Unexpected Azure API calls indicating Key Vault modification
Description
AlphaSOC detected modification of an Azure Key Vault configuration via
Microsoft.KeyVault/vaults/write. Key Vaults store cryptographic keys, secrets,
and certificates used by applications throughout the Azure environment.
Configuration changes may affect network access rules, soft delete settings, purge protection, or SKU tier. Adversaries may modify vault settings to weaken security controls, enable public network access, or disable recovery protections before attempting destructive actions.
Impact
Key Vault configuration changes can weaken the controls protecting sensitive credentials. Soft delete is enabled by default on current vaults and cannot be turned off once on, and purge protection cannot be disabled once enabled, so the change to look for is a write that leaves purge protection off on a vault that never had it (an attempt to disable either setting is rejected by the service but still signals intent). Modifying network rules (publicNetworkAccess, networkAcls.defaultAction) may expose the vault to unauthorized access. Changes to access control (access policies, or switching enableRbacAuthorization off) could enable credential theft or unauthorized secret retrieval.
Severity
| Severity | Condition |
|---|---|
| Low | Key Vault modification detected |
| Medium | Anomalous Key Vault modification |
Investigation and Remediation
Review Azure Activity logs for Microsoft.KeyVault/vaults/write events, noting the
caller, the target resourceId and the correlationId so that related operations can
be grouped. Examine the request body to identify which properties were changed
(enableSoftDelete, enablePurgeProtection, publicNetworkAccess, networkAcls,
enableRbacAuthorization, accessPolicies, sku). Compare the current settings against
security baselines to identify any weakened protections; properties absent from the
request should be checked against the live vault rather than assumed unchanged.
If unauthorized, revert the Key Vault to its secure configuration and investigate the identity that made the change for additional malicious activity. Enable purge protection if it is not already enabled (soft delete is on by default and cannot be turned off once enabled). Implement Azure Policy to enforce secure Key Vault configurations, for example denying vaults without purge protection or with public network access enabled.