From e7a7c069490d4a4c5d7d99a8da9735cd772dce14 Mon Sep 17 00:00:00 2001 From: "sekoia-io-cross-repo-comm-app[bot]" <99295792+sekoia-io-cross-repo-comm-app[bot]@users.noreply.github.com> Date: Tue, 30 Apr 2024 14:56:58 +0000 Subject: [PATCH] Refresh intakes documentation --- .../5702ae4e-7d8a-455f-a47b-ef64dd87c981.md | 7 - .../ae62a8c4-11f8-4aea-af5b-6968f8ac04ba.md | 3175 +++++++++++++++++ 2 files changed, 3175 insertions(+), 7 deletions(-) create mode 100644 _shared_content/operations_center/integrations/generated/ae62a8c4-11f8-4aea-af5b-6968f8ac04ba.md diff --git a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md index 2445795cdf..9ac0238313 100644 --- a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md +++ b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md @@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "@timestamp": "2021-11-23T15:35:08.541882Z", "action": { "outcome_reason": "Configuration is changed in the admin session", - "target": "network-traffic", "type": "system" }, "log": { @@ -658,7 +657,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "roll-log", "outcome": "success", "outcome_reason": "Disk log has rolled.", - "target": "network-traffic", "type": "system" }, "fortinet": { @@ -2280,7 +2278,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "login", "outcome": "failed", "outcome_reason": "Login disabled from IP 1.1.1.1 for 60 seconds because of 3 bad attempts", - "target": "network-traffic", "type": "system" }, "log": { @@ -2315,7 +2312,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "ssl-new-con", "outcome": "success", "outcome_reason": "SSL new connection", - "target": "network-traffic", "type": "vpn" }, "destination": { @@ -3523,7 +3519,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "CRL_1", "outcome": "success", "outcome_reason": "A certificate is updated", - "target": "network-traffic", "type": "vpn" }, "fortinet": { @@ -3581,7 +3576,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "ssl-login-fail", "outcome": "success", "outcome_reason": "SSL user failed to logged in", - "target": "network-traffic", "type": "vpn" }, "fortinet": { @@ -3651,7 +3645,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "ssl-login-fail", "outcome": "success", "outcome_reason": "SSL user failed to logged in", - "target": "network-traffic", "type": "vpn" }, "fortinet": { diff --git a/_shared_content/operations_center/integrations/generated/ae62a8c4-11f8-4aea-af5b-6968f8ac04ba.md b/_shared_content/operations_center/integrations/generated/ae62a8c4-11f8-4aea-af5b-6968f8ac04ba.md new file mode 100644 index 0000000000..c698d8af1a --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/ae62a8c4-11f8-4aea-af5b-6968f8ac04ba.md @@ -0,0 +1,3175 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Application logs` | Key Vault events are analyzed in detail | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `` | +| Category | `database` | +| Type | `access` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "test_event_certificate_create.json" + + ```json + + { + "message": "{\"time\": \"2024-04-03T14:03:10.7886260Z\", \"category\": \"AuditEvent\", \"operationName\": \"CertificateCreate\", \"resultType\": \"Success\", \"correlationId\": \"1216de2d-b866-4950-983f-46775e7fe659\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/certificates/fdfdffffd\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 202, \"requestUri\": \"https://testpermissionvault.vault.azure.net/certificates/fdfdffffd/create?api-version=7.0\", \"isAccessPolicyMatch\": true, \"certificateProperties\": {\"attributes\": {\"enabled\": true}}, \"certificatePolicyProperties\": {\"certificateProperties\": {\"subject\": \"CN=GHEG FFF\", \"validityInMonths\": 12}, \"keyProperties\": {\"type\": \"RSA\", \"size\": 2048, \"reuse\": false, \"export\": true}, \"secretProperties\": {\"type\": \"application/x-pkcs12\"}, \"certificateIssuerProperties\": {\"name\": \"Self\"}, \"attributes\": {\"enabled\": true}}, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.0\", \"resultSignature\": \"Accepted\", \"durationMs\": \"575\"}", + "event": { + "action": "CertificateCreate", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-03T14:03:10.788626Z", + "azure": { + "key_vault": { + "correlation_id": "1216de2d-b866-4950-983f-46775e7fe659", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "certificateIssuerProperties": { + "name": "Self" + }, + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/certificates/fdfdffffd", + "isAccessPolicyMatch": true, + "keyProperties": { + "type": "RSA" + } + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "Accepted", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 202 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/certificates/fdfdffffd/create?api-version=7.0", + "path": "/certificates/fdfdffffd/create", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_certificate_import.json" + + ```json + + { + "message": "{\"time\": \"2024-04-08T15:10:25.2996345Z\", \"category\": \"AuditEvent\", \"operationName\": \"CertificateImport\", \"resultType\": \"Success\", \"resultDescription\": \"Private key is not specified in the specified X.509 PEM certificate content. Please specify private key in the X.509 PEM certificate content.\", \"correlationId\": \"1de288da-53e4-4563-8b1a-626cbf008d8d\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXXXXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.152.109\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://myright3.vault.azure.net/certificates/mycertiii\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 400, \"requestUri\": \"https://myright3.vault.azure.net/certificates/mycertiii/import?api-version=7.0\", \"isAccessPolicyMatch\": true, \"certificatePolicyProperties\": {\"secretProperties\": {\"type\": \"application/x-pem-file\"}}, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/MYRIGHT3\", \"operationVersion\": \"7.0\", \"resultSignature\": \"Bad Request\", \"durationMs\": \"16\"}", + "event": { + "action": "CertificateImport", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-08T15:10:25.299634Z", + "azure": { + "key_vault": { + "correlation_id": "1de288da-53e4-4563-8b1a-626cbf008d8d", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.152.109", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXXXXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://myright3.vault.azure.net/certificates/mycertiii", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/MYRIGHT3", + "result": { + "description": "Private key is not specified in the specified X.509 PEM certificate content. Please specify private key in the X.509 PEM certificate content.", + "signature": "Bad Request", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 400 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "myright3.vault.azure.net", + "original": "https://myright3.vault.azure.net/certificates/mycertiii/import?api-version=7.0", + "path": "/certificates/mycertiii/import", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "myright3.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_certificate_import_1.json" + + ```json + + { + "message": "{\"time\": \"2024-04-08T15:13:06.9355325Z\", \"category\": \"AuditEvent\", \"operationName\": \"CertificateImport\", \"resultType\": \"Success\", \"correlationId\": \"fa80015d-9a44-4786-bf2f-1024a83c63cd\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXXXXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.152.109\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://myright3.vault.azure.net/certificates/yfuffuygu\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://myright3.vault.azure.net/certificates/yfuffuygu/import?api-version=7.0\", \"isAccessPolicyMatch\": true, \"keyProperties\": {\"type\": \"RSA\", \"size\": 2048}, \"secretProperties\": {\"type\": \"application/x-pkcs12\"}, \"certificateProperties\": {\"attributes\": {\"enabled\": true}, \"subject\": \"E=eff@ee.com, CN=sss, OU=cc, O=ffbb, L=bbdd, S=aabb, C=FR\", \"sha1\": \"8C593C21ABB940F7D334F927011B30519B2388BB\", \"sha256\": \"77C4C074B22B1DC59D4071128115BD43AE8FF4ABD1C539E0F0416E46BF037A4D\", \"nbf\": \"2024-04-08T15:09:12+00:00\", \"exp\": \"2027-01-03T15:09:12+00:00\"}, \"certificatePolicyProperties\": {\"secretProperties\": {\"type\": \"application/x-pkcs12\"}}, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/MYRIGHT3\", \"operationVersion\": \"7.0\", \"resultSignature\": \"OK\", \"durationMs\": \"222\"}", + "event": { + "action": "CertificateImport", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-08T15:13:06.935532Z", + "azure": { + "key_vault": { + "correlation_id": "fa80015d-9a44-4786-bf2f-1024a83c63cd", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.152.109", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXXXXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://myright3.vault.azure.net/certificates/yfuffuygu", + "isAccessPolicyMatch": true, + "keyProperties": { + "type": "RSA" + }, + "secretProperties": { + "type": "application/x-pkcs12" + } + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/MYRIGHT3", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "myright3.vault.azure.net", + "original": "https://myright3.vault.azure.net/certificates/yfuffuygu/import?api-version=7.0", + "path": "/certificates/yfuffuygu/import", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "myright3.