Skip to content
TheCloud.Events

Microsoft.OperationalInsights/workspaces/sharedKeys/action

CSP: Azure
Tactics:
Credential Access Discovery
Techniques:
T1552T1526
Tags:
Azure Log Analytics

Event

Retrieves the primary and secondary access keys for a Log Analytics workspace.

Security Context

  • Enumerating cloud resources helps adversaries map the environment to identify high-value targets, security controls, and potential pivot points.
  • Accessing stored credentials or secrets can provide adversaries with keys to additional systems, enabling lateral movement and privilege escalation.

Log Source

Azure Activity Log

Sample Event

MITRE ATT&CK Mapping

Tactics: Credential Access Discovery

Techniques:
  • T1552 — Unsecured Credentials — Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g.
  • T1526 — Cloud Service Discovery — An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS).