Get Azure Key Vault Data into Splunk
This post explores integrating Azure Key Vault diagnostic logs with Splunk for enhanced security visibility. The implementation streams diagnostic data through Event Hubs to a Splunk instance using a dedicated Splunk application.
Azure Resource Architecture
The solution requires four primary Azure components:
- Blob storage account for data persistence
- Event Hub namespace and Event Hub instance
- Azure Key Vault configured for diagnostic logging
- Splunk instance for log analysis
Implementation Steps
Storage Setup: Create a blob storage account and container to serve as the capture destination.
Event Hub Configuration: Establish an Event Hub namespace and instance, enabling capture functionality and linking it to the storage container.
Key Vault Integration: Configure the Key Vault to stream both AuditEvents and AllMetrics to the newly created Event Hub by selecting the appropriate subscription, namespace, and policy.
Splunk Configuration: Install the Azure Event Hub input app and configure it with:
- Target index for data ingestion
- Storage account credentials
- Container name reference
Data Insights
Once operational, the system captures:
- API performance metrics including latency measurements
- Audit trail of operations performed on vault resources
- Client IP addresses and application identifiers
- Correlation IDs for cross-referencing with other Azure events
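As an added example (not code from the post or from the Splunk app), the following Python parses the AuditEvent records an Event Hub message carries, flattening the documented Key Vault diagnostic fields (operation, result, caller IP, app id, latency, correlation ID) and flagging caller IPs with repeated denied operations; the sample records are constructed.

```python
# Added example (not from the original post): parse Key Vault AuditEvent
# records as delivered through Event Hub and flag denied access by caller IP.
import json
from collections import Counter

# Constructed sample of one Event Hub message body for Key Vault diagnostics
# ({"records": [...]}); IPs, app ids and correlation ids are made up.
SAMPLE_BODY = json.dumps({"records": [
    {"time": "2024-01-10T09:00:01Z", "category": "AuditEvent", "operationName": "SecretGet",
     "resultType": "Success", "durationMs": 42, "callerIpAddress": "203.0.113.10",
     "correlationId": "corr-0001", "identity": {"claims": {"appid": "app-prod"}},
     "properties": {"httpStatusCode": 200, "clientInfo": "azsdk-python"}},
    {"time": "2024-01-10T09:00:05Z", "category": "AuditEvent", "operationName": "SecretGet",
     "resultType": "Forbidden", "durationMs": 15, "callerIpAddress": "198.51.100.7",
     "correlationId": "corr-0002", "identity": {"claims": {"appid": "app-unknown"}},
     "properties": {"httpStatusCode": 403, "clientInfo": "curl/8.0"}},
    {"time": "2024-01-10T09:00:06Z", "category": "AuditEvent", "operationName": "SecretList",
     "resultType": "Forbidden", "durationMs": 9, "callerIpAddress": "198.51.100.7",
     "correlationId": "corr-0003", "identity": {"claims": {"appid": "app-unknown"}},
     "properties": {"httpStatusCode": 403, "clientInfo": "curl/8.0"}},
    {"time": "2024-01-10T09:00:07Z", "category": "AllMetrics", "metricName": "ServiceApiLatency"},
]})


def parse_records(body: str) -> list[dict]:
    """Flatten AuditEvent records into the fields a Splunk search keys on."""
    events = []
    for r in json.loads(body).get("records", []):
        if r.get("category") != "AuditEvent":
            continue  # AllMetrics records have a different shape; skip them here
        props = r.get("properties", {})
        claims = (r.get("identity") or {}).get("claims", {})
        events.append({
            "time": r["time"], "op": r["operationName"], "result": r["resultType"],
            "status": props.get("httpStatusCode"), "ip": r.get("callerIpAddress"),
            "appid": claims.get("appid"), "client": props.get("clientInfo"),
            "latency_ms": r.get("durationMs"), "corr": r.get("correlationId"),
        })
    return events


def denied_by_ip(events: list[dict], threshold: int = 2) -> dict[str, int]:
    """Caller IPs with at least `threshold` denied (HTTP 403) vault operations."""
    denied = Counter(e["ip"] for e in events if e["status"] == 403)
    return {ip: n for ip, n in denied.items() if n >= threshold}
```

The same grouping (`stats count by callerIpAddress where httpStatusCode=403`) is what you would run as a Splunk search once the index described above is populated.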
Notes
This is one approach among many Azure logging options. PowerZure is mentioned as a tool for generating test data. Recommendations include keeping all resources in the same Azure region and verifying the storage account's network settings.