You can monitor how and when your key vaults are accessed, and by whom, by enabling logging for Azure Key Vault. The log data is saved to an Azure storage account that you provide.
What is logged:
- All authenticated REST API requests, including failed requests as a result of access permissions, system errors, or bad requests.
- Operations on the key vault itself, including creation, deletion, setting key vault access policies, and updating key vault attributes such as tags.
- Operations on keys and secrets in the key vault, including:
  - Creating, modifying, or deleting these keys or secrets.
  - Signing, verifying, encrypting, decrypting, wrapping and unwrapping keys, getting secrets, and listing keys and secrets (and their versions).
- Unauthenticated requests that result in a 401 response. Examples are requests that don't have a bearer token, that are malformed or expired, or that have an invalid token.
- Azure Event Grid notification events for the following conditions: expired, near expiration, and changed vault access policy (the new version event isn't logged). Events are logged even if there's an event subscription created on the key vault. For more information, see Azure Key Vault as Event Grid source.
...
Description:
With Azure diagnostic logs, you can view core analytics and save them into one or more destinations including:
- Azure Storage account
- Log Analytics workspace
- Azure Event Hubs
The services listed below all support diagnostic logs, which are used to troubleshoot, audit, and keep a record of ongoing activity. Enable them so that, if an incident occurs, the activity history for the affected service is already available.
Solution/Reference:
Full instructions to perform this for a variety of services can be found here:
- Azure Stream Analytics: https://docs.microsoft.com/en-us/azure/stream-analytics/stream-analytics-job-diagnostic-logs
- Key Vault: https://docs.microsoft.com/en-us/azure/key-vault/general/howto-logging and https://docs.microsoft.com/en-us/azure/key-vault/general/logging?tabs=Vault
- Batch Accounts: https://docs.microsoft.com/en-us/azure/batch/batch-diagnostics
- Event Hub: https://docs.microsoft.com/en-us/azure/event-hubs/monitor-event-hubs-reference#resource-logs
- Service Bus: https://docs.microsoft.com/en-us/azure/service-bus-messaging/monitor-service-bus-reference#resource-logs
- Virtual Machine Scale Sets: https://medium.com/microsoftazure/adding-diagnostic-extensions-to-an-existing-azure-vm-scale-set-a5a5f6320b2c