Detection: Key Vault Deleted

Overview

Detect when an Azure Key Vault instance was deleted. Key Vaults are critical for securely storing secrets, certificates, and encryption keys, and their deletion can result in data loss and disrupt applications relying on those secrets. Monitoring these events ensures the availability and security of sensitive resources.

References:

Usage

Run the detection in your terminal:

powerpipe detection run azure_activity_log_detections.detection.key_vault_deleted

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run azure_activity_log_detections.detection.key_vault_deleted --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
operation_name as operation,
resource_id as resource,
caller as actor,
tp_index::varchar as subscription_id,
resource_group_name as resource_group,
tp_id as source_id,
status as event_status,
*

from
  azure_activity_log
where
  operation_name = 'Microsoft.KeyVault/vaults/delete'
  and status = 'Succeeded'

order by
  timestamp desc;

Detection: Key Vault Deleted

Overview

Usage

SQL

Tags