An ingestion label identifies the parser which normalizes raw log data to structured
UDM format. The information in this document applies to the parser with theAZURE_KEYVAULT_AUDIingestion label.
Before you begin
Ensure that you have the following prerequisites:
Azure subscription that you can sign in to
Azure Key Vault environment (tenant) in Azure
Global administrator or Azure Key Vault administrator role
Azure storage account to store the logs
Configure a storage account
Sign in to theAzureportal.
In theAzureconsole, search forStorage accounts.
Select the storage account that the logs must be pulled from, and then selectAccess key. To create a new storage account, do the following:
ClickCreate.
Enter a name for the new storage account.
Select the subscription, resource group, region, performance, and redundancy for the account. We recommend setting the performance tostandard, and the redundancy toGRSorLRS.
ClickReview + create.
Review the overview of the account and clickCreate.
ClickShow keysand make a note of the shared key for the storage account.
SelectEndpointsand make a note of theBlob serviceendpoint.
For more information about creating a storage account, see theCreate an Azure storage accountsection in theMicrosoft documentation.
Configure Azure Key Vault logging
In theAzureportal, go toKey vaultsand select the key vault that you want to configure for logging.
In theMonitoringsection, selectDiagnostic settings.
SelectAdd diagnostic setting. TheDiagnostics settingswindow provides the settings for the diagnostic logs.
In theDiagnostic setting namefield, specify the name for diagnostic setting.
In theCategory groupssection, select theauditcheckbox.
In theRetention (days)field, specify a log retention value that complies with your organization's policies.
Google SecOps recommends a minimum of one day of log retention.
You can store the Azure Key Vault logging logs in a storage account or stream the logs to Event Hubs. Google SecOps supports log collection using a storage account.
Archive to a storage account
To store logs in storage account, in theDiagnostics settingswindow, select theArchive to a storage accountcheckbox.
In theSubscriptionlist, select the existing subscription.
In theStorage accountlist, select the existing storage account.
Set up feeds
There are two different entry points to set up feeds in the
Google SecOps platform:
SIEM Settings>Feeds>Add New
Content Hub>Content Packs>Get Started
How to set up the Azure key vault logging feed
Click theAzure Platformpack.
Locate theAzure Key Vault logginglog type and clickAdd new feed.
Specify values for the following fields:
Source Type:Microsoft Azure Blob Storage V2.
Azure URI: specify theBlob serviceendpoint that you obtained previously along with one of the container names of that storage account. For example,https://xyz.blob.core.windows.net/abc/.
Source deletion option: specify the source deletion option.
Maximum File Age: Includes files modified in the last number of days.
Default is 180 days.
Key: specify the shared key that you obtained previously.
Advanced options
Feed Name: A prepopulated value that identifies the feed.
Asset Namespace: Namespace associated with the feed.
Ingestion Labels: Labels applied to all events from this feed.
ClickCreate feed.
For more information about configuring multiple feeds for different log types within this product family, seeConfigure feeds by product.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Collect Microsoft Azure Key Vault logging logs\n==============================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document describes how you can collect the Azure Key Vault logging logs by setting up a Google Security Operations feed.\n\nFor more information, see [Data ingestion to Google SecOps](/chronicle/docs/data-ingestion-flow).\n\nAn ingestion label identifies the parser which normalizes raw log data to structured\nUDM format. The information in this document applies to the parser with the\n`AZURE_KEYVAULT_AUDI` ingestion label.\n\nBefore you begin\n----------------\n\nEnsure that you have the following prerequisites:\n\n- Azure subscription that you can sign in to\n- Azure Key Vault environment (tenant) in Azure\n- Global administrator or Azure Key Vault administrator role\n- Azure storage account to store the logs\n\nConfigure a storage account\n---------------------------\n\n1. Sign in to the **Azure** portal.\n2. In the **Azure** console, search for **Storage accounts**.\n3. Select the storage account that the logs must be pulled from, and then select **Access key**. To create a new storage account, do the following:\n\n 1. Click **Create.**\n 2. Enter a name for the new storage account.\n 3. Select the subscription, resource group, region, performance, and redundancy for the account. We recommend setting the performance to *standard* , and the redundancy to *GRS* or *LRS*.\n\n 4. Click **Review + create**.\n\n 5. Review the overview of the account and click **Create.**\n\n4. Click **Show keys** and make a note of the shared key for the storage account.\n\n5. Select **Endpoints** and make a note of the **Blob service** endpoint.\n\n For more information about creating a storage account, see the **Create an Azure storage account** section in the [Microsoft documentation](http://learn.microsoft.com/).\n\nConfigure Azure Key Vault logging\n---------------------------------\n\n1. In the **Azure** portal, go to **Key vaults** and select the key vault that you want to configure for logging.\n2. In the **Monitoring** section, select **Diagnostic settings**.\n3. Select **Add diagnostic setting** . The **Diagnostics settings** window provides the settings for the diagnostic logs.\n4. In the **Diagnostic setting name** field, specify the name for diagnostic setting.\n5. In the **Category groups** section, select the **audit** checkbox.\n6. In the **Retention (days)** field, specify a log retention value that complies with your organization's policies.\n Google SecOps recommends a minimum of one day of log retention.\n\n You can store the Azure Key Vault logging logs in a storage account or stream the logs to Event Hubs. Google SecOps supports log collection using a storage account.\n\n### Archive to a storage account\n\n1. To store logs in storage account, in the **Diagnostics settings** window, select the **Archive to a storage account** checkbox.\n2. In the **Subscription** list, select the existing subscription.\n3. In the **Storage account** list, select the existing storage account.\n\nSet up feeds\n------------\n\nThere are two different entry points to set up feeds in the\nGoogle SecOps platform:\n\n- **SIEM Settings \\\u003e Feeds \\\u003e Add New**\n- **Content Hub \\\u003e Content Packs \\\u003e Get Started**\n\nHow to set up the Azure key vault logging feed\n----------------------------------------------\n\n1. Click the **Azure Platform** pack.\n2. Locate the **Azure Key Vault logging** log type and click **Add new feed**.\n3. Specify values for the following fields:\n\n - **Source Type** : **Microsoft Azure Blob Storage V2**.\n - **Azure URI** : specify the **Blob service** endpoint that you obtained previously along with one of the container names of that storage account. For example, `https://xyz.blob.core.windows.net/abc/`.\n - **Source deletion option**: specify the source deletion option.\n - **Maximum File Age**: Includes files modified in the last number of days. Default is 180 days.\n - **Key**: specify the shared key that you obtained previously.\n\n **Advanced options**\n - **Feed Name**: A prepopulated value that identifies the feed.\n - **Asset Namespace**: Namespace associated with the feed.\n - **Ingestion Labels**: Labels applied to all events from this feed.\n4. Click **Create feed**.\n\n| **Note:** The Content Hub is not available on the SIEM standalone platform. To upgrade, contact your Google SecOps representative.\n\nFor more information about configuring multiple feeds for different log types within this product family, see [Configure feeds by product](/chronicle/docs/ingestion/ingestion-entities/configure-multiple-feeds).\n\nFor more information about Google SecOps feeds, see [Google SecOps feeds documentation](/chronicle/docs/administration/feed-management).\n\nFor information about requirements for each feed type, see [Feed configuration by type](/chronicle/docs/reference/feed-management-api#feed_configuration_by_type).\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
