Tags: azure, azure-keyvault, azure-log-analytics

Find list of Vnets/Subnets that access a key vault in azure


I am trying to analyse the network traffic to an azure key vault, and would like to obtain a list of Vnets/Subnets that have accessed this key vault.

Is there a way to do this?

If not, is there a way to grab the IPs that have accessed this resource? Then I can work backwards from there.

The following doesn't like "CallerIpAddress"

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName == "GetSecret" or OperationName == "SetSecret" or OperationName == "DeleteSecret"
| summarize by CallerIpAddress

'summarize' operator: Failed to resolve scalar expression named 'CallerIpAddress'

Also, this doesn't have to be done in KQL; if there is a way to do it through the CLI, either PowerShell or Az, I'm more than happy to do that too.

Thanks


Solution

  • 'summarize' operator: Failed to resolve scalar expression named 'CallerIpAddress'

    OperationName == "GetSecret" or OperationName == "SetSecret" or OperationName == "DeleteSecret"

    You're passing invalid OperationNames to the KQL query. To fetch the caller IP details, the correct operation names are SecretGet, SecretSet and SecretDelete; refer to the MS docs for details.

    Note: You cannot fetch the list of VNet/Subnet names that accessed a KeyVault, but you can only fetch the IP addresses and endpoints.

        AzureDiagnostics
        | where ResourceProvider =="MICROSOFT.KEYVAULT" 
        | where OperationName == "VaultGet" or OperationName == "SecretGet" or OperationName == "SecretSet" or OperationName == "SecretDelete"
        | project TimeGenerated,Resource, ResourceProvider,OperationName, requestUri_s, CallerIPAddress
    

    Output: (screenshot omitted)

    Reference: Azure Key Vault logging & Monitoring Azure Key Vault
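The asker's original query failed for two separate reasons: KQL column names are case-sensitive, so `CallerIpAddress` does not resolve while `CallerIPAddress` (the column the Key Vault diagnostic logs actually use) does, and the operation names must be `SecretGet`/`SecretSet`/`SecretDelete` as the answer says. The answer is also right that the log only gives you IPs; the "work backwards" step the asker mentions has to be done against your own VNet/subnet prefixes. The following is an added example, not code from the question or the answer, that does exactly that: it carries the corrected, summarized KQL as a string, and maps the caller IPs it returns onto subnet prefixes with the standard-library `ipaddress` module. The query rows and the VNet/subnet list are constructed sample data; in practice you would obtain them with `az monitor log-analytics query -w <workspace-id> --analytics-query "<query>"` and `az network vnet list --query "[].{vnet:name,subnets:subnets[].{name:name,prefix:addressPrefix}}"` (both assumed shapes, trimmed to the fields used here).

```python
"""Map Key Vault caller IPs from AzureDiagnostics back to VNet subnets.

Added example, not from the original question or answer. It assumes two
inputs you export yourself:
  1. the rows returned by KEY_VAULT_CALLERS_KQL below, run against the Log
     Analytics workspace that receives the vault's diagnostic logs, and
  2. the VNet/subnet address prefixes, e.g. from `az network vnet list`.
The sample data below is constructed for the demo.
"""
import ipaddress
from collections import defaultdict

# Corrected KQL: the column is CallerIPAddress (KQL identifiers are
# case-sensitive) and the operation names are SecretGet/SecretSet/SecretDelete.
KEY_VAULT_CALLERS_KQL = """
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName in ("SecretGet", "SecretSet", "SecretDelete")
| summarize Calls = count(), LastSeen = max(TimeGenerated) by CallerIPAddress, OperationName
"""

# Constructed sample of what the query above returns.
SAMPLE_QUERY_ROWS = [
    {"CallerIPAddress": "10.1.2.17", "OperationName": "SecretGet", "Calls": 42},
    {"CallerIPAddress": "10.1.3.5", "OperationName": "SecretSet", "Calls": 3},
    {"CallerIPAddress": "10.2.0.9", "OperationName": "SecretGet", "Calls": 7},
    {"CallerIPAddress": "203.0.113.24", "OperationName": "SecretDelete", "Calls": 1},
]

# Constructed sample of VNet/subnet prefixes (shape assumed, trimmed to what we use).
SAMPLE_VNETS = [
    {"vnet": "vnet-prod", "subnets": [
        {"name": "snet-app", "prefix": "10.1.2.0/24"},
        {"name": "snet-data", "prefix": "10.1.3.0/24"},
    ]},
    {"vnet": "vnet-dev", "subnets": [
        {"name": "snet-app", "prefix": "10.2.0.0/16"},
    ]},
]


def build_subnet_index(vnets):
    """Return a list of (network, 'vnet/subnet') sorted most-specific first."""
    index = []
    for v in vnets:
        for s in v["subnets"]:
            index.append((ipaddress.ip_network(s["prefix"], strict=False),
                          f'{v["vnet"]}/{s["name"]}'))
    # Longest prefix first so overlapping prefixes resolve to the tightest match.
    index.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return index


def resolve_subnet(ip_str, index):
    """Return the 'vnet/subnet' label containing ip_str, or None if nothing matches."""
    ip = ipaddress.ip_address(ip_str)
    for net, label in index:
        if ip.version == net.version and ip in net:
            return label
    return None


def callers_by_subnet(rows, vnets):
    """Aggregate caller IPs, operations and call counts per VNet/subnet.

    Addresses that match no prefix land under 'unmatched'. A public address
    there means the caller reached the vault over its public endpoint (NAT
    egress, an on-prem client, an Azure service) rather than from a listed subnet.
    """
    index = build_subnet_index(vnets)
    result = defaultdict(lambda: {"ips": set(), "operations": set(), "calls": 0})
    for row in rows:
        ip = row["CallerIPAddress"]
        key = resolve_subnet(ip, index) or "unmatched"
        entry = result[key]
        entry["ips"].add(ip)
        entry["operations"].add(row["OperationName"])
        entry["calls"] += int(row["Calls"])
    return dict(result)


if __name__ == "__main__":
    for subnet, info in sorted(callers_by_subnet(SAMPLE_QUERY_ROWS, SAMPLE_VNETS).items()):
        print(f"{subnet:20} calls={info['calls']:3} "
              f"ips={sorted(info['ips'])} ops={sorted(info['operations'])}")
```

The `unmatched` bucket is the part worth reading carefully: a private address you do not recognise is either a peered or on-prem range you forgot to export, while a public one tells you the vault is still being reached over its public endpoint, which is usually the finding you are after when tightening the vault's firewall or moving it behind a private endpoint.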