Thursday, August 12, 2021

Azure Defender PoC Series – Azure Defender for Key Vault

Introduction

This Azure Defender PoC Series provides guidelines on how to perform a proof of concept for a specific Azure Defender plan. For a more holistic approach, where you need to validate Azure Security Center and Azure Defender together, please read the article How to Effectively Perform an Azure Security Center PoC.

Azure Key Vault is used to store and access secrets, such as API keys, passwords, certificates, or cryptographic keys. Because vaults hold such critical data, maximizing their threat protection is a priority, and Azure Defender for Key Vault provides that protection using Microsoft's security intelligence.

Planning

As part of your Azure Defender for Key Vault PoC you need to identify the use case scenarios that you want to validate. Some common scenarios include access from an IP that Microsoft Threat Intelligence has identified as suspicious, a user or service principal making anomalous changes to access policies, or an unusually high volume of operations within the Key Vault (the threshold is tailored to each tenant). You can use the alerts raised by Azure Defender for Key Vault as your starting point to plan which actions you want to execute.
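To make the two volume- and IP-based scenarios above concrete, here is an added example (not code from the original post or from Microsoft) that runs simple detection logic over constructed Key Vault audit records in JSON-lines form. The field names (`time`, `operationName`, `callerIpAddress`, `identity.claim.oid`), the watchlist IP and the baseline threshold are assumptions for this example; the baseline is the per-tenant tuning knob the post refers to.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the style of Key Vault AuditEvent diagnostic logs;
# the field names are an assumption for this example, not a copied schema.
SAMPLE_LOG = """
{"time":"2021-08-12T10:00:00Z","operationName":"SecretGet","resultType":"Success","callerIpAddress":"10.1.2.3","identity":{"claim":{"oid":"app-1"}}}
{"time":"2021-08-12T10:20:00Z","operationName":"SecretGet","resultType":"Success","callerIpAddress":"10.1.2.3","identity":{"claim":{"oid":"app-1"}}}
{"time":"2021-08-12T10:40:00Z","operationName":"SecretGet","resultType":"Success","callerIpAddress":"10.1.2.3","identity":{"claim":{"oid":"app-1"}}}
{"time":"2021-08-12T11:00:00Z","operationName":"SecretList","resultType":"Success","callerIpAddress":"10.1.2.9","identity":{"claim":{"oid":"app-2"}}}
{"time":"2021-08-12T11:00:10Z","operationName":"SecretList","resultType":"Success","callerIpAddress":"10.1.2.9","identity":{"claim":{"oid":"app-2"}}}
{"time":"2021-08-12T11:00:20Z","operationName":"SecretList","resultType":"Success","callerIpAddress":"10.1.2.9","identity":{"claim":{"oid":"app-2"}}}
{"time":"2021-08-12T11:00:30Z","operationName":"SecretList","resultType":"Success","callerIpAddress":"10.1.2.9","identity":{"claim":{"oid":"app-2"}}}
{"time":"2021-08-12T11:00:40Z","operationName":"SecretList","resultType":"Success","callerIpAddress":"10.1.2.9","identity":{"claim":{"oid":"app-2"}}}
{"time":"2021-08-12T11:00:50Z","operationName":"SecretList","resultType":"Success","callerIpAddress":"10.1.2.9","identity":{"claim":{"oid":"app-2"}}}
{"time":"2021-08-12T11:05:00Z","operationName":"VaultPatch","resultType":"Success","callerIpAddress":"203.0.113.7","identity":{"claim":{"oid":"user-3"}}}
"""

# Constructed watchlist standing in for a threat-intelligence feed (documentation range IP).
SUSPICIOUS_IPS = {"203.0.113.7"}

def parse_records(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_high_volume(records, baseline_per_window, window=timedelta(minutes=5)):
    """Return {caller: peak count} for callers that exceed baseline_per_window
    operations inside any sliding window of the given length."""
    by_caller = defaultdict(list)
    for r in records:
        ts = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
        by_caller[r["identity"]["claim"]["oid"]].append(ts)
    flagged = {}
    for caller, times in by_caller.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > baseline_per_window:
                flagged[caller] = max(flagged.get(caller, 0), count)
    return flagged

def detect_suspicious_ips(records, watchlist=SUSPICIOUS_IPS):
    """Return sorted (caller, ip) pairs whose source IP is on the watchlist."""
    return sorted({(r["identity"]["claim"]["oid"], r["callerIpAddress"])
                   for r in records if r["callerIpAddress"] in watchlist})
```

With a baseline of 4 operations per 5-minute window, `app-2` is flagged for its burst of 6 `SecretList` calls while `app-1`'s steady reads are not, and `user-3`'s policy change from the watchlisted IP is reported separately.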

Enabling this plan at the subscription level will not affect the performance of your Azure Key Vaults, since no agents are deployed and the analysis is performed in Azure's backend.

Preparation

You need at least the Security Admin role to enable Azure Defender for Key Vault. For more information about roles and privileges, visit this article.

From the readiness perspective, make sure to review the following resources to better understand Azure Defender for Key Vault:

Implementation and validation

You can use the sample alert feature to validate Azure Defender for Key Vault alerts, or you can simulate Azure Defender for Key Vault alerts by following the instructions in Validating Azure Key Vault threat detection in Azure Security Center.

Understanding the alerts for Key Vault can help you identify suspicious activities and eliminate noise if necessary. Read this article for more information on how to respond to Key Vault alerts.

Conclusion

By the end of this PoC you should be able to determine the value of this solution and the importance of having this level of threat detection for your workloads.

Reviewers

Walner Dort - Program Manager, Azure Security Machine Learning

@Yuri Diogenes - Principal Program Manager, Azure Security Center CxE

Posted at https://sl.advdat.com/2VTMmp0