Key Vault Secret Access Anomaly Alert
Using Key Vault diagnostic logs in Log Analytics, the flow checks on a schedule for unusual secret-access patterns - new principals, spikes, off-hours, denied attempts - logs findings to Dataverse, and alerts security in Teams with context. Detects credential misuse against Key Vault.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow detects credential misuse against Azure Key Vault. On a schedule it queries Key Vault diagnostic logs (AuditEvent telemetry shipped to a Log Analytics workspace) for unusual secret-access patterns - access spikes, denied attempts, off-hours access, and access by principals outside an approved baseline. Each flagged event is logged to a Dataverse table and a contextual alert is posted to a security Teams channel.
Why it matters: abnormal vault access can signal a compromised identity or leaked credential. Detecting it within the hour limits blast radius and gives security an auditable trail to investigate.
Ships Off (demo). The Log Analytics query uses the built-in HTTP action with AAD OAuth (no Log Analytics connection required).
Use Case
A security / IT-admin team wants automated alerting on anomalous Key Vault secret access without standing up a full SIEM rule. This flow runs hourly, evaluates the last hour of diagnostics, and pushes only the anomalous events to a Teams channel plus a Dataverse log for later review.
Flow Architecture
Every Hour
Recurrence: detection cadence (hourly).
Initialize Trace & Config
Initialize variable: mints a correlation id and binds the workspace, vault, spike threshold, off-hours window, lookback, baseline principals, tenant/app credentials, and Teams ids.
List Vault Secrets
Key Vault - ListSecrets: connector enrichment (vault inventory / reachability).
Query Access Logs
HTTP - Log Analytics query: runs a KQL query of Key Vault AuditEvent diagnostics over the lookback window (AAD OAuth).
Parse & Shape Events
Parse JSON + Select: maps the positional result rows into named access-event objects.
For Each Access Event
Apply to each: flags an event as anomalous on the OR of four rules (spike, new principal, denied, off-hours), classifies the anomaly type, logs it to Dataverse, and posts a security alert to Teams.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_LogAnalyticsWorkspaceId | String | <your-workspace-id> | Workspace holding Key Vault diagnostics. |
| flowlibs_KeyVaultName | String | flowlibs-vault.vault.azure.net | Monitored vault DNS name. |
| flowlibs_AnomalyAccessThreshold | String | 25 | Spike threshold per caller. |
| flowlibs_OffHoursStartHour | String | 22 | UTC hour off-hours begins. |
| flowlibs_OffHoursEndHour | String | 6 | UTC hour off-hours ends. |
| flowlibs_LookbackHours | String | 1 | Hours of logs inspected per run. |
| flowlibs_BaselinePrincipals | String | ["00000000-0000-0000-0000-000000000000"] | JSON list of approved caller identities. |
| flowlibs_TenantId | String | <your-tenant-id> | Entra tenant for the HTTP OAuth call. |
| flowlibs_AzureClientId | String | <your-client-id> | App registration with Log Analytics Reader. |
| flowlibs_AzureClientSecret | | | |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Azure Key Vault | shared_keyvault | ListSecrets |
| HTTP | shared_http | POST api.loganalytics.io/query |
| Microsoft Dataverse | shared_commondataserviceforapps | CreateRecord |
| Microsoft Teams | shared_teams | PostMessageToConversation |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Cadence
- Change the hourly recurrence (e.g. every 15 min) and set flowlibs_LookbackHours to match.
- Sensitivity
- Lower flowlibs_AnomalyAccessThreshold to catch smaller spikes; expand flowlibs_BaselinePrincipals to reduce new-principal noise.
- Off-hours window
- Adjust the off-hours start/end (UTC) to match your business hours.
- Sentinel incident
- Add an ARM/HTTP action after the Teams post to open a Microsoft Sentinel incident for escalation.
- Auto-remediation
- Chain a Key Vault access-policy update or principal disable behind an Approval for high-severity anomalies.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
EXPR.01 - Anomaly OR rule
Any one condition flags the event.
EXPR.02 - Off-hours flag (KQL)
Computed in the Log Analytics query.
EXPR.03 - Query timespan
ISO-8601 duration for the query window.
EXPR.04 - Correlation id
Stamped on each anomaly row and alert.
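As an added example that is not part of the flow or of this page, the following Python reproduces the three data-handling steps under Flow Architecture (Query Access Logs, Parse & Shape Events, For Each Access Event) and the four Key Expressions EXPR.01 to EXPR.04 over a constructed Log Analytics `/query` response: it builds the request body with an ISO-8601 timespan, zips the positional `columns`/`rows` into named events, and ORs the four rules (spike, new principal, denied, off-hours) before stamping a correlation id. The KQL text, the `CallerObjectId` column, the inclusive spike comparison and treating any non-`Success` `ResultType` as denied are assumptions; the Dataverse write and Teams post are not shown.

```python
"""Added example, not the flow's own code: builds the Log Analytics request body,
maps the positional result rows to named events, and applies the four anomaly
rules (spike, new principal, denied, off-hours) that the flow ORs together."""
import json
import uuid
from collections import Counter
from datetime import datetime

# Configuration mirroring the page's environment variables (defaults copied from the table).
CONFIG = {
    "workspace_id": "<your-workspace-id>",
    "vault_name": "flowlibs-vault.vault.azure.net",
    "spike_threshold": 25,
    "off_hours_start": 22,   # UTC hour off-hours begins
    "off_hours_end": 6,      # UTC hour off-hours ends
    "lookback_hours": 1,
    "baseline_principals": ["00000000-0000-0000-0000-000000000000"],
}

# Hypothetical KQL (assumption: the flow's real query is not on the page). CallerObjectId is
# assumed to be projected from whichever identity-claim column your diagnostics schema exposes.
KQL = (
    'AzureDiagnostics '
    '| where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent" '
    '| where OperationName startswith "Secret" '
    '| project TimeGenerated, OperationName, ResultType, CallerObjectId'
)


def query_body(lookback_hours):
    """Body for POST https://api.loganalytics.io/v1/workspaces/{id}/query:
    the KQL plus an ISO-8601 duration for the lookback window (EXPR.03)."""
    return {"query": KQL, "timespan": f"PT{int(lookback_hours)}H"}


def parse_events(response):
    """The /query response is positional: tables[0].columns names the slots and
    tables[0].rows holds the values. Zip them into dicts (the Parse JSON + Select step)."""
    table = response["tables"][0]
    names = [col["name"] for col in table["columns"]]
    return [dict(zip(names, row)) for row in table["rows"]]


def is_off_hours(hour, start, end):
    """Off-hours flag (EXPR.02; the flow computes it in KQL, this example in Python).
    The window may wrap midnight (22 -> 6), so handle both orderings."""
    if start > end:
        return hour >= start or hour < end
    return start <= hour < end


def classify(events, cfg, correlation_id):
    """Apply the OR of four rules (EXPR.01) to each event and return only the
    anomalous ones, each stamped with its anomaly types and the run's correlation id (EXPR.04)."""
    per_caller = Counter(e["CallerObjectId"] for e in events)
    baseline = set(cfg["baseline_principals"])
    flagged = []
    for e in events:
        hour = datetime.fromisoformat(e["TimeGenerated"].replace("Z", "+00:00")).hour
        reasons = []
        # Spike: the caller's count in the window reaches the threshold (inclusive here; assumption).
        if per_caller[e["CallerObjectId"]] >= cfg["spike_threshold"]:
            reasons.append("spike")
        if e["CallerObjectId"] not in baseline:
            reasons.append("new_principal")
        # Denied: any non-Success ResultType (Forbidden, Unauthorized, ...); assumption.
        if e["ResultType"] != "Success":
            reasons.append("denied")
        if is_off_hours(hour, cfg["off_hours_start"], cfg["off_hours_end"]):
            reasons.append("off_hours")
        if reasons:
            flagged.append({**e, "anomaly_types": reasons, "correlation_id": correlation_id})
    return flagged


# Constructed sample response in the /query shape; not real telemetry.
BASE = "00000000-0000-0000-0000-000000000000"
SAMPLE_RESPONSE = {
    "tables": [{
        "name": "PrimaryResult",
        "columns": [{"name": n, "type": "string"} for n in
                    ("TimeGenerated", "OperationName", "ResultType", "CallerObjectId")],
        "rows": [
            ["2024-05-01T10:00:00Z", "SecretGet", "Success", BASE],
            ["2024-05-01T10:05:00Z", "SecretGet", "Success", BASE],
            ["2024-05-01T10:10:00Z", "SecretGet", "Success", BASE],
            ["2024-05-01T23:15:00Z", "SecretGet", "Forbidden", "11111111-1111-1111-1111-111111111111"],
        ],
    }]
}


def run_sample():
    """One scheduled run over the sample; threshold lowered to 3 so the small sample spikes."""
    cfg = {**CONFIG, "spike_threshold": 3}
    events = parse_events(SAMPLE_RESPONSE)
    return classify(events, cfg, correlation_id=str(uuid.uuid4()))


if __name__ == "__main__":
    print(json.dumps(query_body(CONFIG["lookback_hours"]), indent=2))
    for anomaly in run_sample():
        print(anomaly["CallerObjectId"], anomaly["anomaly_types"])
```

On the sample, the three baseline calls are flagged as a spike and the single Forbidden call from the unknown principal at 23:15 UTC is flagged as new principal, denied and off-hours at once; the flow's "classifies the anomaly type" step corresponds to the `anomaly_types` list, and the one `correlation_id` per run is what lets the Dataverse rows and the Teams alert be joined later.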