Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|---|
azure_defender_for_key_vault | Azure Defender for Key Vault | detect | minimal | T1580 | Cloud Infrastructure Discovery | Comments: This control may alert on suspicious access of key vaults, including suspicious listing of key vault contents. It does not alert on discovery of other cloud services, such as VMs, snapshots, and cloud storage, and therefore has minimal coverage. Because suspicious activity is identified from patterns of access by certain users and applications, false positive rates can be managed. |
azure_defender_for_key_vault | Azure Defender for Key Vault | detect | partial | T1555 | Credentials from Password Stores | Comments: This control may detect suspicious secret access from Azure key vaults. It does not apply to any sub-techniques under T1555 - Credentials from Password Stores, but Azure Key Vault can be treated as a store for passwords, keys, and certificates. The coverage of this control could be deemed high for cloud credential and secret storage within Key Vault, but it is not applicable to traditional password stores, such as password managers, keychain, or web browsers. |

Capability ID | Capability Name | Number of Mappings |
---|---|---|
azure_defender_for_key_vault | Azure Defender for Key Vault | 2 |