I am trying to analyse the network traffic to an Azure Key Vault, and would like to obtain a list of VNets/Subnets that have accessed this Key Vault.
Is there a way to do this?
If not, is there a way to grab the IPs that have accessed this resource? Then I can work backwards from there.
The following doesn't like "CallerIpAddress"
```kusto
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName == "GetSecret" or OperationName == "SetSecret" or OperationName == "DeleteSecret"
| summarize by CallerIpAddress
```
'summarize' operator: Failed to resolve scalar expression named 'CallerIpAddress'
Also, this doesn't have to be done in KQL; if there is a way to do it through the CLI, either PowerShell or Az, I'm more than happy to do that too.
Thanks
'summarize' operator: Failed to resolve scalar expression named 'CallerIpAddress'
OperationName == "GetSecret" or OperationName == "SetSecret" or OperationName == "DeleteSecret"
As you're passing invalid OperationNames to check the operations in the KQL query, to fetch the caller IP details, the correct operation names are: SecretGet, SecretSet and SecretDelete. Refer to the MS DOC for details.
Note: You cannot fetch the list of VNet/Subnet names that accessed a Key Vault; you can only fetch the IP addresses and endpoints.
```kusto
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName == "VaultGet" or OperationName == "SecretGet" or OperationName == "SecretSet" or OperationName == "SecretDelete"
| project TimeGenerated, Resource, ResourceProvider, OperationName, requestUri_s, CallerIPAddress
```
Reference: Azure Key Vault logging & Monitoring Azure Key Vault
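An added example, not part of the original question or answer: one way to "work backwards" from caller IPs to subnets is to join the logged `CallerIPAddress` values (spelled as in the answer's query) against a subnet inventory you supply yourself. The `subnets` table, its VNet/subnet names and its prefixes are constructed placeholders, and the approach assumes callers appear in the logs with addresses inside those prefixes.

```kusto
// Constructed sample inventory: replace with your own VNet/subnet prefixes
// (names and ranges below are placeholders, not values from the post).
let subnets = datatable(VNet: string, Subnet: string, Prefix: string)
[
    "vnet-example-1", "snet-app",  "10.10.1.0/24",
    "vnet-example-1", "snet-jobs", "10.10.2.0/24",
    "vnet-example-2", "snet-ci",   "10.20.0.0/26"
];
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName in ("SecretGet", "SecretSet", "SecretDelete")
| where isnotempty(CallerIPAddress)
// One row per vault and caller IP, with volume and time range for triage.
| summarize Requests = count(),
            Operations = make_set(OperationName),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by Resource, CallerIPAddress
// Flag RFC 1918 addresses so public callers stand out.
| extend IsPrivate = ipv4_is_private(CallerIPAddress)
// Attach VNet/Subnet where the IP falls inside a listed prefix;
// return_unmatched keeps callers outside the inventory, with empty VNet/Subnet.
| evaluate ipv4_lookup(subnets, CallerIPAddress, Prefix, return_unmatched = true)
| project Resource, CallerIPAddress, IsPrivate, VNet, Subnet,
          Requests, Operations, FirstSeen, LastSeen
| order by Requests desc
```

Rows with an empty `VNet` are callers that match none of the listed prefixes, which makes them the first ones to review against the vault's firewall and network rules.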