Updated – 05/07/2021 – To expand the threat protections provided by Azure Defender for Key Vault, Microsoft has added a new alert (more details in this section).
Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords.
This article will share with you how to use Azure Defender for Key Vault for Azure-native, advanced threat protection for Azure Key Vault, providing an extra layer of security intelligence.
Azure Security Center gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two main value propositions:
- Cloud Security Posture Management (CSPM) – Helps you prevent misconfigurations to strengthen your security posture for all types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS). CSPM in Security Center is available for free to all Azure users.
- Cloud Workload Protection Platform (CWPP) – Protects servers against threats whether they are running in Azure, on-premises, or in other clouds such as Amazon AWS or Google GCP, as well as cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, SQL databases (PaaS/VM), and storage accounts. CWPP is part of Azure Defender (formerly known as the Standard Tier plan in Azure Security Center).
Azure Defender is an evolution of the threat-protection technologies in Security Center, protecting Azure and hybrid environments. When you enable Azure Defender from the Pricing and settings area of Azure Security Center, the following Defender plans are all enabled simultaneously and provide comprehensive defenses for the compute, data, and service layers of your environment:
- Azure Defender for servers
- Azure Defender for App Service
- Azure Defender for Storage
- Azure Defender for SQL
- Azure Defender for Kubernetes
- Azure Defender for container registries
- Azure Defender for Key Vault
- Azure Defender for Azure DNS
- Azure Defender for Resource Manager
Azure Defender detects unusual and potentially harmful attempts to access or exploit your Key Vault accounts. This layer of protection allows you to address threats without being a security expert and without the need to manage third-party security monitoring systems.
Azure Defender shows alerts and optionally sends them via email to relevant members of your security operations team when anomalous activities occur. These alerts include the details of the suspicious activity and recommendations on how to investigate and remediate threats (more on this in the Respond to Azure Defender for Key Vault alerts section).
To follow this article, you need to have the following:
- Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
- Azure Security Center with Azure Defender enabled. Azure Defender for Key Vault is enabled per subscription under the Pricing & Settings page as shown in the figure below. At the time of this writing, the only option to enable Azure Defender for Key Vault is to enable it on the entire subscription. I hope that Microsoft will provide in the future a way to enable Azure Defender at the Key Vault level instead of the entire subscription, similar to Azure Defender for Storage accounts and SQL. Please note there is no additional cost during the 30-day trial period. After that, the price is $0.02/10K Transactions.
- You need at least one Key Vault – To create an Azure Key Vault, you can follow the instructions described here.
Simulate an alert
To trigger an alert, you need to log into the Azure Portal to simulate suspicious access to a key vault.
I have logged into another virtual machine and installed the TOR browser, which I will use to log in to the Azure Portal to simulate access from a TOR IP to the Key Vault. A TOR IP is an anonymous IP; you wouldn’t want anybody who’s trying to hide themselves looking into your secrets, so that’s something Microsoft will definitely alert you on.
Launch the TOR browser, navigate to portal.azure.com and use your account to log in. Type the account email and click Next. Then enter the password and click Sign in. If this is the first time you are accessing this account, you will be asked to update your password, and on the next screen, click Yes if you would like to stay signed in for a while.
So now, you have successfully logged into the Azure portal using your account via the TOR browser. Next, you only need to navigate to your Azure Key Vault; it’s not necessary to access Secrets, Keys, or Certificates to receive an alert.
At this point, you just need to wait for the advanced threat detection engine to kick in (which can take a little while; in my example, it took around 40 minutes, and I hope that Microsoft will improve the detection time even more).
Azure Defender for Key Vault alerts
Once the detection takes place, a new alert with ‘Medium Severity’ classified as ‘Credential Access’ based on MITRE ATT&CK® tactics will be generated in the Security Center | Security alerts dashboard, similar to the one below:
The alerts will also appear on Key Vault’s Security page, the Azure Defender dashboard, and Security Center’s alerts page.
If you’ve already integrated Azure Security Center with Azure Monitor, you will also receive a notification based on the specified action group. In my example, I am using email notifications. You can find more details on how to integrate Azure Security Center with Azure Monitor here.
If you’ve connected Azure Security Center to Azure Sentinel which I highly recommend as described in this article, then you can see the same alerts with all relevant data needed for investigation and response as shown in the figure below:
And if you are leveraging the Workflow automation feature in Azure Security Center with Logic Apps to post a message on Microsoft Teams, for example, then you will receive an alert in your Teams channel, similar to the one below:
Respond to Azure Defender for Key Vault alerts
This section describes how to respond to Azure Defender for Key Vault alerts.
When you receive an alert from Azure Defender for Key Vault, it’s highly recommended to investigate and respond to the alert as described below. Azure Defender for Key Vault protects applications and credentials, so even if you’re familiar with the application or user that triggered the alert, it’s important to verify the situation surrounding every alert.
Please note that every alert from Azure Defender for Key Vault includes the following elements:
- Client Object ID.
- User Principal Name or IP Address of the suspicious resource.
Next, you need to verify whether the traffic originated from within your Azure tenant to contact the right owner by following these steps:
- If the key vault firewall is enabled, you’ve likely provided access to the user or application that triggered this alert.
- If you can’t verify the source of the traffic, continue to Immediate mitigation (see next section).
- If you can identify the source of the traffic in your tenant, contact the user or owner of the application.
Take immediate mitigation
If you don’t recognize the user or application as noted in the previous step, or if you think the access shouldn’t have been authorized, you can take the following mitigation steps:
- If the traffic came from an unrecognized IP address:
  - Enable the Azure Key Vault firewall as described in Configure Azure Key Vault firewalls and virtual networks here.
  - Configure the firewall with trusted resources and virtual networks.
- If the source of the alert was an unauthorized application or suspicious user:
  - Open the key vault’s access policy settings.
  - Remove the corresponding security principal, or restrict the operations the security principal can perform.
- If the source of the alert has an Azure Active Directory role in your tenant:
  - Contact your Azure administrator.
  - Determine whether there’s a need to reduce or revoke Azure Active Directory permissions.
Identify the impact on your key vault
When the impact has been mitigated, investigate the secrets in your key vault that were affected by following these steps:
- Open the “Security” page on your Azure Key Vault and view the triggered alert as shown in the figure below.
- Select the specific alert that was triggered. Review the list of the secrets that were accessed and the timestamp.
- Optionally, if you have key vault diagnostic logs enabled, review the previous operations for the corresponding caller IP, user principal, or object ID.
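As an added example (not part of the original article or of Microsoft's tooling), the following Python script performs the log review from the last step offline: it takes the caller IP address or client object ID reported in the alert and lists which secrets, keys and certificates that caller successfully read according to Key Vault diagnostic log entries, which is exactly the list you rotate in the next section. The log lines are constructed samples shaped like Key Vault AuditEvent records; the vault name, IP addresses and object IDs are invented.

```python
"""Added triage helper (not Microsoft's code): given the caller IP or object ID
from an Azure Defender for Key Vault alert, list which secrets/keys/certificates
that caller successfully read, based on Key Vault diagnostic (AuditEvent) logs."""
import json
from collections import defaultdict
from urllib.parse import urlparse

# Claim URI under identity.claim that carries the caller's AAD object ID.
OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"
# Operations that return or enumerate vault objects. VaultGet (what the portal does
# when you merely open the vault, as in the simulated alert) discloses nothing.
DATA_OPERATIONS = {"SecretGet", "SecretList", "KeyGet", "CertificateGet"}

# Constructed sample log lines (one JSON object per line); IPs are documentation ranges.
SAMPLE_LOG = """
{"time":"2021-05-07T09:58:00Z","operationName":"SecretGet","resultType":"Success","callerIpAddress":"203.0.113.5","identity":{"claim":{"http://schemas.microsoft.com/identity/claims/objectidentifier":"99999999-8888-7777-6666-555555555555"}},"properties":{"requestUri":"https://kv-demo.vault.azure.net/secrets/storage-account-key/7a7a7a7a?api-version=7.1"}}
{"time":"2021-05-07T10:01:12Z","operationName":"VaultGet","resultType":"Success","callerIpAddress":"198.51.100.23","identity":{"claim":{"http://schemas.microsoft.com/identity/claims/objectidentifier":"11111111-2222-3333-4444-555555555555"}},"properties":{"requestUri":"https://kv-demo.vault.azure.net/?api-version=7.1"}}
{"time":"2021-05-07T10:03:40Z","operationName":"SecretGet","resultType":"Success","callerIpAddress":"198.51.100.23","identity":{"claim":{"http://schemas.microsoft.com/identity/claims/objectidentifier":"11111111-2222-3333-4444-555555555555"}},"properties":{"requestUri":"https://kv-demo.vault.azure.net/secrets/sql-conn-string/0f1e2d3c?api-version=7.1"}}
{"time":"2021-05-07T10:05:02Z","operationName":"SecretGet","resultType":"Success","callerIpAddress":"198.51.100.23","identity":{"claim":{"http://schemas.microsoft.com/identity/claims/objectidentifier":"11111111-2222-3333-4444-555555555555"}},"properties":{"requestUri":"https://kv-demo.vault.azure.net/secrets/sql-conn-string?api-version=7.1"}}
{"time":"2021-05-07T10:06:15Z","operationName":"KeyGet","resultType":"Success","callerIpAddress":"198.51.100.23","identity":{"claim":{"http://schemas.microsoft.com/identity/claims/objectidentifier":"11111111-2222-3333-4444-555555555555"}},"properties":{"requestUri":"https://kv-demo.vault.azure.net/keys/data-encryption-key/a1b2c3d4?api-version=7.1"}}
{"time":"2021-05-07T10:07:30Z","operationName":"SecretGet","resultType":"Forbidden","callerIpAddress":"198.51.100.23","identity":{"claim":{"http://schemas.microsoft.com/identity/claims/objectidentifier":"11111111-2222-3333-4444-555555555555"}},"properties":{"requestUri":"https://kv-demo.vault.azure.net/secrets/backup-sas-token?api-version=7.1"}}
"""

def object_path(uri):
    """'secrets/sql-conn-string' from an object URI, dropping the version segment."""
    parts = [p for p in urlparse(uri).path.split("/") if p]
    return "/".join(parts[:2])

def accessed_objects(log_text, caller_ip=None, object_id=None):
    """Return {object_path: [timestamps]} for successful reads by the suspicious caller."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        claims = entry.get("identity", {}).get("claim", {})
        matches = (caller_ip is not None and entry.get("callerIpAddress") == caller_ip) or \
                  (object_id is not None and claims.get(OID_CLAIM) == object_id)
        if not matches or entry.get("operationName") not in DATA_OPERATIONS:
            continue
        if entry.get("resultType") != "Success":
            continue  # a denied call (e.g. Forbidden) did not disclose the object
        hits[object_path(entry["properties"]["requestUri"])].append(entry["time"])
    return dict(hits)

if __name__ == "__main__":
    # Values you would copy from the alert: the caller IP address or client object ID.
    for obj, times in accessed_objects(SAMPLE_LOG, caller_ip="198.51.100.23").items():
        print(f"rotate {obj}: read {len(times)}x, first at {min(times)}")
```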
Take action to mitigate the threat
When you’ve compiled your list of the secrets, keys, and certificates that the suspicious user or application accessed, you should immediately rotate those objects as described below:
- Affected secrets should be disabled or deleted from your key vault.
- If the credentials were used for a specific application:
  - Contact the administrator of the application and ask them to audit their environment for any uses of the compromised credentials since they were compromised.
  - If the compromised credentials were used, the application owner should identify the information that was accessed and mitigate the impact.
That’s it, there you have it!
This article showed you how to use Azure Defender (advanced threat protection) for Azure Key Vault in Azure Security Center.
With Azure Defender for Key Vault, you have the right visibility and threat detection level for different scenarios. Azure Defender for Key Vault uses machine learning to detect unusual and potentially harmful attempts to access or exploit Key Vault accounts. At the time of this writing, Azure Defender for Azure Key Vault provides ten detection capabilities, all of them machine learning-based:
- Access from a TOR exit node to a key vault (similar to what I have demonstrated in this article).
- A high volume of operations in a key vault.
  - To determine what counts as a high volume of operations, Microsoft trains the machine learning model on the last 60 days of activity to learn what normal activity looks like in your environment, and then flags anomalies against that baseline (i.e., too much volume given how the key vault has been used in the past). The good thing is that you don’t need exactly 60 days of data for Azure Defender for Key Vault to start learning. You are unlikely to receive high-volume alerts at the beginning, since the model is not yet well trained to determine what high volume is, but as the model is trained on more data, its confidence increases. This of course differs from one customer to another, since the model is tailored to each tenant.
- Suspicious policy change and secret query in a key vault.
- Suspicious secret listing and query in a key vault.
- An unusual application accessed a key vault.
- An unusual operation pattern in a key vault.
- An unusual user accessed a key vault.
- An unusual user application pair accessed a key vault.
- User accessed a high volume of key vaults.
- Access from a suspicious IP address to a key vault.
Additional resources I highly encourage you to check:
- Check the details of all alerts that can be generated by Azure Defender for Key Vault on the official security alerts guide.
- Workflow automation in Azure Security Center to automate your security operations.
- Learn more about how to integrate Azure Security Center with Azure Monitor Alerts.
- Learn more about how to integrate Azure Security Center with Azure Sentinel, a cloud-native SIEM.
- Learn more about Azure Security Center, check the official documentation from Microsoft.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.