Skip to content

Microsoft.OperationalInsights/workspaces/delete

Azure

Microsoft.OperationalInsights/workspaces/delete

service: Azure - Log Analytics
techniques:

Event

Permanently deletes a Log Analytics workspace and its stored data.

Security Context

  • Deleting or modifying audit logs destroys forensic evidence and prevents security teams from reconstructing the attack timeline.
  • Destructive deletion of cloud resources can cause significant operational disruption, data loss, and extended recovery times.

Log Source

Azure Activity Log

Sample Event

Adversarial. draco@fantasticlogs.cloud permanently deletes the security Log Analytics workspace law-fantasticlogs-security (which is the destination workspace used by Microsoft Sentinel for the tenant) using force=true, bypassing the 14-day soft-delete recovery. This is a maximum-impact defense-impairment + impact event: it destroys ingested logs and makes Sentinel detections inoperative.

{
"authorization": {
"action": "Microsoft.OperationalInsights/workspaces/delete",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000010/resourceGroups/rg-security/providers/Microsoft.OperationalInsights/workspaces/law-fantasticlogs-security"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"puid": "1003200000000666",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814",
"uti": "lawDel210ExampleUtid01",
"ver": "1.0"
},
"correlationId": "90000000-0000-4000-8000-000100011011",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000100011100",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T18:42:08.7218304Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000010/resourceGroups/rg-security/providers/Microsoft.OperationalInsights/workspaces/law-fantasticlogs-security/events/90000000-0000-4000-8000-000100011100/ticks/638798259287218304",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000100011101",
"operationName": {
"value": "Microsoft.OperationalInsights/workspaces/delete",
"localizedValue": "Delete Log Analytics Workspace"
},
"resourceGroupName": "rg-security",
"resourceProviderName": {
"value": "Microsoft.OperationalInsights",
"localizedValue": "Microsoft.OperationalInsights"
},
"resourceType": {
"value": "Microsoft.OperationalInsights/workspaces",
"localizedValue": "Microsoft.OperationalInsights/workspaces"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000010/resourceGroups/rg-security/providers/Microsoft.OperationalInsights/workspaces/law-fantasticlogs-security",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "OK",
"localizedValue": "OK (HTTP Status Code: 200)"
},
"submissionTimestamp": "2026-04-15T18:42:09.4001882Z",
"subscriptionId": "20000000-0000-4000-8000-000000000010",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "OK",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000010/resourceGroups/rg-security/providers/Microsoft.OperationalInsights/workspaces/law-fantasticlogs-security?force=true",
"message": "Microsoft.OperationalInsights/workspaces/delete",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000010"
},
"relatedEvents": []
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment Impact

Techniques:
  • T1685.002 — Disable or Modify Cloud Log — An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within t...
  • T1485 — Data Destruction — Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and r...