AZKVAuditLogs
Audit logs can be used to monitor how and when your key vaults are accessed, and by whom. Customers will be able to log all authentication api requests. Operations on the key vault itself, including creation, deletion, setting key vault access policies, and updating key vault attributes such as tags.Operation on keys and secrets in keyvault including creating, deleting, signing.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | microsoft.keyvault/vaults |
| Categories | Azure Resources, Audit |
| Solutions | LogManagement |
| Basic log | Yes |
| Ingestion-time transformation | No |
| Sample Queries | Yes |
Columns
| Column | Type | Description |
|---|---|---|
| AddressAuthorizationType | string | Address type (Public IP, subnet, private connection) |
| Algorithm | string | Algorithm used to generate the key |
| AppliedAssignmentId | string | AssignmentId that eiher granted or denied access as part of access check |
| _BilledSize | real | The record size in bytes |
| CallerIpAddress | string | IP address of the client that made the request |
| CertificateIssuerProperties | dynamic | Information about certificate issuer properties including provider, id |
| CertificatePolicyProperties | dynamic | Information about certificate policy properties including keyproperties, secretproperties, issuerproperties |
| CertificateProperties | dynamic | Information about certificate audit properties including atttributes, subject, hashing algorithm |
| CertificateRequestProperties | dynamic | Boolean value indicating if certificate request operation was cancelled |
| ClientInfo | string | User agent information |
| CorrelationId | string | An optional GUID that the client can pass to correlate client-side logs with service-side (Key Vault) logs. |
| DurationMs | int | Time it took to service the REST API request, in milliseconds. This does not include the network latency, so the time you measure on the client side might not match this time |
| EnabledForDeployment | bool | Specifies if the vault is enabled for deployment |
| EnabledForDiskEncryption | bool | Specifes if disk encryption is enabled |
| EnabledForTemplateDeployment | bool | Specifies whether template deployment is enabled |
| EnablePurgeProtection | bool | Specifies if purge protection is enabled |
| EnableRbacAuthorization | bool | Specifies if RBAC authorization is enabled |
| EnableSoftDelete | bool | Specified is the vault is enabled for soft delete |
| HsmPoolResourceId | string | Resource ID of the HSM pool |
| HttpStatusCode | int | HTTP status code of the request |
| Id | string | Resourceidentifier (Key ID or secret ID) |
| Identity | dynamic | Identity from the token that was presented in the REST API request. This is usually a user, a service principal, or the combination user+appId, as in the case of a request that results from an Azure PowerShell cmdlet. |
| IsAccessPolicyMatch | bool | True if the tenant matches vault tenant, and if the policy explicitly gives permission to the principal attempting the access. |
| IsAddressAuthorized | bool | Specifies whether request came from an authorized entity |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| IsRbacAuthorized | bool | Specifies whether an access was granted or not as part of an access check |
| KeyProperties | dynamic | Information about key properties including type, size, curve |
| NetworkAcls | dynamic | Information about network acls that govern access to the vault |
| Nsp | dynamic | Network security perimeter properties including access control list, nsp id's associated with profiles. |
| OperationName | string | Name of the operation |
| OperationVersion | string | REST api version requested by the client. |
| Properties | dynamic | Information that varies based on the operation (Operationname). In most cases, this field contains client information (the user agent string passed by the client), the exact REST API request URI, and the HTTP status code. In addition, when an object is returned as a result of a request (for example, KeyCreate or VaultGet), it also contains the key URI (as id), vault URI, or secret URI. |
| RequestUri | string | URI of the request |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| ResultDescription | string | Additional description about the result, when available. |
| ResultSignature | string | HTTP status of the request/response |
| ResultType | string | Result of the REST API request. |
| SecretProperties | dynamic | Information about secret properties including type, atttributes |
| Sku | dynamic | Information about vault including family, name and capacity |
| SoftDeleteRetentionInDays | int | Specifies soft delete retention in days |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| StorageAccountProperties | dynamic | Information about storage account properties including activekeyname, resourceid |
| StorageSasDefinitionProperties | dynamic | Information about storage sas definition properties including sastype, validityperiod |
| SubnetId | string | Id of subnet if request comes from a known subnet |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Timestamp (in UTC) when operation occured. |
| Tlsversion | string | Network crypto protocol |
| TrustedService | string | Specifies whether the principal access the service is a trusted Service. If this field is null, principal is not a trusted service |
| Type | string | The name of the table |
| VaultProperties | dynamic | Detailed vault properties containing accesspolicy, iprule, virtualnetwork etc |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for