Azure Key Vault who did what auditing

Question

I have setup log analytics for Azure Key vault and can find the user IPs through this query.

AzureDiagnostics
| summarize count() by CallerIPAddress

But how can I find the activities done by a user(with a username), including the secrets/keys viewed?

score 1 · Answer 1 · answered Mar 30 '21 at 04:33

1

You can pass the correct Operation Name and get the results

search * 
| where Category=="AuditEvent"  and OperationName == "SecretGet"
| order by TimeGenerated desc

answered Mar 30 '21 at 04:33

Sajeetharan

It should be there – Sajeetharan Mar 31 '21 at 05:25
may I know the field name? – Blue Clouds Mar 31 '21 at 05:28
seems you cannot, it has only IP address, instead try using Powershell – Sajeetharan Mar 31 '21 at 06:19
how to do using powershell? – Blue Clouds Mar 31 '21 at 08:59
check if this helps https://stackoverflow.com/questions/59525218/how-to-audit-secret-key-access-in-key-vault – Sajeetharan Mar 31 '21 at 11:16
There is an 'idenitity' field which has the user email id, and in log analytics query, we cannot get it. IS that the difference? – Blue Clouds Mar 31 '21 at 14:42

1 Answers1