# Azure Key Vault (Azure-Microsoft.KeyVault)
22 operations, identified by operationName in the audit log.
| operationName | Description |
|---|---|
| _catch_all | Catch-all for Azure-Microsoft.KeyVault rules matching the resource provider but no specific operation. |
| Microsoft.KeyVault/vaults/accessPolicies/write | Adds or updates an access policy on a Key Vault, granting a principal permissions to keys, secrets, or certificates. |
| Microsoft.KeyVault/vaults/delete | Deletes a Key Vault (moves to soft-delete state by default); purge protection determines recoverability. |
| Microsoft.KeyVault/vaults/deploy/action | Permits Azure Resource Manager to retrieve secrets from a Key Vault during template deployments. |
| Microsoft.KeyVault/vaults/keys/backup/action | Requests a backup blob of a Key Vault key, enabling offline export of the key material to an authorized Key Vault. |
| Microsoft.KeyVault/vaults/keys/create | Creates a new cryptographic key in the Key Vault. |
| Microsoft.KeyVault/vaults/keys/create/action | ARM action variant of key creation in Key Vault; functionally equivalent to the create resource operation. |
| Microsoft.KeyVault/vaults/keys/delete | Soft-deletes a cryptographic key from the Key Vault. |
| Microsoft.KeyVault/vaults/keys/import/action | Imports an external key into the Key Vault, potentially bringing attacker-controlled key material. |
| Microsoft.KeyVault/vaults/keys/purge/action | Permanently deletes a soft-deleted key, making it unrecoverable; requires purge-protection to be disabled. |
| Microsoft.KeyVault/vaults/keys/recover/action | Recovers a soft-deleted key, restoring it to its active state. |
| Microsoft.KeyVault/vaults/keys/restore/action | Restores a key from a backup blob into the Key Vault. |
| Microsoft.KeyVault/vaults/keys/update/action | Updates the attributes or tags of a Key Vault key (does not change key material). |
| Microsoft.KeyVault/vaults/secrets/backup/action | Requests a backup blob of a Key Vault secret, enabling offline export to an authorized Key Vault. |
| Microsoft.KeyVault/vaults/secrets/delete | Soft-deletes a secret from the Key Vault. |
| Microsoft.KeyVault/vaults/secrets/purge/action | Permanently deletes a soft-deleted secret, making it unrecoverable. |
| Microsoft.KeyVault/vaults/secrets/recover/action | Recovers a soft-deleted secret, restoring it to its active state. |
| Microsoft.KeyVault/vaults/secrets/restore/action | Restores a secret from a backup blob into the Key Vault. |
| Microsoft.KeyVault/vaults/secrets/setSecret/action | Sets (creates or updates) the value of a secret in Key Vault; the ARM control-plane record of a secret write. |
| Microsoft.KeyVault/vaults/secrets/update/action | Updates the attributes or tags of a Key Vault secret without changing the secret value. |
| Microsoft.KeyVault/vaults/secrets/write | Creates or updates a secret in the Key Vault via the ARM resource write path. |
| Microsoft.KeyVault/vaults/write | Creates or updates a Key Vault, including access policy configuration, networking rules, and purge-protection settings. |

## _catch_all: Azure Key Vault (catch-all)

### Description
Catch-all for Azure-Microsoft.KeyVault rules matching the resource provider but no specific operation.

### Fields
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |

### References
- Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

## Microsoft.KeyVault/vaults/accessPolicies/write

### Description
Adds or updates an access policy on a Key Vault, granting a principal permissions to keys, secrets, or certificates.

### Fields
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |

### Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| operationName | eq | MICROSOFT.KEYVAULT/VAULTS/DELETE | 1 rule | panther, sigma |

### Detection Rules
Rules referencing this event: Sigma.

### References
- Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

## Microsoft.KeyVault/vaults/delete

### Description
Deletes a Key Vault (moves to soft-delete state by default); purge protection determines recoverability.

### Fields
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |

### Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| operationName | eq | MICROSOFT.KEYVAULT/VAULTS/DELETE | 1 rule | panther, sigma |

### Detection Rules
Rules referencing this event: Sigma.

### References
- Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

## Microsoft.KeyVault/vaults/deploy/action

### Description
Permits Azure Resource Manager to retrieve secrets from a Key Vault during template deployments.

### Fields
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |

### Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| operationName | eq | MICROSOFT.KEYVAULT/VAULTS/DELETE | 1 rule | panther, sigma |

### Detection Rules
Rules referencing this event: Sigma.

### References
- Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

## Microsoft.KeyVault/vaults/keys/backup/action

### Description
Requests a backup blob of a Key Vault key, enabling offline export of the key material to an authorized Key Vault.

### Fields
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |

### Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| operationName | eq | MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION | 1 rule | panther, sigma |

### Detection Rules
Rules referencing this event: Sigma.

### References
- Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

## Microsoft.KeyVault/vaults/keys/create

### Description
Creates a new cryptographic key in the Key Vault.

### Fields
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |

### Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| operationName | eq | MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION | 1 rule | panther, sigma |

### Detection Rules
Rules referencing this event: Sigma.

### References
- Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

## Microsoft.KeyVault/vaults/keys/create/action

### Description
ARM action variant of key creation in Key Vault; functionally equivalent to the create resource operation.

