Introduction
This Microsoft Defender for Cloud PoC Series provides guidelines on how to perform a proof of concept for a specific Microsoft Defender plan. For a more holistic approach where you need to validate Microsoft Defender for Cloud, please read How to Effectively Perform a Microsoft Defender for Cloud PoC article.
Azure Key Vault is used to store and access secrets, such as API keys, passwords, certificates, or cryptographic keys. Having critical data makes it a priority to maximize the threat protection of the vaults that can be provided with the security intelligence of Microsoft Defender for Key Vault.
Planning
As part of your Microsoft Defender for Key Vault PoC you need to identify the use case scenarios that you want to validate. Some common scenarios include access from an IP that was identified by Microsoft Threat Intelligence as suspicious, a user/service principal performing anomalous changes in policies or a high volume of operations – tailored to each tenant – within the Key Vault. You can use the Alerts identified by Microsoft Defender for Key Vault as your starting point to plan which actions you want to execute.
Enabling this bundle at the subscription level will not affect the performance of your Azure Key Vaults since there are no agents and it is performed in Azure’s backend.
Preparation
You need at least Security Admin role to enable Microsoft Defender for Key Vault. For more information about roles and privileges, visit this article.
From the readiness perspective, make sure to review the following resources to better understand Azure Defender for Key Vault:
Implementation and validation
You can use the sample alert feature to validate Microsoft Defender for Key Vault alerts, or you can simulate Microsoft Defender for Key Vault alerts by following the instructions in Validating Azure Key Vault threat detection in Microsoft Defender for Cloud.
Understanding the alerts for Key Vault can help you identify suspicious activities and eliminate noise if necessary. Read this article for more information on how to respond to Key Vault alerts.
Conclusion
By the end of this PoC you should be able to determine the value of this solution and the importance to have this level of threat detection to your workloads.
P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases and join our Tech Community where you can be one of the first to hear the latest Microsoft Defender for Cloud news, announcements and get your questions answered by experts.
Reviewers
Walner Dort - Program Manager, Azure Security Machine Learning
@Yuri Diogenes - Principal PM Manager, Microsoft Defender for Cloud CxE
