More Info:

Ensure that a Microsoft Azure activity log alert is fired whenever Update Key Vault event is triggered inside your Microsoft Azure cloud account.

Risk Level

High

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

To remediate the misconfiguration “Setup Alerts for Update Key Vault Events” in Azure using the Azure console, follow these steps:

  1. Log in to the Azure portal (https://portal.azure.com/).

  2. Navigate to the Key Vault service by selecting “All services” from the left-hand menu, searching for “Key Vault”, and selecting it.

  3. Select the Key Vault that you want to set up alerts for.

  4. Click on “Diagnostic settings” from the left-hand menu.

  5. Click on “Add diagnostic setting”.

  6. Provide a name for your diagnostic setting.

  7. In the “Event Hub” section, select “Send to Log Analytics” and choose the Log Analytics workspace where you want to send the logs.

  8. In the “Logs” section, select “Key Vault”, and then select the “Update” operation.

  9. In the “Metrics” section, select “Key Vault”, and then select the “Total Requests” metric.

  10. Click on “Save” to save the diagnostic setting.

  11. Next, navigate to the Log Analytics workspace where you are sending the logs.

  12. Click on “Alerts” from the left-hand menu.

  13. Click on “New alert rule”.

  14. Provide a name and description for your alert rule.

  15. In the “Condition” section, select “Custom log search”.

  16. In the “Search query” box, enter the following query:

      AzureDiagnostics
      | where Category == "KeyVault"
      | where OperationName == "Microsoft.KeyVault/vaults/write"

  17. In the “Alert logic” section, set the threshold for the number of events that trigger the alert.

  18. In the “Action groups” section, select the action group that you want to use to notify you of the alert.

  19. Click on “Create alert rule” to create the alert.

That’s it! You have now set up alerts for update Key Vault events in Azure. If any updates are made to the Key Vault, you will receive a notification via your selected action group.
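To confirm the control stated at the top of this page is actually in place, the following added example (not part of the original page or of any vendor tool) audits a list of activity log alert rules for one that is enabled, matches the `Microsoft.KeyVault/vaults/write` operation, and notifies an action group. It assumes the rules have the JSON shape returned by `az monitor activity-log alert list -o json`; the helper names and the sample rules are constructed for illustration.

```python
# Added example: audit activity log alert rules for Key Vault update coverage.
# Assumption: rules have the shape of `az monitor activity-log alert list -o json`
# (top-level "enabled", "condition.allOf", "actions.actionGroups").

# Operation name used in the page's query, compared case-insensitively.
TARGET_OP = "microsoft.keyvault/vaults/write"

def condition_pairs(rule):
    """Return the rule's allOf leaves as a set of lowercased (field, equals) pairs."""
    leaves = (rule.get("condition") or {}).get("allOf") or []
    return {((l.get("field") or "").lower(), (l.get("equals") or "").lower())
            for l in leaves}

def covers_vault_update(rule):
    """True if the rule is enabled, matches the vault write op, and notifies someone."""
    pairs = condition_pairs(rule)
    categories = {v for f, v in pairs if f == "category"}
    return (rule.get("enabled") is True
            and ("operationname", TARGET_OP) in pairs
            and categories <= {"administrative"}
            and bool((rule.get("actions") or {}).get("actionGroups")))

def audit(rules):
    """Names of rules that satisfy the check; an empty list means non-compliant."""
    return [r.get("name") for r in rules if covers_vault_update(r)]

# Constructed sample rules (names and IDs are placeholders, not real resources).
AG = [{"actionGroupId": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
                        "microsoft.insights/actionGroups/<name>"}]

def _rule(name, op, enabled=True, groups=AG):
    return {"name": name, "enabled": enabled, "actions": {"actionGroups": groups},
            "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                                    {"field": "operationName", "equals": op}]}}

SAMPLE = [
    _rule("kv-update-disabled", "Microsoft.KeyVault/vaults/write", enabled=False),
    _rule("kv-delete-only", "Microsoft.KeyVault/vaults/delete"),
    _rule("kv-update-no-action", "Microsoft.KeyVault/vaults/write", groups=[]),
    _rule("kv-update-alert", "Microsoft.KeyVault/vaults/write"),
]

if __name__ == "__main__":
    hits = audit(SAMPLE)
    print("compliant:" if hits else "NON-COMPLIANT", hits)
```

A rule that exists but is disabled, or that has no action group attached, is reported as non-compliant because nobody would be notified when a vault is updated.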

Additional Reading: