Skip to content

AZT704.1 - Soft-Delete Recovery: Key Vault#

An adversary may recover a key vault object found in a 'soft deletion' state.

Resource

Azure Key Vault

Actions

  • Microsoft.KeyVault/vaults/*/restore

  • Microsoft.KeyVault/locations/deletedVaults/read

Examples

portal

Detections

Logs#

Data Source Operation Name Action Log Provider
Resource SecretRecover Microsoft.KeyVault/vaults/*/restore AzureDiagnostics

Queries#

Platform Query
Log Analytics AzureDiagnostics | where OperationName == 'SecretRecover' or OperationName == 'KeyRecover' or OperationName == 'CertificateRecover'

Azure Monitor Alert#

Deploy to Azure

Additional Resources