Microsoft.KeyVault/vaults

2 diagnostic categories routing into 3 Log Analytics tables.

allLogs audit

Source: Microsoft Learn

Diagnostic categories

  • AuditEvent

    Audit Logs

    PII
    Routes to
    AzureDiagnostics
    Per-category table
    AZKVAuditLogs
    KQL starter
    // Starter query for category AuditEvent
    AZKVAuditLogs
    | where TimeGenerated > ago(1h)
    | project TimeGenerated, OperationName, ResultType, ResultDescription, ResultSignature
    | take 100
  • AzurePolicyEvaluationDetails

    Azure Policy Evaluation Details

    Cost to export
    Routes to
    AzureDiagnostics
    Per-category table
    AZKVPolicyEvaluationDetailsLogs
    KQL starter
    // Starter query for category AzurePolicyEvaluationDetails
    AZKVPolicyEvaluationDetailsLogs
    | where TimeGenerated > ago(1h)
    | project TimeGenerated, OperationName, ResultType, ResultDescription, ResultSignature
    | take 100

Destination tables

  • AZKVAuditLogs

    PII

    Audit logs can be used to monitor how and when your key vaults are accessed, and by whom. Customers can log all authentication API requests. This includes operations on the key vault itself, including creation, deletion, setting key vault access policies, and updating key vault attributes such as tags. It also includes operations on keys and secrets in the key vault, including creating, deleting, and signing.

    51 columns

    Column Type Description
    AddressAuthorizationType string Address type (Public IP, subnet, private connection)
    Algorithm string Algorithm used to generate the key
    AppliedAssignmentId string AssignmentId that either granted or denied access as part of access check
    _BilledSize real The record size in bytes
    CallerIpAddress PII string IP address of the client that made the request
    CertificateIssuerProperties dynamic Information about certificate issuer properties including provider, id
    CertificatePolicyProperties dynamic Information about certificate policy properties including keyproperties, secretproperties, issuerproperties
    CertificateProperties dynamic Information about certificate audit properties including attributes, subject, hashing algorithm
    CertificateRequestProperties dynamic Boolean value indicating if certificate request operation was cancelled
    ClientInfo PII string User agent information
    CorrelationId string An optional GUID that the client can pass to correlate client-side logs with service-side (Key Vault) logs.
    DurationMs int Time it took to service the REST API request, in milliseconds. This does not include the network latency, so the time you measure on the client side might not match this time
    EnabledForDeployment bool Specifies if the vault is enabled for deployment
    EnabledForDiskEncryption bool Specifies if disk encryption is enabled
    EnabledForTemplateDeployment bool Specifies whether template deployment is enabled
    EnablePurgeProtection bool Specifies if purge protection is enabled
    EnableRbacAuthorization bool Specifies if RBAC authorization is enabled
    EnableSoftDelete bool Specifies if the vault is enabled for soft delete
    HsmPoolResourceId string Resource ID of the HSM pool
    HttpStatusCode int HTTP status code of the request
    Id string Resource identifier (Key ID or secret ID)
    Identity PII dynamic Identity from the token that was presented in the REST API request. This is usually a user, a service principal, or the combination user+appId, as in the case of a request that results from an Azure PowerShell cmdlet.
    IsAccessPolicyMatch bool True if the tenant matches vault tenant, and if the policy explicitly gives permission to the principal attempting the access.
    IsAddressAuthorized bool Specifies whether request came from an authorized entity
    _IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account
    IsRbacAuthorized bool Specifies whether an access was granted or not as part of an access check
    KeyProperties dynamic Information about key properties including type, size, curve
    NetworkAcls dynamic Information about network ACLs that govern access to the vault
    Nsp dynamic Network security perimeter properties including access control list, NSP IDs associated with profiles.
    OperationName string Name of the operation
    OperationVersion string REST API version requested by the client.
    Properties PII dynamic Information that varies based on the operation (OperationName). In most cases, this field contains client information (the user agent string passed by the client), the exact REST API request URI, and the HTTP status code. In addition, when an object is returned as a result of a request (for example, KeyCreate or VaultGet), it also contains the key URI (as id), vault URI, or secret URI.
    RequestUri string URI of the request
    _ResourceId string A unique identifier for the resource that the record is associated with
    ResultDescription string Additional description about the result, when available.
    ResultSignature string HTTP status of the request/response
    ResultType string Result of the REST API request.
    SecretProperties dynamic Information about secret properties including type, attributes
    Sku dynamic Information about vault including family, name and capacity
    SoftDeleteRetentionInDays int Specifies soft delete retention in days
    SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
    StorageAccountProperties dynamic Information about storage account properties including activekeyname, resourceid
    StorageSasDefinitionProperties dynamic Information about storage sas definition properties including sastype, validityperiod
    SubnetId string Id of subnet if request comes from a known subnet
    _SubscriptionId string A unique identifier for the subscription that the record is associated with
    TenantId string The Log Analytics workspace ID
    TimeGenerated datetime Timestamp (in UTC) when operation occurred.
    Tlsversion string Network crypto protocol
    TrustedService string Specifies whether the principal accessing the service is a trusted service. If this field is null, the principal is not a trusted service
    Type string The name of the table
    VaultProperties dynamic Detailed vault properties containing accesspolicy, iprule, virtualnetwork etc
  • AZKVPolicyEvaluationDetailsLogs

    Contains details of Azure Policy Evaluation including the outcome and details of what checks were performed.

