Skip to content

Latest commit

 

History

History
178 lines (107 loc) · 5.09 KB

README.md

File metadata and controls

178 lines (107 loc) · 5.09 KB

gablogo

Goal

Configuring Key Vault Analytics solution and creating KeyVault alerts.

Installing the solution

  1. Go to the ResourceGroup gab2018-dev, select the KeyVault gab2018-dev-kv.

  2. In the menu, select Log analytics (OMS).

step4_001

  1. Select + Add and type Key Vault Analytics in the search box.

  2. In the results select Key Vault Analytics.

step4_002

  1. Select Create

step4_003

  1. Select the OMS workspace named gab2018-dev-oms-all

step4_004

  1. To deploy the solution, select Create

step4_005

  1. The Key Vault Analytics solution should now be available in the ResourceGroup gab2018-dev.

step4_006

Enabling Key Vault diagnostics to be sent to Log Analytics

  1. Go to the ResourceGroup gab2018-dev, select the KeyVault gab2018-dev-kv.

  2. In the menu, select Diagnostics logs.

step4_007

  1. Select + Add diagnostic setting.

step4_008

  1. In the Name textbox type Log Analytics.

  2. Select Send to Log Analytics.

  3. Select Configure and choose the OMS workspace named gab2018-dev-oms-all

  4. In Log, check the checkbox AuditEvent

  5. Select Save

step4_009

Access the KeyVault Secrets

  1. Go to the ResourceGroup gab2018-dev, select the KeyVault gab2018-dev-kv.

  2. In the menu, select Secrets.

step4_010

  1. Select a secret in the list, select the current version and select the Show secret value.

step4_011

The goal here is to create access logs to the KeyVault, so we will be able to use it later. It should take up to 15-20 minutes to be able to use those logs.

Creating an alert with Log Analytics for when KeyVault secrets are accessed

  1. Go to the ResourceGroup gab2018-dev, select the Key Vault Analytics resource KeyVaultAnalytics(gab2018-dev-oms-all).

  2. In the overview summary, select the Key Vault Analytics.

step4_012

  1. In ALL OPERATIONS, select the SecretGet operation.

step4_013

  1. Select + New Alert Rule

step4_014

  1. In 1.Define alert condition select Alert Criteria

step4_015

  1. In the Alert Logic, set the Threshold value to 1 and select Done

step4_016

  1. In 2.Define alert details, enter the following values:
  • Alert rule name: KeyVault Secret Accessed
  • Description: Triggered when Key Vault secrets are accessed more than two times in 5 minutes.
  • Severity: Informational(Sev 2)

step4_017

  1. In 3.Define action group, select + New action group.

Enter the following values:

  • Action group name: Email Alert group
  • Short name: EmailGroup.
  1. In the actions, create an action with the following values:
  • Action name: SendEmail
  • Action Type: Email/SMS/Push/Voice

  1. Select Edit details, enter your Email and select OK.

  2. Finalize the creation of the by selecting OK

step4_018

  1. Wait for the action group to be created, and select Select action group.

  2. Choose the created action group in the list and select Add.

  3. Now select Create alert rule to finalize the creation of the alert and wait for it to be created.

step4_019

  1. Go to the ResourceGroup gab2018-dev, select the Log Analytics resource gab2018-dev-oms-all.

  2. Select Alerts and ensure the alert was properly created.

step4_020

Test and receive an alert

  1. Go to the ResourceGroup gab2018-dev, select the KeyVault gab2018-dev-kv.

  2. Then in the menu, select Secrets.

step4_010

  1. Select the first secret in the list and select the current version.

  2. Go back to the list, select the second secret and select the current version.

step4_021

It should take up a few minutes to receive the KeyVault secrets accessed alert.

Reference

End

Previous Step Next Step