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_certificate_update.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:49:04.5484056Z\", \"category\": \"AuditEvent\", \"operationName\": \"CertificateUpdate\", \"resultType\": \"Success\", \"correlationId\": \"0beabe33-25ee-4b8f-91de-4c7e47645d7b\", \"callerIpAddress\": \"147.161.246.101\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/certificates/fdfdffffd/2b5dd56d53254413811cb3d3ea2529f1\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64)Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://testpermissionvault.vault.azure.net/certificates/fdfdffffd/2b5dd56d53254413811cb3d3ea2529f1?api-version=7.0\", \"isAccessPolicyMatch\": true, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-93068B9DE034/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.0\", \"resultSignature\": \"OK\", \"durationMs\": \"92\"}", + "event": { + "action": "CertificateUpdate", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:49:04.548405Z", + "azure": { + "key_vault": { + "correlation_id": "0beabe33-25ee-4b8f-91de-4c7e47645d7b", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64)Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/certificates/fdfdffffd/2b5dd56d53254413811cb3d3ea2529f1", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-93068B9DE034/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.246.101" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.246.101", + "ip": "147.161.246.101" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/certificates/fdfdffffd/2b5dd56d53254413811cb3d3ea2529f1?api-version=7.0", + "path": "/certificates/fdfdffffd/2b5dd56d53254413811cb3d3ea2529f1", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64)Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_backup.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:47:31.2803447Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyBackup\", \"resultType\": \"Success\", \"correlationId\": \"49c05377-7187-4f18-8374-0e101bba261d\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg/backup?api-version=7.3\", \"isAccessPolicyMatch\": true, \"keyProperties\": {\"type\": \"RSA\", \"attributes\": {\"hsmPlatform\": \"0\"}}, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.3\", \"resultSignature\": \"OK\", \"durationMs\": \"46\"}", + "event": { + "action": "KeyBackup", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:47:31.280344Z", + "azure": { + "key_vault": { + "correlation_id": "49c05377-7187-4f18-8374-0e101bba261d", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg", + "isAccessPolicyMatch": true, + "keyProperties": { + "type": "RSA" + } + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg/backup?api-version=7.3", + "path": "/keys/egzghfgrrg/backup", + "port": 443, + "query": "api-version=7.3", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_delete.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:47:34.7178619Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyDelete\", \"resultType\": \"Success\", \"correlationId\": \"1822451f-ce87-4d9e-96bc-a723af8b5748\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg?api-version=7.3\", \"isAccessPolicyMatch\": true, \"keyProperties\": {\"type\": \"RSA\", \"attributes\": {\"hsmPlatform\": \"0\"}}, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.3\", \"resultSignature\": \"OK\", \"durationMs\": \"44\"}", + "event": { + "action": "KeyDelete", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:47:34.717861Z", + "azure": { + "key_vault": { + "correlation_id": "1822451f-ce87-4d9e-96bc-a723af8b5748", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg", + "isAccessPolicyMatch": true, + "keyProperties": { + "type": "RSA" + } + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg?api-version=7.3", + "path": "/keys/egzghfgrrg", + "port": 443, + "query": "api-version=7.3", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_delete_1.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:47:34.7178619Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyDelete\", \"resultType\": \"Success\", \"correlationId\": \"1822451f-ce87-4d9e-96bc-a723af8b5748\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg?api-version=7.3\", \"isAccessPolicyMatch\": true, \"keyProperties\": {\"type\": \"RSA\", \"attributes\": {\"hsmPlatform\": \"0\"}}, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.3\", \"resultSignature\": \"OK\", \"durationMs\": \"44\"}", + "event": { + "action": "KeyDelete", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:47:34.717861Z", + "azure": { + "key_vault": { + "correlation_id": "1822451f-ce87-4d9e-96bc-a723af8b5748", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg", + "isAccessPolicyMatch": true, + "keyProperties": { + "type": "RSA" + } + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg?api-version=7.3", + "path": "/keys/egzghfgrrg", + "port": 443, + "query": "api-version=7.3", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_get.json" + + ```json + + { + "message": "{\"time\": \"2024-04-03T14:02:45.0948723Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyGet\", \"resultType\": \"Success\", \"resultDescription\": \"A key with (name/id) egzghfgrrg was not found in this key vault. If you recently deleted this key you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182\", \"correlationId\": \"afabe187-cad6-4ca1-9698-e4ed73479b7c\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 404, \"requestUri\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg?api-version=7.3&x-ms-include-der=true&_=1712126805788\", \"isAccessPolicyMatch\": true, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.3\", \"resultSignature\": \"Not Found\", \"durationMs\": \"22\"}", + "event": { + "action": "KeyGet", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-03T14:02:45.094872Z", + "azure": { + "key_vault": { + "correlation_id": "afabe187-cad6-4ca1-9698-e4ed73479b7c", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "description": "A key with (name/id) egzghfgrrg was not found in this key vault. If you recently deleted this key you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182", + "signature": "Not Found", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 404 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg?api-version=7.3&x-ms-include-der=true&_=1712126805788", + "path": "/keys/egzghfgrrg", + "port": 443, + "query": "api-version=7.3&x-ms-include-der=true&_=1712126805788", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_get_1.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:47:42.7335214Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyGet\", \"resultType\": \"Success\", \"correlationId\": \"425dd404-f29a-4e68-9b88-2c3643b4462e\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-XXXXXXX\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/keys/MyFirstKey\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://testpermissionvault.vault.azure.net/keys/MyFirstKey?api-version=7.3&x-ms-include-der=true&_=1712127259288\", \"isAccessPolicyMatch\": true, \"keyProperties\": {\"type\": \"RSA\", \"attributes\": {\"hsmPlatform\": \"0\"}}, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.3\", \"resultSignature\": \"OK\", \"durationMs\": \"12\"}", + "event": { + "action": "KeyGet", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:47:42.733521Z", + "azure": { + "key_vault": { + "correlation_id": "425dd404-f29a-4e68-9b88-2c3643b4462e", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-XXXXXXX", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/keys/MyFirstKey", + "isAccessPolicyMatch": true, + "keyProperties": { + "type": "RSA" + } + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/keys/MyFirstKey?api-version=7.3&x-ms-include-der=true&_=1712127259288", + "path": "/keys/MyFirstKey", + "port": 443, + "query": "api-version=7.3&x-ms-include-der=true&_=1712127259288", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_list.