### Fields
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |

### Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| operationName | eq | MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION | 1 rule | panther, sigma |

### Detection Rules
Rules referencing this event: Sigma.

### References
- Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

## Microsoft.KeyVault/vaults/keys/delete

### Description
Soft-deletes a cryptographic key from the Key Vault.

### Fields
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |

### Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| operationName | eq | MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION | 1 rule | panther, sigma |

### Detection Rules
Rules referencing this event: Sigma.

### References
- Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

## Microsoft.KeyVault/vaults/keys/import/action

### Description
Imports an external key into the Key Vault, potentially bringing attacker-controlled key material.

### Fields
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |

### Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| operationName | eq | MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION | 1 rule | panther, sigma |

### Detection Rules
Rules referencing this event: Sigma.

### References
- Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

## Microsoft.KeyVault/vaults/keys/purge/action

### Description
Permanently deletes a soft-deleted key, making it unrecoverable; requires purge-protection to be disabled.

### Fields
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |

### Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| operationName | eq | MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION | 1 rule | panther, sigma |

### Detection Rules
Rules referencing this event: Sigma.

### References
- Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

## Microsoft.KeyVault/vaults/keys/recover/action

### Description
Recovers a soft-deleted key, restoring it to its active state.

### Fields
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |

### Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| operationName | eq | MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION | 1 rule | panther, sigma |

### Detection Rules
Rules referencing this event: Sigma.

### References
- Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

## Microsoft.KeyVault/vaults/keys/restore/action

### Description
Restores a key from a backup blob into the Key Vault.

### Fields
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |

### Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| operationName | eq | MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION | 1 rule | panther, sigma |

### Detection Rules
Rules referencing this event: Sigma.

### References
- Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

## Microsoft.KeyVault/vaults/keys/update/action

### Description
Updates the attributes or tags of a Key Vault key (does not change key material).

### Fields
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |

### Detection Rules
Rules referencing this event: Sigma.

### References
- Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

## Microsoft.KeyVault/vaults/secrets/backup/action

### Description
Requests a backup blob of a Key Vault secret, enabling offline export to an authorized Key Vault.

### Fields
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |

### Detection Rules
Rules referencing this event: Sigma.

### References
- Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

## Microsoft.KeyVault/vaults/secrets/delete

### Description
Soft-deletes a secret from the Key Vault.

### Fields
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |

### Detection Rules
Rules referencing this event: Sigma.

### References
- Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

## Microsoft.KeyVault/vaults/secrets/purge/action

### Description
Permanently deletes a soft-deleted secret, making it unrecoverable.

### Fields
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |

### Detection Rules
Rules referencing this event: Sigma.

### References
- Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity
Microsoft.KeyVault/vaults/secrets/recover/action
#Description
Recovers a soft-deleted secret, restoring it to its active state.
Fields #
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |
Detection Rules #
Microsoft.KeyVault/vaults/secrets/restore/action
Description #
Restores a secret from a backup blob into the Key Vault.
Fields #
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |
Detection Rules #
Microsoft.KeyVault/vaults/secrets/setSecret/action
Description #
Sets (creates or updates) the value of a secret in Key Vault; the ARM control-plane record of a secret write.
Fields #
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |
Detection Rules #
Microsoft.KeyVault/vaults/secrets/update/action
Description #
Updates the attributes or tags of a Key Vault secret without changing the secret value.
Fields #
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |
Detection Rules #
Microsoft.KeyVault/vaults/secrets/write
Description #
Creates or updates a secret in the Key Vault via the ARM resource write path.
Fields #
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |
Detection Rules #
Microsoft.KeyVault/vaults/write
Description #
Creates or updates a Key Vault, including access policy configuration, networking rules, and purge-protection settings.
Fields #
| Name | Description |
|---|---|
| OperationName | Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on). |
| OperationNameValue | The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive. |
| ResourceProvider | The Azure resource-provider namespace (e.g. Microsoft.Compute). |
| ResourceId | Full ARM resource id the operation acted on. |
| Caller | Identity that initiated the operation (UPN, object id, or service principal). |
| CallerIpAddress | IP address of the caller. |
| ActivityStatusValue | Operation status (Started, Succeeded, Failed, Accepted). |
| Level | Severity level of the activity record (Informational, Warning, Error, Critical). |
| Authorization | RBAC authorization context: the action evaluated, scope, and role assignment. |
| Properties | Operation-specific properties bag; shape varies by operation. |
| SubscriptionId | GUID of the subscription the resource belongs to. |
| TimeGenerated | UTC timestamp when the event was recorded. |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| operationName | eq | MICROSOFT.KEYVAULT/VAULTS/DELETE | 1 rule | panther, sigma |
Detection Rules #