What severity level should be applied to alerts regarding unusual access to a key vault in Microsoft Defender for Cloud?



In Microsoft Defender for Cloud, alerts about unusual access to a key vault are assigned a severity level of medium. Medium severity indicates that the activity may not be an immediate threat, but it is an anomaly that warrants attention because it could precede a more serious compromise.

Key vaults hold sensitive material such as cryptographic keys, secrets, and certificates. Unusual access patterns, such as access from an anomalous location or at an atypical time, can signal that the credentials or identities authorized to use the key vault have been compromised or misused. Monitoring and investigating these alerts is therefore essential to maintaining the security posture of the environment.

A medium severity reflects a balanced approach to threat prioritization: security teams can give the alert the attention it needs without treating every anomaly that is important but not urgent as critical, which would overwhelm the queue. This level encourages proactive triage and response to contain any latent risk associated with the anomalous key vault access.