    18 columns

    Column Type Description
    _BilledSize real The record size in bytes
    DurationMs int Time it took to service the REST API request, in milliseconds. This does not include the network latency, so the time you measure on the client side might not match this time
    EvaluationDetails dynamic Details of evaluation
    _IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account
    IsComplianceCheck bool Is Compliance check enabled
    ObjectName string Name of the object
    ObjectType string Type of object
    OperationName string Name of the operation
    Properties PII dynamic Information that varies based on the operation (operationName). In most cases, this field contains client information (the user agent string passed by the client), the exact REST API request URI, and the HTTP status code. In addition, when an object is returned as a result of a request (for example, KeyCreate or VaultGet), it also contains the key URI (as id), vault URI, or secret URI
    _ResourceId string A unique identifier for the resource that the record is associated with
    ResultDescription string Additional description about the result, when available
    ResultSignature string HTTP status of the request/response
    ResultType string Result of the REST API request
    SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
    _SubscriptionId string A unique identifier for the subscription that the record is associated with
    TenantId string The Log Analytics workspace ID
    TimeGenerated datetime Timestamp (in UTC) when operation occurred.
    Type string The name of the table
  • AzureDiagnostics

    PII

    Stores resource logs for Azure services that use Azure Diagnostics mode. Resource logs describe the internal operation of Azure resources.

    174 columns

    Column Type Description
    action_id_s String
    action_name_s String
    action_s String
    ActivityId_g Guid
    AdditionalFields
    AdHocOrScheduledJob_s String
    application_name_s String
    audit_schema_version_d Double
    avg_cpu_percent_s String
    avg_mean_time_s String
    backendHostname_s String
    Caller_s String
    callerId_s String
    CallerIPAddress PII String
    calls_s String
    Category String
    client_ip_s String
    clientInfo_s String
    clientIP_s String
    clientIp_s String
    clientIpAddress_s PII String
    clientPort_d Double
    code_s String
    collectionName_s String
    conditions_destinationIP_s String
    conditions_destinationPortRange_s String
    conditions_None_s String
    conditions_protocols_s String
    conditions_sourceIP_s String
    conditions_sourcePortRange_s String
    CorrelationId String
    count_executions_d Double
    cpu_time_d Double
    database_name_s String
    database_principal_name_s String
    DatabaseName_s String
    db_id_s String
    direction_s String
    dop_d Double
    duration_d Double
    duration_milliseconds_d Double
    DurationMs BigInt
    ElasticPoolName_s String
    endTime_t DateTime
    Environment_s String
    error_code_s String
    error_message_s String
    errorLevel_s String
    event_class_s String
    event_s String
    event_subclass_s String
    event_time_t DateTime
    EventName_s String
    execution_type_d Double
    executionInfo_endTime_t DateTime
    executionInfo_exitCode_d Double
    executionInfo_startTime_t DateTime
    host_s String
    httpMethod_s String
    httpStatus_d Double
    httpStatusCode_d Double
    httpStatusCode_s String
    httpVersion_s String
    id_s String
    identity_claim_appid_g Guid
    identity_claim_ipaddr_s String
    instanceId_s String
    interval_end_time_d Double
    interval_start_time_d Double
    ip_s String
    is_column_permission_s String
    isAccessPolicyMatch_b Bool
    JobDurationInSecs_s String
    JobFailureCode_s String
    JobId_g Guid
    jobId_s String
    JobOperation_s String
    JobOperationSubType_s String
    JobStartDateTime_s String
    JobStatus_s String
    JobUniqueId_g Guid
    Level String
    log_bytes_used_d Double
    logical_io_reads_d Double
    logical_io_writes_d Double
    LogicalServerName_s String
    macAddress_s String
    matchedConnections_d Double
    max_cpu_time_d Double
    max_dop_d Double
    max_duration_d Double
    max_log_bytes_used_d Double
    max_logical_io_reads_d Double
    max_logical_io_writes_d Double
    max_num_physical_io_reads_d Double
    max_physical_io_reads_d Double
    max_query_max_used_memory_d Double
    max_rowcount_d Double
    max_time_s String
    mean_time_s String
    Message String
    min_time_s String
    msg_s String
    num_physical_io_reads_d Double
    object_id_d Double
    object_name_s String
    OperationName String
    OperationVersion String
    partitionKey_s String
    physical_io_reads_d Double
    plan_id_d Double
    policy_s String
    policyMode_s String
    primaryIPv4Address_s String
    priority_d Double
    properties_enabledForDeployment_b Bool
    properties_enabledForDiskEncryption_b Bool
    properties_enabledForTemplateDeployment_b Bool
    properties_s String
    properties_sku_Family_s String
    properties_sku_Name_s String
    properties_tenantId_g Guid
    query_hash_s String
    query_id_d Double
    query_max_used_memory_d Double
    query_plan_hash_s String
    query_time_d Double
    querytext_s String
    receivedBytes_d Double
    Region_s String
    requestCharge_s String
    requestQuery_s String
    requestResourceId_s String
    requestResourceType_s String
    requestUri_s String
    reserved_storage_mb_s String
    Resource String
    resource_actionName_s String
    resource_location_s String
    resource_originRunId_s String
    resource_resourceGroupName_s String
    resource_runId_s String
    resource_subscriptionId_g Guid
    resource_triggerName_s String
    resource_workflowId_g Guid
    resource_workflowName_s String
    ResourceGroup String
    _ResourceId String A unique identifier for the resource that the record is associated with
    ResourceProvider String
    ResourceType String
    response_rows_d Double
    resultCode_s String
    ResultDescription String
    resultDescription_ChildJobs_s String
    resultDescription_ErrorJobs_s String
    resultMessage_s String
    ResultSignature String
    ResultType String
    rootCauseAnalysis_s String
    routingRuleName_s String
    rowcount_d Double
    ruleName_s String
    RunbookName_s String
    RunOn_s String
    schema_name_s String
    sentBytes_d Double
    sequence_group_id_g Guid
    sequence_number_d Double
    server_principal_sid_s String
    session_id_d Double