What Changed
Two new ASIM parsers (ASimAuditEventAzureKeyVault and vimAuditEventAzureKeyVault) were added to normalize audit events from Azure Key Vault, supporting both legacy AzureDiagnostics and the newer AZKVAuditLogs tables.
Parser Impact
The parsers normalize audit events from both AzureDiagnostics (legacy) and AZKVAuditLogs (resource-specific) tables into the ASIM AuditEvent schema. This provides a unified view of Azure Key Vault operations including:
- Vault operations: VaultGet, VaultPut, VaultDelete, VaultPatch, VaultList
- Secret management: SecretGet, SecretSet, SecretDelete, SecretList, SecretPurge, SecretBackup, SecretRestore, SecretRecover
- Key operations: KeyGet, KeyCreate, KeyDelete, KeyList, KeyUpdate, KeyPurge, KeyBackup, KeyRestore, KeyRecover, plus cryptographic operations (KeySign, KeyVerify, KeyWrap, KeyUnwrap, KeyEncrypt, KeyDecrypt)
- Certificate management: CertificateGet, CertificateCreate, CertificateDelete, CertificateList, CertificateUpdate, CertificatePurge, CertificateRecover, CertificateImport
The parser maps each operation to standardized ASIM event types (Read, Set, Delete, Create, Execute, Other) and extracts actor information from Azure AD claims, enabling detection engineers to write source-agnostic queries for key management monitoring.
Detection Surface Unlocked
These parsers enable standardized monitoring of high-value Azure Key Vault activities, which is critical for detecting:
- Unauthorized secret/key access attempts
- Bulk key/secret enumeration indicating reconnaissance
- Cryptographic operations that may indicate lateral movement
- Certificate manipulation for persistence
- Policy changes affecting vault security
Detection engineers can now use ASIM AuditEvent queries to monitor Key Vault activities alongside other audit sources without writing service-specific KQL.
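As an added illustration (not part of this change or the repository), the following KQL uses the ASIM AuditEvent unifying function to surface the "bulk key/secret enumeration" case listed above. It assumes the function is named _Im_AuditEvent with starttime/endtime parameters, that the normalized fields are EventType, Operation, ActorUsername, SrcIpAddr and Object, and that the parser keeps the Key Vault operation name (e.g. SecretList) in Operation; the threshold is a placeholder.

```kql
// Added example, not from the original change: actors issuing many Key Vault
// enumeration (List) operations within a short window.
// Assumptions: _Im_AuditEvent exists with starttime/endtime parameters, and the
// normalized Operation field carries the raw Key Vault operation name.
let lookback = 1h;
let list_threshold = 20;   // placeholder threshold; tune per environment
let enumeration_ops = dynamic(["VaultList", "SecretList", "KeyList", "CertificateList"]);
_Im_AuditEvent(starttime=ago(lookback), endtime=now())
| where Operation in (enumeration_ops)
| summarize
    ListCount = count(),               // how many List calls in the window
    DistinctObjects = dcount(Object),  // how many distinct vault objects touched
    Operations = make_set(Operation),  // which object types were enumerated
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by ActorUsername, SrcIpAddr, Window = bin(TimeGenerated, 10m)
| where ListCount >= list_threshold
| order by ListCount desc
```

Because the query runs over the unifying function, it also returns matching events from any other AuditEvent source unless you narrow it to Key Vault (for example on EventProduct, whose value for this parser is not stated here).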
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/AZKVAuditLogs.json
.script/tests/KqlvalidationsTests/CustomTables/AzureDiagnostics.json
ASIM/dev/ASimTester/ASimTester.csv
Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json
Parsers/ASimAuditEvent/ARM/ASimAuditEventAzureKeyVault/ASimAuditEventAzureKeyVault.json
Parsers/ASimAuditEvent/ARM/ASimAuditEventAzureKeyVault/README.md
Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json
Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json
Parsers/ASimAuditEvent/ARM/vimAuditEventAzureKeyVault/README.md
Parsers/ASimAuditEvent/ARM/vimAuditEventAzureKeyVault/vimAuditEventAzureKeyVault.json
Parsers/ASimAuditEvent/CHANGELOG/ASimAuditEvent.md
Parsers/ASimAuditEvent/CHANGELOG/AsimAuditEventAzureKeyVault.md
Parsers/ASimAuditEvent/CHANGELOG/imAuditEvent.md
Parsers/ASimAuditEvent/CHANGELOG/vimAuditEventAzureKeyVault.md
Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml
Parsers/ASimAuditEvent/Parsers/ASimAuditEventAzureKeyVault.yaml
Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml
Parsers/ASimAuditEvent/Parsers/vimAuditEventAzureKeyVault.yaml