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:47:14.1959057Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyList\", \"resultType\": \"Success\", \"correlationId\": \"e6f5733d-2c7d-4d66-94bb-7d77a434a44c\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://testpermissionvault.vault.azure.net/keys?api-version=7.3&maxresults=25&_=1712126805807\", \"isAccessPolicyMatch\": true, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.3\", \"resultSignature\": \"OK\", \"durationMs\": \"57\"}", + "event": { + "action": "KeyList", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:47:14.195905Z", + "azure": { + "key_vault": { + "correlation_id": "e6f5733d-2c7d-4d66-94bb-7d77a434a44c", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/keys?api-version=7.3&maxresults=25&_=1712126805807", + "path": "/keys", + "port": 443, + "query": "api-version=7.3&maxresults=25&_=1712126805807", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_list_1.json" + + ```json + + { + "message": "{\"time\": \"2024-04-02T08:21:11.5722907Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyList\", \"resultType\": \"Success\", \"resultDescription\": \"Caller is not authorized to perform action on resource.\", \"correlationId\": \"4f1a71d0-6490-49dd-a720-1fa8adfef495\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"clientInfo\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"httpStatusCode\": 403, \"requestUri\": \"https://keytestint.vault.azure.net/keys?api-version=7.3&maxresults=25&_=1712042263953\", \"isRbacAuthorized\": false, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KEYTESTINT\", \"operationVersion\": \"7.3\", \"resultSignature\": \"Forbidden\", \"durationMs\": \"22\"}", + "event": { + "action": "KeyList", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "failure", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-02T08:21:11.572290Z", + "azure": { + "key_vault": { + "correlation_id": "4f1a71d0-6490-49dd-a720-1fa8adfef495", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "3686488a-04fc-4d8a-b967-61f98ec41efe" + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KEYTESTINT", + "result": { + "description": "Caller is not authorized to perform action on resource.", + "signature": "Forbidden", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 403 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "keytestint.vault.azure.net", + "original": "https://keytestint.vault.azure.net/keys?api-version=7.3&maxresults=25&_=1712042263953", + "path": "/keys", + "port": 443, + "query": "api-version=7.3&maxresults=25&_=1712042263953", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "keytestint.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "os": { + "name": "Other" + } + } + } + + ``` + + +=== "test_event_key_list_deleted.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:47:38.2178774Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyListDeleted\", \"resultType\": \"Success\", \"correlationId\": \"733c65c4-338c-4ef5-9d95-25ae18b46fda\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://testpermissionvault.vault.azure.net/deletedkeys?api-version=7.0\", \"isAccessPolicyMatch\": true, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.0\", \"resultSignature\": \"OK\", \"durationMs\": \"46\"}", + "event": { + "action": "KeyListDeleted", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:47:38.217877Z", + "azure": { + "key_vault": { + "correlation_id": "733c65c4-338c-4ef5-9d95-25ae18b46fda", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/deletedkeys?api-version=7.0", + "path": "/deletedkeys", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_list_versions.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:47:28.1709577Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyListVersions\", \"resultType\": \"Success\", \"correlationId\": \"e8f90224-0296-424e-99ba-c5dd9870d362\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg/versions?api-version=7.3&maxresults=25&_=1712127259287\", \"isAccessPolicyMatch\": true, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.3\", \"resultSignature\": \"OK\", \"durationMs\": \"18\"}", + "event": { + "action": "KeyListVersions", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:47:28.170957Z", + "azure": { + "key_vault": { + "correlation_id": "e8f90224-0296-424e-99ba-c5dd9870d362", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg/versions?api-version=7.3&maxresults=25&_=1712127259287", + "path": "/keys/egzghfgrrg/versions", + "port": 443, + "query": "api-version=7.3&maxresults=25&_=1712127259287", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_purge.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:47:52.0502260Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyPurge\", \"resultType\": \"Success\", \"resultDescription\": \"The user, group or application 'appid=3686488a-04fc-4d8a-b967-61f98ec41efe;oid=d4ba3e84-0444-4841-aaf7-XXXXXX;numgroups=2;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-XXXXXXXX/' does not have keys purge permission on key vault 'testPermissionVault;location=francecentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287\", \"correlationId\": \"3cff8050-bd18-4acd-94ba-c6196ffa3ad4\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/deletedkeys/MyFirstKey\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 403, \"requestUri\": \"https://testpermissionvault.vault.azure.net/deletedkeys/MyFirstKey?api-version=7.0\", \"isAccessPolicyMatch\": false, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.0\", \"resultSignature\": \"Forbidden\", \"durationMs\": \"4\"}", + "event": { + "action": "KeyPurge", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "failure", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:47:52.050226Z", + "azure": { + "key_vault": { + "correlation_id": "3cff8050-bd18-4acd-94ba-c6196ffa3ad4", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/deletedkeys/MyFirstKey", + "isAccessPolicyMatch": false + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "description": "The user, group or application 'appid=3686488a-04fc-4d8a-b967-61f98ec41efe;oid=d4ba3e84-0444-4841-aaf7-XXXXXX;numgroups=2;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-XXXXXXXX/' does not have keys purge permission on key vault 'testPermissionVault;location=francecentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287", + "signature": "Forbidden", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 403 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/deletedkeys/MyFirstKey?api-version=7.0", + "path": "/deletedkeys/MyFirstKey", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_purge_1.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:47:52.0502260Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyPurge\", \"resultType\": \"Success\", \"resultDescription\": \"The user, group or application 'appid=3686488a-04fc-4d8a-b967-XXXXXXX;oid=d4ba3e84-0444-4841-aaf7-XXXXX;numgroups=2;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-10f72c103fc1/' does not have keys purge permission on key vault 'testPermissionVault;location=francecentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287\", \"correlationId\": \"3cff8050-bd18-4acd-94ba-c6196ffa3ad4\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-XXXXXXX\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/deletedkeys/MyFirstKey\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 403, \"requestUri\": \"https://testpermissionvault.vault.azure.net/deletedkeys/MyFirstKey?api-version=7.0\", \"isAccessPolicyMatch\": false, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.0\", \"resultSignature\": \"Forbidden\", \"durationMs\": \"4\"}", + "event": { + "action": "KeyPurge", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "failure", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:47:52.050226Z", + "azure": { + "key_vault": { + "correlation_id": "3cff8050-bd18-4acd-94ba-c6196ffa3ad4", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-XXXXXXX", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/deletedkeys/MyFirstKey", + "isAccessPolicyMatch": false + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "description": "The user, group or application 'appid=3686488a-04fc-4d8a-b967-XXXXXXX;oid=d4ba3e84-0444-4841-aaf7-XXXXX;numgroups=2;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-10f72c103fc1/' does not have keys