There was a great question today in a private community channel about monitoring and alerting when a storage account's encryption is configured to use a key in Key Vault instead of a Microsoft-managed key.
This question drove me to do a bit of analysis of what the service offers out of the box (without customization). The idea that came to mind was an alert based on a Log Analytics query. This article shares two queries that help with monitoring and alerting on this change.
Make sure a Log Analytics workspace is available and that the Azure Activity log is configured to send its events to that workspace.
An event is recorded in the Azure Activity log most of the time you update something on a storage account. When checking the event body I noticed that the responseBody inside the Properties field contains Microsoft.Keyvault as the key source. Therefore the query looks as follows:
AzureActivity
| where ResourceId contains "providers/microsoft.storage/storageaccounts"
| where OperationNameValue == "Microsoft.Storage/storageAccounts/write"
| where ActivityStatus == "Succeeded"
| extend a = tostring(parse_json(Properties).responseBody)
| where parse_json(a).properties.encryption.keySource == "Microsoft.Keyvault"
Another approach is to look at the Key Vault diagnostic log. This requires a diagnostic setting to be configured on the Key Vault that the storage account uses.
AzureDiagnostics
| where identity_claim_xms_mirid_s contains "providers/Microsoft.Storage/storageAccounts/"
| where ResourceProvider == 'MICROSOFT.KEYVAULT'
| where OperationName == "KeyUnwrap"
When Key Vault is configured as the encryption key source for a storage account, the storage account's managed identity is automatically added to the Key Vault's access policy, and the operation that identity performs against the key shows up in the diagnostic log as KeyUnwrap.
The two queries above are rough, but they are a good start for constructing more advanced queries. Another approach would be to send the logs to an Event Hub namespace and have a listener monitor the changes. The signature pattern would be the same as in the queries above.
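To show what such a listener would actually check, here is an added Python example (not from the original post) that applies the same two signatures to Activity log and Key Vault diagnostic records offline. The records are constructed to mirror the AzureActivity and AzureDiagnostics columns the queries use (ResourceId, OperationNameValue, ActivityStatus, Properties, identity_claim_xms_mirid_s, ResourceProvider, OperationName); the subscription, resource group, storage account and vault names are made up.

```python
import json

# Constructed resource id prefix for the sample records (not a real subscription).
SA_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
             "/providers/Microsoft.Storage/storageAccounts/")


def _activity_record(resource_id, operation, status, key_source=None, vault_uri=None):
    """Build a constructed AzureActivity-style record.

    Properties is a JSON string whose responseBody is itself a JSON string,
    which is why the KQL query needs parse_json() twice.
    """
    encryption = {}
    if key_source:
        encryption["keySource"] = key_source
    if vault_uri:
        encryption["keyvaultproperties"] = {"keyvaulturi": vault_uri}
    body = {"properties": {"encryption": encryption}}
    return {
        "ResourceId": resource_id,
        "OperationNameValue": operation,
        "ActivityStatus": status,
        "Properties": json.dumps({"responseBody": json.dumps(body)}),
    }


WRITE_OP = "Microsoft.Storage/storageAccounts/write"
SAMPLE_ACTIVITY = [
    # Switched to a customer-managed key in Key Vault: this is the one to alert on.
    _activity_record(SA_PREFIX + "stcmk01", WRITE_OP, "Succeeded",
                     "Microsoft.Keyvault", "https://kv-demo.vault.azure.net/"),
    # Microsoft-managed key: not interesting.
    _activity_record(SA_PREFIX + "stmmk01", WRITE_OP, "Succeeded", "Microsoft.Storage"),
    # Same change but the request failed: filtered out by ActivityStatus.
    _activity_record(SA_PREFIX + "stcmk02", WRITE_OP, "Failed",
                     "Microsoft.Keyvault", "https://kv-demo.vault.azure.net/"),
    # Different operation, and its response carries no encryption block.
    {"ResourceId": SA_PREFIX + "stcmk01",
     "OperationNameValue": "Microsoft.Storage/storageAccounts/listKeys/action",
     "ActivityStatus": "Succeeded", "Properties": json.dumps({"responseBody": "{}"})},
    # A write whose Properties carries no responseBody at all (must not crash).
    {"ResourceId": SA_PREFIX + "stcmk03", "OperationNameValue": WRITE_OP,
     "ActivityStatus": "Succeeded", "Properties": json.dumps({"statusCode": "Accepted"})},
]

# Constructed AzureDiagnostics-style records for a Key Vault named KV-DEMO.
SAMPLE_DIAGNOSTICS = [
    {"ResourceProvider": "MICROSOFT.KEYVAULT", "OperationName": "KeyUnwrap",
     "Resource": "KV-DEMO", "identity_claim_xms_mirid_s": SA_PREFIX + "stcmk01"},
    # Same managed identity reading a secret: not the encryption signature.
    {"ResourceProvider": "MICROSOFT.KEYVAULT", "OperationName": "SecretGet",
     "Resource": "KV-DEMO", "identity_claim_xms_mirid_s": SA_PREFIX + "stcmk01"},
    # A user unwrapping a key: no managed-identity resource id claim.
    {"ResourceProvider": "MICROSOFT.KEYVAULT", "OperationName": "KeyUnwrap",
     "Resource": "KV-DEMO", "identity_claim_xms_mirid_s": ""},
]


def storage_writes_using_keyvault(records):
    """Mirror of the AzureActivity query: successful storage-account writes whose
    response reports encryption.keySource == "Microsoft.Keyvault".
    Returns (ResourceId, key vault URI or None) for each hit."""
    hits = []
    for r in records:
        # KQL `contains` is case-insensitive, `==` is case-sensitive; keep both.
        if "providers/microsoft.storage/storageaccounts" not in (r.get("ResourceId") or "").lower():
            continue
        if r.get("OperationNameValue") != WRITE_OP or r.get("ActivityStatus") != "Succeeded":
            continue
        try:
            props = json.loads(r.get("Properties") or "{}")
            body = json.loads(props.get("responseBody") or "{}")
        except (json.JSONDecodeError, TypeError, AttributeError):
            continue  # malformed or missing body: the KQL row would simply not match
        if not isinstance(body, dict):
            continue
        encryption = (body.get("properties") or {}).get("encryption") or {}
        if encryption.get("keySource") != "Microsoft.Keyvault":
            continue
        vault = (encryption.get("keyvaultproperties") or {}).get("keyvaulturi")
        hits.append((r["ResourceId"], vault))
    return hits


def key_unwraps_by_storage_accounts(records):
    """Mirror of the AzureDiagnostics query: KeyUnwrap operations whose caller
    identity is a storage account's managed identity.
    Returns (caller resource id, vault name) for each hit."""
    hits = []
    for r in records:
        caller = r.get("identity_claim_xms_mirid_s") or ""
        if "providers/microsoft.storage/storageaccounts/" not in caller.lower():
            continue
        if r.get("ResourceProvider") != "MICROSOFT.KEYVAULT" or r.get("OperationName") != "KeyUnwrap":
            continue
        hits.append((caller, r.get("Resource")))
    return hits


if __name__ == "__main__":
    for hit in storage_writes_using_keyvault(SAMPLE_ACTIVITY):
        print("storage account now using Key Vault key:", hit)
    for hit in key_unwraps_by_storage_accounts(SAMPLE_DIAGNOSTICS):
        print("KeyUnwrap by storage account identity:", hit)
```

Only the successful write that actually reports Microsoft.Keyvault, and only the KeyUnwrap performed by a storage account identity, are returned; the failed write, the Microsoft-managed-key write and the record with no responseBody are dropped rather than raising, which is the behaviour a listener needs when it reads a mixed event stream.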