Unexpected Azure API calls indicating Key Vault deletion
Description
AlphaSOC detected deletion of an Azure Key Vault via the Microsoft.KeyVault/vaults/delete action. Key Vaults store sensitive secrets, encryption keys, and certificates used by applications and services throughout the Azure environment.
Deleting a Key Vault can have severe operational and security impacts. This may indicate an attacker attempting to destroy evidence, disrupt operations, or cause data loss by removing encryption keys needed to access protected resources.
Impact
Key Vault deletion can result in permanent loss of encryption keys, secrets, and certificates if soft delete is not enabled. Applications depending on the vault will fail, potentially causing widespread service outages. If encryption keys are lost, data encrypted with those keys may become permanently inaccessible.
Severity
| Severity | Condition |
|---|---|
| Low | Unexpected action or ASN |
| Medium | Two unexpected properties at the same time |
Investigation and Remediation
Review Azure Activity logs to identify who deleted the Key Vault and determine if it was authorized. Check if soft delete was enabled, allowing potential recovery of the vault. Assess the impact on applications and services that depended on the vault.
If unauthorized, attempt recovery through soft delete if available. Investigate the principal's other activities for signs of broader destructive attacks. Rotate any secrets that may have been exposed and implement RBAC policies to restrict Key Vault deletion. Enable soft delete and purge protection on all Key Vaults.
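The following is an added illustration, not AlphaSOC's detection code: it walks Azure Activity Log records, keeps only succeeded Microsoft.KeyVault/vaults/delete operations, and grades each one with the severity table above (one unexpected property is Low, two at once is Medium) while extracting the caller, source IP and time an investigator would start from. The per-principal baseline, the IP-to-ASN map and the sample records are constructed assumptions for the example.

```python
"""Grade Key Vault deletions in Azure Activity Log records with the severity table
above: one unexpected property (action or source ASN) is Low, two at once is Medium.
The per-principal baseline and the IP-to-ASN map are constructed assumptions."""
DELETE_OP = "microsoft.keyvault/vaults/delete"
# Constructed baseline of the actions and source ASNs each principal normally uses.
BASELINE = {"ci-pipeline@example.com": {"actions": {"microsoft.keyvault/vaults/write"},
                                        "asns": {"AS8075"}}}
# Constructed IP-to-ASN map standing in for a real enrichment source.
IP_TO_ASN = {"20.50.1.10": "AS8075", "198.51.100.7": "AS64500"}

def unexpected_properties(event):
    """Return which of 'action' / 'asn' fall outside the caller's baseline."""
    profile = BASELINE.get(event.get("caller", ""), {"actions": set(), "asns": set()})
    op = event["operationName"]["value"].lower()
    asn = IP_TO_ASN.get(event.get("callerIpAddress", ""), "unknown")
    flags = []
    if op not in profile["actions"]:
        flags.append("action")
    if asn not in profile["asns"]:
        flags.append("asn")
    return flags

def grade_keyvault_deletions(records):
    """Return one finding per succeeded Key Vault delete that has an unexpected property."""
    findings = []
    for ev in records:
        if (ev["operationName"]["value"].lower() != DELETE_OP
                or ev.get("status", {}).get("value") != "Succeeded"):
            continue  # other operations, and delete attempts that failed, are not graded here
        props = unexpected_properties(ev)
        if props:
            findings.append({"vault": ev["resourceId"].rsplit("/", 1)[-1],
                             "caller": ev.get("caller"), "ip": ev.get("callerIpAddress"),
                             "time": ev.get("eventTimestamp"), "unexpected": props,
                             "severity": "Low" if len(props) == 1 else "Medium"})
    return findings

def make_event(op, caller, ip, status, vault):
    """Build a constructed Activity Log record with the fields the detection reads."""
    return {"operationName": {"value": op}, "caller": caller, "callerIpAddress": ip,
            "status": {"value": status}, "eventTimestamp": "2024-05-01T10:00:00Z",
            "resourceId": "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/" + vault}

# Constructed sample: routine write, delete from the usual ASN, failed delete, delete by unknown principal and ASN.
SAMPLE_EVENTS = [
    make_event("Microsoft.KeyVault/vaults/write", "ci-pipeline@example.com", "20.50.1.10", "Succeeded", "kv-ci"),
    make_event("Microsoft.KeyVault/vaults/delete", "ci-pipeline@example.com", "20.50.1.10", "Succeeded", "kv-ci"),
    make_event("Microsoft.KeyVault/vaults/delete", "svc-unknown@example.com", "198.51.100.7", "Failed", "kv-prod"),
    make_event("Microsoft.KeyVault/vaults/delete", "svc-unknown@example.com", "198.51.100.7", "Succeeded", "kv-prod"),
]
```

Running `grade_keyvault_deletions(SAMPLE_EVENTS)` yields a Low finding for the pipeline's out-of-pattern delete and a Medium finding for the unknown principal; a real deployment would replace the constructed baseline with observed per-principal history.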
Known False Positives
- Decommissioning of applications and their associated secrets
- Migration to different secret management solutions
- Cleanup of test environments