purge permission on key vault 'testPermissionVault;location=francecentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287", + "signature": "Forbidden", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 403 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/deletedkeys/MyFirstKey?api-version=7.0", + "path": "/deletedkeys/MyFirstKey", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_update.json" + + ```json + + { + "message": "{\"time\": \"2024-04-08T15:14:05.4057164Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyUpdate\", \"resultType\": \"Success\", \"correlationId\": \"bbd1b29d-5b8b-4639-9980-XXXXX\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXXXXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.152.109\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://myright3.vault.azure.net/keys/iiii/c0d4c7ec6efb4fbeaec16a3872519399\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://myright3.vault.azure.net/keys/iiii/c0d4c7ec6efb4fbeaec16a3872519399?api-version=7.3\", \"isAccessPolicyMatch\": true, \"keyProperties\": {\"type\": \"RSA\", \"operations\": [\"sign\", \"unwrapKey\", \"encrypt\", \"decrypt\"], \"attributes\": {\"enabled\": true, \"exp\": 1775660989, \"hsmPlatform\": \"0\"}}, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/MYRIGHT3\", \"operationVersion\": \"7.3\", \"resultSignature\": \"OK\", \"durationMs\": \"66\"}", + "event": { + "action": "KeyUpdate", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-08T15:14:05.405716Z", + "azure": { + "key_vault": { + "correlation_id": "bbd1b29d-5b8b-4639-9980-XXXXX", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.152.109", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXXXXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://myright3.vault.azure.net/keys/iiii/c0d4c7ec6efb4fbeaec16a3872519399", + "isAccessPolicyMatch": true, + "keyProperties": { + "type": "RSA" + } + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/MYRIGHT3", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "myright3.vault.azure.net", + "original": "https://myright3.vault.azure.net/keys/iiii/c0d4c7ec6efb4fbeaec16a3872519399?api-version=7.3", + "path": "/keys/iiii/c0d4c7ec6efb4fbeaec16a3872519399", + "port": 443, + "query": "api-version=7.3", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "myright3.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_secret_backup.json" + + ```json + + { + "message": "{\n \"time\": \"2024-04-04T06:43:32.2816869Z\",\n \"category\": \"AuditEvent\",\n \"operationName\": \"SecretBackup\",\n \"resultType\": \"Success\",\n \"correlationId\": \"1062c64b-12ce-4202-aa9f-c60599f19b29\",\n \"callerIpAddress\": \"147.161.0.0\",\n \"identity\": {\n \"claim\": {\n \"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\",\n \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"scp\": \"user_impersonation\",\n \"appidacr\": \"0\",\n \"xms_az_nwperimid\": [],\n \"upn\": \"john.doe@dummy.onmicrosoft.com\",\n \"ipaddr\": \"147.161.0.0\",\n \"unique_name\": \"john.doe@dummy.onmicrosoft.com\",\n \"amr\": \"pwd\"\n }\n },\n \"properties\": {\n \"id\": \"https://testpermissionvault.vault.azure.net/secrets/keykey\",\n \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\",\n \"httpStatusCode\": 200,\n \"requestUri\": \"https://testpermissionvault.vault.azure.net/secrets/keykey/backup?api-version=7.0\",\n \"isAccessPolicyMatch\": true,\n \"tlsVersion\": \"TLS1_3\"\n },\n \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\",\n \"operationVersion\": \"7.0\",\n \"resultSignature\": \"OK\",\n \"durationMs\": \"43\"\n}", + "event": { + "action": "SecretBackup", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:43:32.281686Z", + "azure": { + "key_vault": { + "correlation_id": "1062c64b-12ce-4202-aa9f-c60599f19b29", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/secrets/keykey", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/secrets/keykey/backup?api-version=7.0", + "path": "/secrets/keykey/backup", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_secret_delete.json" + + ```json + + { + "message": "{\n \"time\": \"2024-04-04T06:43:43.7508346Z\",\n \"category\": \"AuditEvent\",\n \"operationName\": \"SecretDelete\",\n \"resultType\": \"Success\",\n \"correlationId\": \"7c8262f7-6f52-4887-8eb2-fa32ec32409a\",\n \"callerIpAddress\": \"147.161.0.0\",\n \"identity\": {\n \"claim\": {\n \"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\",\n \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"scp\": \"user_impersonation\",\n \"appidacr\": \"0\",\n \"xms_az_nwperimid\": [],\n \"upn\": \"john.doe@dummy.onmicrosoft.com\",\n \"ipaddr\": \"147.161.0.0\",\n \"unique_name\": \"john.doe@dummy.onmicrosoft.com\",\n \"amr\": \"pwd\"\n }\n },\n \"properties\": {\n \"id\": \"https://testpermissionvault.vault.azure.net/secrets/keykey\",\n \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\",\n \"httpStatusCode\": 200,\n \"requestUri\": \"https://testpermissionvault.vault.azure.net/secrets/keykey?api-version=7.0\",\n \"isAccessPolicyMatch\": true,\n \"tlsVersion\": \"TLS1_3\"\n },\n \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\",\n \"operationVersion\": \"7.0\",\n \"resultSignature\": \"OK\",\n \"durationMs\": \"73\"\n}", + "event": { + "action": "SecretDelete", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:43:43.750834Z", + "azure": { + "key_vault": { + "correlation_id": "7c8262f7-6f52-4887-8eb2-fa32ec32409a", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/secrets/keykey", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/secrets/keykey?api-version=7.0", + "path": "/secrets/keykey", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_secret_get.json" + + ```json + + { + "message": "{\n \"time\": \"2024-04-03T14:08:43.4316531Z\",\n \"category\": \"AuditEvent\",\n \"operationName\": \"SecretGet\",\n \"resultType\": \"Success\",\n \"resultDescription\": \"A secret with (name/id) keykey was not found in this key vault. If you recently deleted this secret you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182\",\n \"correlationId\": \"c86f2715-79c5-433f-937c-ed76ddde840c\",\n \"callerIpAddress\": \"147.161.0.0\",\n \"identity\": {\n \"claim\": {\n \"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXXXX\",\n \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"scp\": \"user_impersonation\",\n \"appidacr\": \"0\",\n \"xms_az_nwperimid\": [],\n \"upn\": \"john.doe@dummy.onmicrosoft.com\",\n \"ipaddr\": \"147.161.0.0\",\n \"unique_name\": \"john.doe@dummy.onmicrosoft.com\",\n \"amr\": \"pwd\"\n }\n },\n \"properties\": {\n \"id\": \"https://testpermissionvault.vault.azure.net/secrets/keykey\",\n \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\",\n \"httpStatusCode\": 404,\n \"requestUri\": \"https://testpermissionvault.vault.azure.net/secrets/keykey?api-version=7.0&_=1712126805801\",\n \"isAccessPolicyMatch\": true,\n \"tlsVersion\": \"TLS1_3\"\n },\n \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\",\n \"operationVersion\": \"7.0\",\n \"resultSignature\": \"Not Found\",\n \"durationMs\": \"183\"\n}", + "event": { + "action": "SecretGet", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-03T14:08:43.431653Z", + "azure": { + "key_vault": { + "correlation_id": "c86f2715-79c5-433f-937c-ed76ddde840c", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/secrets/keykey", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "description": "A secret with (name/id) keykey was not found in this key vault. If you recently deleted this secret you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182", + "signature": "Not Found", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 404 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/secrets/keykey?api-version=7.0&_=1712126805801", + "path": "/secrets/keykey", + "port": 443, + "query": "api-version=7.0&_=1712126805801", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_secret_get_1.json" + + ```json + + { + "message": "{\n \"time\": \"2024-04-02T08:20:49.2681600Z\",\n \"category\": \"AuditEvent\",\n \"operationName\": \"SecretGet\",\n \"resultType\": \"Success\",\n \"resultDescription\": \"Caller is not authorized to perform action on resource.