Queries for the AZKVAuditLogs table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Are there any failures?

Count of failed keyvault requests by status code.

AZKVAuditLogs
| where HttpStatusCode >= 300 and not(OperationName == "Authentication" and HttpStatusCode == 401)
| summarize count() by RequestUri, ResultSignature, _ResourceId

Are there any slow requests?

List of keyvault requests taking longer than 1 second.

let threshold=1000;
AZKVAuditLogs
| where DurationMs > threshold
| summarize count() by OperationName, _ResourceId

How active has this KeyVault been?

Line chart showing trend of KeyVault requests volume, per operation over time.

AZKVAuditLogs
| summarize count() by bin(TimeGenerated, 1h), OperationName // Aggregate by hour
| render timechart

How fast is this KeyVault serving requests?

Line chart showing trend of request duration over time using different aggregations.

AZKVAuditLogs
| summarize avg(DurationMs) by RequestUri, bin(TimeGenerated, 1h) // requestUri_s contains the URI of the request
| render timechart

What changes occurred last month?

Lists all update and patch requests from the last 30 days.

AZKVAuditLogs
| where TimeGenerated > ago(30d)
| where OperationName == "VaultPut" or OperationName == "VaultPatch"
| sort by TimeGenerated desc

Who is calling this KeyVault?

List of callers identified by their IP address with their request count.

AZKVAuditLogs
| summarize count() by CallerIpAddress