Find list of Vnets/Subnets that access a key vault in azure
I am trying to analyse the network traffic to an azure key vault, and would like to obtain a list of Vnets/Subnets that have accessed this key vault.
Is there a way to do this?
If not, is there a way to grab the IPs that have accessed this resource? Then I can work backwards from there.
The following doesn't like "CallerIpAddress"
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName == "GetSecret" or OperationName == "SetSecret" or OperationName == "DeleteSecret"
| summarize by CallerIpAddress
'summarize' operator: Failed to resolve scalar expression named 'CallerIpAddress'
Also, this doesn't have to be done KQL, if there is a way to do it through the CLI, either PowerShell or Az, I'm more than happy to do that too.
Thanks
'summarize' operator: Failed to resolve scalar expression named 'CallerIpAddress'
OperationName == "GetSecret" or OperationName == "SetSecret" or OperationName == "DeleteSecret"
As your passing invalid OperationNames to check the operations in KQL query , to fetch the callerIP details, the correct operation names are : SecretGet,SecretSet and SecretDelete, refer the MS DOC for details.
Note: You cannot fetch the list of VNet/Subnet names that accessed a KeyVault, but you can only fetch the IP addresses and endpoints.
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT"
| where OperationName == "VaultGet" or OperationName == "SecretGet" or OperationName == "SecretSet" or OperationName == "SecretDelete"
| project TimeGenerated,Resource, ResourceProvider,OperationName, requestUri_s, CallerIPAddress
Output:
Reference: Azure Key Vault logging & Monitoring Azure Key Vault
- ADF Out of memory exception
- Azure DevOps pipeline is throwing a "##[error]Project file(s) matching the specified pattern were not found". when publishing my app?
- Microsoft Entra ID: Receiving Old Token Version Despite Setting accessTokenAcceptedVersion to 2
- Rule Syntax for Azure user.memberof
- (unknown) Precondition failed when trying to create MS Graph Subscription
- Azure Function App Service Bus Trigger: Process 1 message at a time
- Azure HTTP Trigger - How to extract query parameter value from input binding- cosmosDB
- Python app deployment to Azure web app from pipeline not including requirement packages
- Force Azure Function using Service Bus Queues to only process one mesage at a time
- Azure Web Role with Transient Fault Handling Block exception: The path is too long after being fully qualified
- Azure Bicep - How to create diagnostic settings for NetworkInterface of private endpoint
- Is there a way to get static ip address for Azure Data Factory
- azure key vault - lag on secret changes
- How to create connection to create - queue item - HTTP Trigger - local - Azurite - Azure Queue Storage
- Getting error "404 The specified blob does not exist" when downlading blob using Uri
- How scopes are added to token in Azure Entra ID?
- Why does my Azure Cosmos DB SQL API Container Refuse Multiple Items With Same Partition Key Value?
- Postgres on Azure kubernetes volume permission error
- Azure: Subscribing to an external MQTT Broker
- azure.storage.blob._shared.authentication.AzureSigningError: Incorrect padding - Argo workflow
- Bash variable in JMESPath query expression
- Azure Devops pipeline failing due to AZ.Accounts Module update by MSFT
- Is it possible to use email name other than "DoNotReply" in Azure Email Communication Services?
- AADSTS65001: The user or administrator has not consented to use the application with ID '<application ID>
- Access Package Endpoint doesn't seem to be working
- install docker bash script doesn't work when used as Custom Data for Azure VM
- Docker image is not updating on Azure container registry via gitlab
- Terraform - How to find Azure Kubernetes AKS vnet ID for network peering
- Using Azure DataLakeServiceClient to download a file got forbidden response after few minutes success
- Verify that Bicep can return values from Azure Key vault