\\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\\nCaller: appid=3686488a-04fc-4d8a-b967-XXXXX;oid=d4ba3e84-0444-4841-aaf7-XXXXX;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-XXXXXXXX/\\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\\nResource: '/subscriptions/F40A1F1D-F2C6-4444-XXXX/resourcegroups/integration/providers/microsoft.keyvault/vaults/keytestint/secrets/a'\\nAssignment: (not found)\\nDenyAssignmentId: null\\nDecisionReason: null \\nVault: keyTestInt;location=francecentral\",\n \"correlationId\": \"1b3aa393-f142-4329-8b1f-c5222119ae35\",\n \"callerIpAddress\": \"147.161.0.0\",\n \"identity\": {\n \"claim\": {\n \"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXX\",\n \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"scp\": \"user_impersonation\",\n \"appidacr\": \"0\",\n \"xms_az_nwperimid\": [],\n \"upn\": \"john.doe@dummy.onmicrosoft.com\",\n \"ipaddr\": \"147.161.0.0\",\n \"unique_name\": \"john.doe@dummy.onmicrosoft.com\",\n \"amr\": \"pwd\"\n }\n },\n \"properties\": {\n \"id\": \"https://keytestint.vault.azure.net/secrets/a\",\n \"clientInfo\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"httpStatusCode\": 403,\n \"requestUri\": \"https://keytestint.vault.azure.net/secrets/a?api-version=7.0&_=1712042263922\",\n \"isRbacAuthorized\": false,\n \"tlsVersion\": \"TLS1_3\"\n },\n \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KEYTESTINT\",\n \"operationVersion\": \"7.0\",\n \"resultSignature\": \"Forbidden\",\n \"durationMs\": \"27\"\n}", + "event": { + "action": "SecretGet", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "failure", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-02T08:20:49.268160Z", + "azure": { + "key_vault": { + "correlation_id": "1b3aa393-f142-4329-8b1f-c5222119ae35", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "id": "https://keytestint.vault.azure.net/secrets/a" + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KEYTESTINT", + "result": { + "description": "Caller is not authorized to perform action on resource.\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\nCaller: appid=3686488a-04fc-4d8a-b967-XXXXX;oid=d4ba3e84-0444-4841-aaf7-XXXXX;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-XXXXXXXX/\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\nResource: '/subscriptions/F40A1F1D-F2C6-4444-XXXX/resourcegroups/integration/providers/microsoft.keyvault/vaults/keytestint/secrets/a'\nAssignment: (not found)\nDenyAssignmentId: null\nDecisionReason: null \nVault: keyTestInt;location=francecentral", + "signature": "Forbidden", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 403 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "keytestint.vault.azure.net", + "original": "https://keytestint.vault.azure.net/secrets/a?api-version=7.0&_=1712042263922", + "path": "/secrets/a", + "port": 443, + "query": "api-version=7.0&_=1712042263922", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "keytestint.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "os": { + "name": "Other" + } + } + } + + ``` + + +=== "test_event_secret_list.json" + + ```json + + { + "message": "{\n \"time\": \"2024-04-04T06:43:25.5941616Z\",\n \"category\": \"AuditEvent\",\n \"operationName\": \"SecretList\",\n \"resultType\": \"Success\",\n \"correlationId\": \"58127e84-c72e-4f7c-9cd6-a68b8a5da547\",\n \"callerIpAddress\": \"147.161.0.0\",\n \"identity\": {\n \"claim\": {\n \"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\",\n \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"scp\": \"user_impersonation\",\n \"appidacr\": \"0\",\n \"xms_az_nwperimid\": [],\n \"upn\": \"john.doe@dummy.onmicrosoft.com\",\n \"ipaddr\": \"147.161.0.0\",\n \"unique_name\": \"john.doe@dummy.onmicrosoft.com\",\n \"amr\": \"pwd\"\n }\n },\n \"properties\": {\n \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\",\n \"httpStatusCode\": 200,\n \"requestUri\": \"https://testpermissionvault.vault.azure.net/secrets?api-version=7.0&maxresults=25&_=1712127259280\",\n \"isAccessPolicyMatch\": true,\n \"tlsVersion\": \"TLS1_3\"\n },\n \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\",\n \"operationVersion\": \"7.0\",\n \"resultSignature\": \"OK\",\n \"durationMs\": \"76\"\n}", + "event": { + "action": "SecretList", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:43:25.594161Z", + "azure": { + "key_vault": { + "correlation_id": "58127e84-c72e-4f7c-9cd6-a68b8a5da547", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/secrets?api-version=7.0&maxresults=25&_=1712127259280", + "path": "/secrets", + "port": 443, + "query": "api-version=7.0&maxresults=25&_=1712127259280", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_secret_list_deleted.json" + + ```json + + { + "message": "{\n \"time\": \"2024-04-04T06:44:25.3013619Z\",\n \"category\": \"AuditEvent\",\n \"operationName\": \"SecretListDeleted\",\n \"resultType\": \"Success\",\n \"correlationId\": \"d5f5868e-5280-41ba-a2e8-17bb3740ec1e\",\n \"callerIpAddress\": \"147.161.0.0\",\n \"identity\": {\n \"claim\": {\n \"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\",\n \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"scp\": \"user_impersonation\",\n \"appidacr\": \"0\",\n \"xms_az_nwperimid\": [],\n \"upn\": \"john.doe@dummy.onmicrosoft.com\",\n \"ipaddr\": \"147.161.0.0\",\n \"unique_name\": \"john.doe@dummy.onmicrosoft.com\",\n \"amr\": \"pwd\"\n }\n },\n \"properties\": {\n \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\",\n \"httpStatusCode\": 200,\n \"requestUri\": \"https://testpermissionvault.vault.azure.net/deletedsecrets?api-version=7.0\",\n \"isAccessPolicyMatch\": true,\n \"tlsVersion\": \"TLS1_3\"\n },\n \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\",\n \"operationVersion\": \"7.0\",\n \"resultSignature\": \"OK\",\n \"durationMs\": \"30\"\n}", + "event": { + "action": "SecretListDeleted", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:44:25.301361Z", + "azure": { + "key_vault": { + "correlation_id": "d5f5868e-5280-41ba-a2e8-17bb3740ec1e", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/deletedsecrets?api-version=7.0", + "path": "/deletedsecrets", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_secret_purge.json" + + ```json + + { + "message": "{\n \"time\": \"2024-04-04T06:45:24.3756181Z\",\n \"category\": \"AuditEvent\",\n \"operationName\": \"SecretPurge\",\n \"resultType\": \"Success\",\n \"resultDescription\": \"The user, group or application 'appid=3686488a-04fc-4d8a-b967-61f98ec41efe;oid=d4ba3e84-0444-4841-aaf7-XXXXXX;numgroups=2;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-XXXXXXXX/' does not have secrets purge permission on key vault 'testPermissionVault;location=francecentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287\",\n \"correlationId\": \"524974e7-1a6f-4a01-aded-a0b846311986\",\n \"callerIpAddress\": \"147.161.0.0\",\n \"identity\": {\n \"claim\": {\n \"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\",\n \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"scp\": \"user_impersonation\",\n \"appidacr\": \"0\",\n \"xms_az_nwperimid\": [],\n \"upn\": \"john.doe@dummy.onmicrosoft.com\",\n \"ipaddr\": \"147.161.0.0\",\n \"unique_name\": \"john.doe@dummy.onmicrosoft.com\",\n \"amr\": \"pwd\"\n }\n },\n \"properties\": {\n \"id\": \"https://testpermissionvault.vault.azure.net/deletedsecrets/mysecret\",\n \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\",\n \"httpStatusCode\": 403,\n \"requestUri\": \"https://testpermissionvault.vault.azure.net/deletedsecrets/mysecret?api-version=7.0\",\n \"isAccessPolicyMatch\": false,\n \"tlsVersion\": \"TLS1_3\"\n },\n \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\",\n \"operationVersion\": \"7.0\",\n \"resultSignature\": \"Forbidden\",\n \"durationMs\": \"17\"\n}", + "event": { + "action": "SecretPurge", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "failure", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:45:24.375618Z", + "azure": { + "key_vault": { + "correlation_id": "524974e7-1a6f-4a01-aded-a0b846311986", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/deletedsecrets/mysecret", + "isAccessPolicyMatch": false + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "description": "The user, group or application 'appid=3686488a-04fc-4d8a-b967-61f98ec41efe;oid=d4ba3e84-0444-4841-aaf7-XXXXXX;numgroups=2;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-XXXXXXXX/' does not have secrets purge permission on key vault 'testPermissionVault;location=francecentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287", + "signature": "Forbidden", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 403 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/deletedsecrets/mysecret?api-version=7.0", + "path": "/deletedsecrets/mysecret", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_secret_purge_1.