql.azure_platformlogs_identity_claim_appid_values = values(azure.platformlogs.identity.claim.appid),
124 Esql.azure_platformlogs_identity_claim_objectid_values = values(azure.platformlogs.identity.claim.objectid),
125
126 Esql.source_ip_values = values(source.ip),
127 Esql.geo_city_values = values(geo.city_name),
128 Esql.geo_region_values = values(geo.region_name),
129 Esql.geo_country_values = values(geo.country_name),
130 Esql.source_as_organization_name_values = values(source.as.organization.name),
131
132 Esql.event_action_values = values(event.action),
133 Esql.event_count = count(*),
134 Esql.event_action_count_distinct = count_distinct(event.action),
135 Esql.azure_resource_name_count_distinct = count_distinct(azure.resource.name),
136 Esql.azure_resource_name_values = values(azure.resource.name),
137 Esql.azure_platformlogs_result_type_values = values(azure.platformlogs.result_type),
138 Esql.cloud_region_values = values(cloud.region),
139
140 Esql.agent_name_values = values(agent.name),
141 Esql.azure_subscription_id_values = values(azure.subscription_id),
142 Esql.azure_resource_group_values = values(azure.resource.group),
143 Esql.azure_resource_id_values = values(azure.resource.id)
144
145by Esql.time_window_date_trunc, azure.platformlogs.identity.claim.upn
146
147// keep relevant fields
148| keep
149 Esql.time_window_date_trunc,
150 Esql_priv.azure_platformlogs_identity_claim_upn_values,
151 Esql.azure_platformlogs_identity_claim_upn_count_distinct,
152 Esql.azure_platformlogs_identity_claim_appid_values,
153 Esql.azure_platformlogs_identity_claim_objectid_values,
154 Esql.source_ip_values,
155 Esql.geo_city_values,
156 Esql.geo_region_values,
157 Esql.geo_country_values,
158 Esql.source_as_organization_name_values,
159 Esql.event_action_values,
160 Esql.event_count,
161 Esql.event_action_count_distinct,
162 Esql.azure_resource_name_count_distinct,
163 Esql.azure_resource_name_values,
164 Esql.azure_platformlogs_result_type_values,
165 Esql.cloud_region_values,
166 Esql.agent_name_values,
167 Esql.azure_subscription_id_values,
168 Esql.azure_resource_group_values,
169 Esql.azure_resource_id_values
170
171// Filter for suspiciously high volume of distinct Key Vault reads by a single actor
172| where Esql.azure_platformlogs_identity_claim_upn_count_distinct == 1 and Esql.event_count >= 10 and Esql.event_action_count_distinct >= 2
173
174| sort Esql.time_window_date_trunc desc
175'''
176
177
178[[rule.threat]]
179framework = "MITRE ATT&CK"
180[[rule.threat.technique]]
181id = "T1555"
182name = "Credentials from Password Stores"
183reference = "https://attack.mitre.org/techniques/T1555/"
184[[rule.threat.technique.subtechnique]]
185id = "T1555.006"
186name = "Cloud Secrets Management Stores"
187reference = "https://attack.mitre.org/techniques/T1555/006/"
188
189
190
191[rule.threat.tactic]
192id = "TA0006"
193name = "Credential Access"
194reference = "https://attack.mitre.org/tactics/TA0006/"
Triage and analysis
Investigating Excessive Secret or Key Retrieval from Azure Key Vault
Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. It is crucial for managing sensitive data in Azure environments. Unauthorized modifications to Key Vaults can lead to data breaches or service disruptions. This rule detects excessive secret or key retrieval operations from Azure Key Vault, which may indicate potential abuse or unauthorized access attempts.
Possible investigation steps
- Review the
azure.platformlogs.identity.claim.upn
field to identify the user principal making the retrieval requests. This can help determine if the activity is legitimate or suspicious. - Check the
azure.platformlogs.identity.claim.appid
orazure.platformlogs.identity.claim.appid_display_name
to identify the application or service making the requests. If the application is not recognized or authorized, it may indicate a potential security incident. It is plausible that the application is a FOCI compliant application, which are commonly abused by adversaries to evade security controls or conditional access policies. - Analyze the
azure.platformlogs.resource.name
field to determine which Key Vault is being accessed. This can help assess the impact of the retrieval operations and whether they target sensitive resources. - Review the
event.action
field to confirm the specific actions being performed, such asKeyGet
,SecretGet
, orCertificateGet
. These actions indicate retrieval of keys, secrets, or certificates from the Key Vault. - Check the
source.ip
orgeo.*
fields to identify the source of the retrieval requests. Look for unusual or unexpected IP addresses, especially those associated with known malicious activity or geographic locations that do not align with the user's typical behavior. - Use the
time_window
field to analyze the frequency of retrieval operations. If multiple retrievals occur within a short time frame (e.g., within a few minutes), it may indicate excessive or suspicious activity. - Correlate the retrieval operations with other security events or alerts in the environment to identify any patterns or related incidents.
- Triage the user with Entra ID sign-in logs to gather more context about their authentication behavior and any potential anomalies.
False positive analysis
- Routine administrative tasks or automated scripts may trigger excessive retrievals, especially in environments where Key Vaults are heavily utilized for application configurations or secrets management. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
- Legitimate applications or services may perform frequent retrievals of keys or secrets for operational purposes, such as configuration updates or secret rotation. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
- Security teams may perform periodic audits or assessments that involve retrieving keys or secrets from Key Vaults. If this is expected behavior, consider adjusting the rule or adding exceptions for specific user principals or applications.
- Some applications may require frequent access to keys or secrets for normal operation, leading to high retrieval counts. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
Response and remediation
- Investigate the user principal making the excessive retrieval requests to determine if they are authorized to access the Key Vault and its contents. If the user is not authorized, take appropriate actions to block their access and prevent further unauthorized retrievals.
- Review the application or service making the requests to ensure it is legitimate and authorized to access the Key Vault. If the application is unauthorized or suspicious, consider blocking it and revoking its permissions to access the Key Vault.
- Assess the impact of the excessive retrieval operations on the Key Vault and its contents. Determine if any sensitive data was accessed or compromised during the retrievals.
- Implement additional monitoring and alerting for the Key Vault to detect any further suspicious activity or unauthorized access attempts.
- Consider implementing stricter access controls or policies for Key Vaults to limit excessive retrievals and ensure that only authorized users and applications can access sensitive keys and secrets.
- Educate users and administrators about the risks associated with excessive retrievals from Key Vaults and encourage them to follow best practices for managing keys and secrets in Azure environments.
References
Related rules
- Azure Key Vault Secret Key Usage by Unusual Identity
- Microsoft 365 Brute Force via Entra ID Sign-Ins
- Microsoft Entra ID Exccessive Account Lockouts Detected
- Microsoft Entra ID MFA TOTP Brute Force Attempts
- Microsoft Entra ID Sign-In Brute Force Activity