
Creating a Key Vault Decoy in Azure

A key vault is a service in Microsoft Azure that lets you securely store and retrieve secrets such as passwords, API keys, and cryptographic keys. You can create a key vault decoy that includes enticing credential files with URLs to the Threat Intelligence (TI) decoys containing random user names and passwords. These decoys act as cloud lures.

Prerequisites

Before creating an Azure decoy, you must ensure that you have:

Creating a Key Vault Decoy in Azure

To create a key vault decoy in Azure:

  1. Go to Deceive > Cloud Deception > Azure > Key Vault.
  2. Click Add Decoy.

    The Key Vault Decoy window appears.

  3. In the Key Vault Decoy window:

    • Name: Enter a name for the key vault decoy.
    • Description: Enter a description relevant to the key vault decoy.

  4. Click Save.
  5. Sign in to the Azure Portal as a Cloud Device Administrator or Global Administrator.
  6. Launch Cloud Shell by clicking the Cloud Shell icon on the top navigation bar.

    The Cloud Shell window appears.

  7. In the Cloud Shell window:

    1. Set your shell environment to PowerShell.
    2. Run the deployment script using the command obtained via the automated download method or manual download method.
    3. Enter the option to deploy key vault decoys and press Enter.

    If you want to add multiple key vault decoys to Microsoft Azure, repeat Step 1 to Step 4 for each decoy and then run the script to sync all decoys simultaneously.

Upon successful execution of the script, the key vault decoy is added to Microsoft Azure. The key vault decoy is part of the Decoys Resource Group configured by Deception during the integration. The deployment status is indicated by the icon next to the name of the decoy in the key vault decoys table (Deceive > Cloud Deception > Azure > Key Vault) within the Zscaler Deception Admin Portal. To learn how to configure lures using key vault decoys, see Configuring Lures Using Azure Decoys.