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:45:40.6759307Z\", \"category\": \"AuditEvent\", \"operationName\": \"SecretPurge\", \"resultType\": \"Success\", \"resultDescription\": \"The user, group or application 'appid=3686488a-04fc-4d8a-b967-XXXXXXX;oid=d4ba3e84-0444-4841-aaf7-XXXXX;numgroups=2;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-10f72c103fc1/' does not have secrets purge permission on key vault 'testPermissionVault;location=francecentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287\", \"correlationId\": \"ef7f13ed-3382-4838-990f-5947bd778835\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-XXXXXXX\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/deletedsecrets/mysecret\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 403, \"requestUri\": \"https://testpermissionvault.vault.azure.net/deletedsecrets/mysecret?api-version=7.0\", \"isAccessPolicyMatch\": false, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.0\", \"resultSignature\": \"Forbidden\", \"durationMs\": \"10\"}", + "event": { + "action": "SecretPurge", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "failure", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:45:40.675930Z", + "azure": { + "key_vault": { + "correlation_id": "ef7f13ed-3382-4838-990f-5947bd778835", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-XXXXXXX", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/deletedsecrets/mysecret", + "isAccessPolicyMatch": false + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "description": "The user, group or application 'appid=3686488a-04fc-4d8a-b967-XXXXXXX;oid=d4ba3e84-0444-4841-aaf7-XXXXX;numgroups=2;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-10f72c103fc1/' does not have secrets purge permission on key vault 'testPermissionVault;location=francecentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287", + "signature": "Forbidden", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 403 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/deletedsecrets/mysecret?api-version=7.0", + "path": "/deletedsecrets/mysecret", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_secret_restore.json" + + ```json + + { + "message": "{\n \"time\": \"2024-04-04T06:44:17.4857222Z\",\n \"category\": \"AuditEvent\",\n \"operationName\": \"SecretRestore\",\n \"resultType\": \"Success\",\n \"resultDescription\": \"There was a conflict restoring the secret 'https://testpermissionvault.vault.azure.net/secrets/keykey/8fbb0accbfbe4ee4b025649ebabae465'. This can happen if either: a second secret with the same name was created after the first secret was deleted; thus trying to restore a secret whose name is already in use. To fix this, rename the second secret to something else so that the restore works. The second probable cause of this exception is when multiple operations are performed in parallel against the secret. To avoid this error, perform operations against a secret in a sequential manner.\",\n \"correlationId\": \"00f4eafb-43a6-412f-a908-fd20d5aef64c\",\n \"callerIpAddress\": \"147.161.0.0\",\n \"identity\": {\n \"claim\": {\n \"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\",\n \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"scp\": \"user_impersonation\",\n \"appidacr\": \"0\",\n \"xms_az_nwperimid\": [],\n \"upn\": \"john.doe@dummy.onmicrosoft.com\",\n \"ipaddr\": \"147.161.0.0\",\n \"unique_name\": \"john.doe@dummy.onmicrosoft.com\",\n \"amr\": \"pwd\"\n }\n },\n \"properties\": {\n \"id\": \"https://testpermissionvault.vault.azure.net/secrets/keykey\",\n \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\",\n \"httpStatusCode\": 409,\n \"requestUri\": \"https://testpermissionvault.vault.azure.net/secrets/restore?api-version=7.0\",\n \"isAccessPolicyMatch\": true,\n \"tlsVersion\": \"TLS1_3\"\n },\n \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\",\n \"operationVersion\": \"7.0\",\n \"resultSignature\": \"Conflict\",\n \"durationMs\": \"63\"\n}", + "event": { + "action": "SecretRestore", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:44:17.485722Z", + "azure": { + "key_vault": { + "correlation_id": "00f4eafb-43a6-412f-a908-fd20d5aef64c", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/secrets/keykey", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "description": "There was a conflict restoring the secret 'https://testpermissionvault.vault.azure.net/secrets/keykey/8fbb0accbfbe4ee4b025649ebabae465'. This can happen if either: a second secret with the same name was created after the first secret was deleted; thus trying to restore a secret whose name is already in use. To fix this, rename the second secret to something else so that the restore works. The second probable cause of this exception is when multiple operations are performed in parallel against the secret. To avoid this error, perform operations against a secret in a sequential manner.", + "signature": "Conflict", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 409 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/secrets/restore?api-version=7.0", + "path": "/secrets/restore", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_secret_update.json" + + ```json + + { + "message": "{\n \"time\": \"2024-04-03T14:09:01.6116910Z\",\n \"category\": \"AuditEvent\",\n \"operationName\": \"SecretUpdate\",\n \"resultType\": \"Success\",\n \"correlationId\": \"0394c72d-e46d-4888-980a-434efc5bca3e\",\n \"callerIpAddress\": \"147.161.0.0\",\n \"identity\": {\n \"claim\": {\n \"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXXXX\",\n \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"scp\": \"user_impersonation\",\n \"appidacr\": \"0\",\n \"xms_az_nwperimid\": [],\n \"upn\": \"john.doe@dummy.onmicrosoft.com\",\n \"ipaddr\": \"147.161.0.0\",\n \"unique_name\": \"john.doe@dummy.onmicrosoft.com\",\n \"amr\": \"pwd\"\n }\n },\n \"properties\": {\n \"id\": \"https://testpermissionvault.vault.azure.net/secrets/keykey/8fbb0accbfbe4ee4b025649ebabae465\",\n \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\",\n \"httpStatusCode\": 200,\n \"requestUri\": \"https://testpermissionvault.vault.azure.net/secrets/keykey/8fbb0accbfbe4ee4b025649ebabae465?api-version=7.0\",\n \"isAccessPolicyMatch\": true,\n \"secretProperties\": {\n \"attributes\": {\n \"enabled\": true,\n \"exp\": 1775199200\n }\n },\n \"tlsVersion\": \"TLS1_3\"\n },\n \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\",\n \"operationVersion\": \"7.0\",\n \"resultSignature\": \"OK\",\n \"durationMs\": \"79\"\n}", + "event": { + "action": "SecretUpdate", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-03T14:09:01.611691Z", + "azure": { + "key_vault": { + "correlation_id": "0394c72d-e46d-4888-980a-434efc5bca3e", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/secrets/keykey/8fbb0accbfbe4ee4b025649ebabae465", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/secrets/keykey/8fbb0accbfbe4ee4b025649ebabae465?api-version=7.0", + "path": "/secrets/keykey/8fbb0accbfbe4ee4b025649ebabae465", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_vault_get.json" + + ```json + + { + "message": "{\"time\": \"2024-04-02T08:20:41.7523185Z\", \"category\": \"AuditEvent\", \"operationName\": \"VaultGet\", \"resultType\": \"Success\", \"correlationId\": \"78d31457-b2b7-4da4-a76d-56bac62c1687\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"http://schemas.microsoft.com/identity/claims/objectidentifier\": \"d4ba3e84-0444-4841-aaf7-XXXXX\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\": \"john.doe@dummy.onmicrosoft.com\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\": \"john.doe@dummy.onmicrosoft.com\", \"appid\": \"c44b4083-3bb0-49c1-b47d-974e53cXXX\"}}, \"properties\": {\"id\": \"https://keytestint.vault.azure.net/\", \"clientInfo\": \"Mozilla/5.0\", \"requestUri\": \"https://management.azure.com/subscriptions/F40A1F1D-F2C6-4444-XXXX/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/keyTestInt?api-version=2023-08-01-preview\", \"httpStatusCode\": 200, \"properties\": {\"sku\": {\"Family\": \"A\", \"Name\": \"Standard\", \"Capacity\": null}, \"tenantId\": \"d91d59da-80cd-4224-baef-XXXXXXXX\", \"networkAcls\": null, \"enabledForDeployment\": false, \"enabledForDiskEncryption\": false, \"enabledForTemplateDeployment\": false, \"enableSoftDelete\": true, \"softDeleteRetentionInDays\": 90, \"enableRbacAuthorization\": true, \"enablePurgeProtection\": null}}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KEYTESTINT\", \"operationVersion\": \"2023-08-01-preview\", \"resultSignature\": \"OK\", \"durationMs\": \"16\"}", + "event": { + "action": "VaultGet", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-02T08:20:41.752318Z", + "azure": { + "key_vault": { + "correlation_id": "78d31457-b2b7-4da4-a76d-56bac62c1687", + "identity": { + "claim": { + "appid": "c44b4083-3bb0-49c1-b47d-974e53cXXX" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0", + "id": "https://keytestint.vault.azure.net/", + "tenantid": "d91d59da-80cd-4224-baef-XXXXXXXX" + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KEYTESTINT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "url": { + "domain": "management.azure.com", + "original": "https://management.azure.com/subscriptions/F40A1F1D-F2C6-4444-XXXX/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/keyTestInt?api-version=2023-08-01-preview", + "path": "/subscriptions/F40A1F1D-F2C6-4444-XXXX/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/keyTestInt", + "port": 443, + "query": "api-version=2023-08-01-preview", + "registered_domain": "azure.com", + "scheme": "https", + "subdomain": "management", + "top_level_domain": "com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0", + "os": { + "name": "Other" + } + } + } + + ``` + + +=== "test_event_vault_get_1.json" + + ```json + + { + "message": "{ \"time\": \"2024-03-30T22:29:57.2784858Z\", \"category\": \"AuditEvent\", \"operationName\": \"VaultGet\", \"resultType\": \"Success\", \"correlationId\": \"xxxxxxxxxxxxx\", \"callerIpAddress\": \"1.2.3.4\", \"identity\": {\"claim\":{\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"xxxxxxxxxxxxx\",\"appid\":\"app-id-xxxxxxxxxxxxx\"}}, \"properties\": {\"id\":\"https://keytestint.vault.azure.net/\",\"clientInfo\":\"AzureResourceGraph.IngestionWorkerService.global/1.2.3.4\",\"requestUri\":\"https://brazilsouth.management.azure.com/subscriptions/xxxxxxxx/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/keyTestInt?api-version=2023-07-01&MaskCMKEnabledProperties=true\",\"httpStatusCode\":200,\"properties\":{\"sku\":{\"Family\":\"A\",\"Name\":\"Standard\",\"Capacity\":null},\"tenantId\":\"xxxxx-xxxx-xxxx-xxxx-xxxxxx\",\"networkAcls\":null,\"enabledForDeployment\":false,\"enabledForDiskEncryption\":false,\"enabledForTemplateDeployment\":false,\"enableSoftDelete\":true,\"softDeleteRetentionInDays\":90,\"enableRbacAuthorization\":true,\"enablePurgeProtection\":null}}, \"resourceId\": \"/SUBSCRIPTIONS/xxxxxx/xxxxx/xxxxxxx/xxxxx/MICROSOFT.KEYVAULT/VAULTS/xxxxxxx\", \"operationVersion\": \"2023-07-01\", \"resultSignature\": \"OK\", \"durationMs\": \"17\"}", + "event": { + "action": "VaultGet", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-03-30T22:29:57.278485Z", + "azure": { + "key_vault": { + "correlation_id": "xxxxxxxxxxxxx", + "identity": { + "claim": { + "appid": "app-id-xxxxxxxxxxxxx" + } + }, + "properties": { + "clientInfo": "AzureResourceGraph.IngestionWorkerService.global/1.2.3.4", + "id": "https://keytestint.vault.azure.net/", + "tenantid": "xxxxx-xxxx-xxxx-xxxx-xxxxxx" + }, + "resource_id": "/SUBSCRIPTIONS/xxxxxx/xxxxx/xxxxxxx/xxxxx/MICROSOFT.KEYVAULT/VAULTS/xxxxxxx", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "brazilsouth.management.azure.com", + "original": "https://brazilsouth.management.azure.com/subscriptions/xxxxxxxx/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/keyTestInt?api-version=2023-07-01&MaskCMKEnabledProperties=true", + "path": "/subscriptions/xxxxxxxx/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/keyTestInt", + "port": 443, + "query": "api-version=2023-07-01&MaskCMKEnabledProperties=true", + "registered_domain": "azure.com", + "scheme": "https", + "subdomain": "brazilsouth.management", + "top_level_domain": "com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "AzureResourceGraph.IngestionWorkerService.global/1.2.3.4", + "os": { + "name": "Other" + } + } + } + + ``` + + +=== "test_event_vault_get_2.json" + + ```json + + { + "message": "{\n \"time\": \"2016-01-05T01:32:01.2691226Z\",\n \"resourceId\": \"/SUBSCRIPTIONS/361DA5D4-A47A-4C79-AFDD-XXXXXXXXXXXX/RESOURCEGROUPS/CONTOSOGROUP/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/CONTOSOKEYVAULT\",\n \"operationName\": \"VaultGet\",\n \"operationVersion\": \"2015-06-01\",\n \"category\": \"AuditEvent\",\n \"resultType\": \"Success\",\n \"resultSignature\": \"OK\",\n \"resultDescription\": \"\",\n \"durationMs\": \"78\",\n \"callerIpAddress\": \"104.40.82.76\",\n \"correlationId\": \"\",\n \"identity\": {\"claim\":{\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"d9da5048-2737-4770-bd64-XXXXXXXXXXXX\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\":\"live.com#username@outlook.com\",\"appid\":\"1950a258-227b-4e31-a9cf-XXXXXXXXXXXX\"}},\n \"properties\": {\"clientInfo\":\"azure-resource-manager/2.0\",\"requestUri\":\"https://control-prod-wus.vaultcore.azure.net/subscriptions/361da5d4-a47a-4c79-afdd-XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/contosokeyvault?api-version=2015-06-01\",\"id\":\"https://contosokeyvault.vault.azure.net/\",\"httpStatusCode\":200}\n }", + "event": { + "action": "VaultGet", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2016-01-05T01:32:01.269122Z", + "azure": { + "key_vault": { + "identity": { + "claim": { + "appid": "1950a258-227b-4e31-a9cf-XXXXXXXXXXXX" + } + }, + "properties": { + "clientInfo": "azure-resource-manager/2.0", + "id": "https://contosokeyvault.vault.azure.net/" + }, + "resource_id": "/SUBSCRIPTIONS/361DA5D4-A47A-4C79-AFDD-XXXXXXXXXXXX/RESOURCEGROUPS/CONTOSOGROUP/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/CONTOSOKEYVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "104.40.82.76" + ] + }, + "source": { + "address": "104.40.82.76", + "ip": "104.40.82.76" + }, + "url": { + "domain": "control-prod-wus.vaultcore.azure.net", + "original": "https://control-prod-wus.vaultcore.azure.net/subscriptions/361da5d4-a47a-4c79-afdd-XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/contosokeyvault?api-version=2015-06-01", + "path": "/subscriptions/361da5d4-a47a-4c79-afdd-XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/contosokeyvault", + "port": 443, + "query": "api-version=2015-06-01", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "control-prod-wus.vaultcore", + "top_level_domain": "net" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "azure-resource-manager/2.0", + "os": { + "name": "Other" + } + } + } + + ``` + + +=== "test_event_vault_get_3.json" + + ```json + + { + "message": "{\n \"time\": \"2016-01-05T01:32:01.2691226Z\",\n \"resourceId\": \"/SUBSCRIPTIONS/361DA5D4-A47A-4C79-AFDD-XXXXXXXXXXXX/RESOURCEGROUPS/CONTOSOGROUP/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/CONTOSOKEYVAULT\",\n \"operationName\": \"VaultGet\",\n \"operationVersion\": \"2015-06-01\",\n \"category\": \"AuditEvent\",\n \"resultType\": \"Success\",\n \"resultSignature\": \"Forbidden\",\n \"resultDescription\": \"\",\n \"durationMs\": \"78\",\n \"callerIpAddress\": \"104.40.82.76\",\n \"correlationId\": \"\",\n \"identity\": {\"claim\":{\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"d9da5048-2737-4770-bd64-XXXXXXXXXXXX\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\":\"live.com#username@outlook.com\",\"appid\":\"1950a258-227b-4e31-a9cf-XXXXXXXXXXXX\"}},\n \"properties\": {\"clientInfo\":\"azure-resource-manager/2.0\",\"requestUri\":\"https://control-prod-wus.vaultcore.azure.net/subscriptions/361da5d4-a47a-4c79-afdd-XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/contosokeyvault?api-version=2015-06-01\",\"id\":\"https://contosokeyvault.vault.azure.net/\",\"httpStatusCode\":200}\n }", + "event": { + "action": "VaultGet", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "failure", + "type": [ + "access" + ] + }, + "@timestamp": "2016-01-05T01:32:01.269122Z", + "azure": { + "key_vault": { + "identity": { + "claim": { + "appid": "1950a258-227b-4e31-a9cf-XXXXXXXXXXXX" + } + }, + "properties": { + "clientInfo": "azure-resource-manager/2.0", + "id": "https://contosokeyvault.vault.azure.net/" + }, + "resource_id": "/SUBSCRIPTIONS/361DA5D4-A47A-4C79-AFDD-XXXXXXXXXXXX/RESOURCEGROUPS/CONTOSOGROUP/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/CONTOSOKEYVAULT", + "result": { + "signature": "Forbidden", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "104.40.82.76" + ] + }, + "source": { + "address": "104.40.82.76", + "ip": "104.40.82.76" + }, + "url": { + "domain": "control-prod-wus.vaultcore.azure.net", + "original": "https://control-prod-wus.vaultcore.azure.net/subscriptions/361da5d4-a47a-4c79-afdd-XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/contosokeyvault?api-version=2015-06-01", + "path": "/subscriptions/361da5d4-a47a-4c79-afdd-XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/contosokeyvault", + "port": 443, + "query": "api-version=2015-06-01", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "control-prod-wus.vaultcore", + "top_level_domain": "net" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "azure-resource-manager/2.0", + "os": { + "name": "Other" + } + } + } + + ``` + + +=== "test_event_vault_get_4.json" + + ```json + + { + "message": "{\"time\":\"2024-04-17T13:34:17.9174081Z\",\"category\":\"AuditEvent\",\"operationName\":\"VaultGet\",\"resultType\":\"Success\",\"correlationId\":\"correlationIdValue\",\"callerIpAddress\":\"1.2.3.4\",\"identity\":{\"claim\":{\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"xxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\":\"test@test.com\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\":\"test@test.com\",\"appid\":\"appid-xxxxxxxxxxxxxxxxx\"}},\"properties\":{\"id\":\"https://testkey.vault.azure.net/\",\"clientInfo\":\"Mozilla/5.0\",\"requestUri\":\"https://management.azure.com/subscriptions/xxxxxxxxxxxxxxxx/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/testkey?api-version=2023-08-01-preview\",\"httpStatusCode\":200,\"properties\":{\"sku\":{\"Family\":\"A\",\"Name\":\"Standard\",\"Capacity\":null},\"tenantId\":\"tenantid-xxxxxxxxxxxxxxxxxxxxx\",\"networkAcls\":{\"bypass\":\"AzureServices\",\"defaultAction\":\"Allow\"},\"enabledForDeployment\":false,\"enabledForDiskEncryption\":false,\"enabledForTemplateDeployment\":true,\"enableSoftDelete\":true,\"softDeleteRetentionInDays\":90,\"enableRbacAuthorization\":true,\"enablePurgeProtection\":null}},\"resourceId\":\"/SUBSCRIPTIONS/xxxxxxxxxxxxxxxx/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/testkey\",\"operationVersion\":\"2023-08-01-preview\",\"resultSignature\":\"OK\",\"durationMs\":\"29\"}", + "event": { + "action": "VaultGet", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-17T13:34:17.917408Z", + "azure": { + "key_vault": { + "correlation_id": "correlationIdValue", + "identity": { + "claim": { + "appid": "appid-xxxxxxxxxxxxxxxxx" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0", + "id": "https://testkey.vault.azure.net/", + "tenantid": "tenantid-xxxxxxxxxxxxxxxxxxxxx" + }, + "resource_id": "/SUBSCRIPTIONS/xxxxxxxxxxxxxxxx/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/testkey", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "management.azure.com", + "original": "https://management.azure.com/subscriptions/xxxxxxxxxxxxxxxx/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/testkey?api-version=2023-08-01-preview", + "path": "/subscriptions/xxxxxxxxxxxxxxxx/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/testkey", + "port": 443, + "query": "api-version=2023-08-01-preview", + "registered_domain": "azure.com", + "scheme": "https", + "subdomain": "management", + "top_level_domain": "com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0", + "os": { + "name": "Other" + } + } + } + + ``` + + +=== "test_event_vault_patch.json" + + ```json + + { + "message": "{\"time\": \"2024-04-08T15:15:50.6257670Z\", \"category\": \"AuditEvent\", \"operationName\": \"VaultPatch\", \"resultType\": \"Success\", \"correlationId\": \"eb6f7f30-b6ae-4ba6-a6cf-fbe90d4d5121\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"http://schemas.microsoft.com/identity/claims/objectidentifier\": \"d4ba3e84-0444-4841-aaf7-XXXXXXXXXXXX\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\": \"john.doe@dummy.onmicrosoft.com\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\": \"john.doe@dummy.onmicrosoft.com\", \"appid\": \"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\"}}, \"properties\": {\"id\": \"https://myright3.vault.azure.net/\", \"clientInfo\": \"Mozilla/5.0\", \"requestUri\": \"https://management.azure.com/subscriptions/f40a1f1d-f2c6-4444-92a6-XXXX/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/myright3?api-version=2023-08-01-preview\", \"httpStatusCode\": 200, \"properties\": {\"sku\": {\"Family\": \"A\", \"Name\": \"Standard\", \"Capacity\": null}, \"tenantId\": \"d91d59da-80cd-4224-baef-10f72c103fc1\", \"networkAcls\": {\"bypass\": \"AzureServices\", \"defaultAction\": \"Allow\"}, \"enabledForDeployment\": true, \"enabledForDiskEncryption\": false, \"enabledForTemplateDeployment\": false, \"enableSoftDelete\": true, \"softDeleteRetentionInDays\": 90, \"enableRbacAuthorization\": false, \"enablePurgeProtection\": null}}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/MYRIGHT3\", \"operationVersion\": \"2023-08-01-preview\", \"resultSignature\": \"OK\", \"durationMs\": \"78\"}", + "event": { + "action": "VaultPatch", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-08T15:15:50.625767Z", + "azure": { + "key_vault": { + "correlation_id": "eb6f7f30-b6ae-4ba6-a6cf-fbe90d4d5121", + "identity": { + "claim": { + "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0", + "id": "https://myright3.vault.azure.net/", + "tenantid": "d91d59da-80cd-4224-baef-10f72c103fc1" + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/MYRIGHT3", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "url": { + "domain": "management.azure.com", + "original": "https://management.azure.com/subscriptions/f40a1f1d-f2c6-4444-92a6-XXXX/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/myright3?api-version=2023-08-01-preview", + "path": "/subscriptions/f40a1f1d-f2c6-4444-92a6-XXXX/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/myright3", + "port": 443, + "query": "api-version=2023-08-01-preview", + "registered_domain": "azure.com", + "scheme": "https", + "subdomain": "management", + "top_level_domain": "com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0", + "os": { + "name": "Other" + } + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`azure.key_vault.correlation_id` | `keyword` | The correlation id of the key vault operation | +|`azure.key_vault.identity.claim.amr` | `keyword` | The Authentication Method Reference of the identity. The amr claim contains an array of strings representing the authentication methods that were applied and verified during the user's sign-in. These strings represent identifiers for the authentication methods used, such as: +'pwd' for password-based authentication 'mfa' for multi-factor authentication 'otp' for one-time password 'sms' for authentication via SMS etc. | +|`azure.key_vault.identity.claim.appid` | `keyword` | The application id of the identity | +|`azure.key_vault.identity.claim.ipaddr` | `keyword` | The ip address of the identity | +|`azure.key_vault.identity.claim.oid` | `keyword` | The object id of the identity | +|`azure.key_vault.identity.claim.scp` | `keyword` | The scp of the identity | +|`azure.key_vault.identity.claim.unique_name` | `keyword` | The unique name of the identity | +|`azure.key_vault.properties.certificateIssuerProperties.name` | `keyword` | The name of the certificate issuer properties | +|`azure.key_vault.properties.clientInfo` | `keyword` | The client info of the key vault operation | +|`azure.key_vault.properties.id` | `keyword` | The id of the key vault operation | +|`azure.key_vault.properties.isAccessPolicyMatch` | `boolean` | Determines if access policy matches the expectations | +|`azure.key_vault.properties.keyProperties.type` | `keyword` | The type of the key properties | +|`azure.key_vault.properties.secretProperties.type` | `keyword` | The type of the secret properties | +|`azure.key_vault.properties.tenantid` | `keyword` | The tenant id of the key vault operation | +|`azure.key_vault.resource_id` | `keyword` | The resource id of the key vault operation | +|`azure.key_vault.result.description` | `keyword` | The result description of the key vault operation | +|`azure.key_vault.result.signature` | `keyword` | The result signature of the key vault operation | +|`azure.key_vault.result.type` | `keyword` | The result type of the key vault operation | +|`cloud.provider` | `keyword` | Name of the cloud provider. | +|`cloud.service.name` | `keyword` | The cloud service name. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.dataset` | `keyword` | Name of the dataset. | +|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`http.response.status_code` | `long` | HTTP response status code. | +|`source.ip` | `ip` | IP address of the source. | +|`tls.version` | `keyword` | Numeric part of the version parsed from the original string. | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`user.name` | `keyword` | Short name or login of the user. | +|`user_agent.original` | `keyword` | Unparsed user_agent string. | +