Microsoft.OperationalInsights/workspaces/sharedKeys/action
Azure
Microsoft.OperationalInsights/workspaces/sharedKeys/action
Event
Retrieves the primary and secondary access keys for a Log Analytics workspace.
Security Context
- Enumerating cloud resources helps adversaries map the environment to identify high-value targets, security controls, and potential pivot points.
- Accessing stored credentials or secrets can provide adversaries with keys to additional systems, enabling lateral movement and privilege escalation.
Log Source
Azure Activity Log
Sample Event
Adversarial. draco@fantasticlogs.cloud calls getSharedKeys against the production Log Analytics workspace law-fantasticlogs-prod, retrieving the primary and secondary shared keys. With these and the workspace’s customerId, Draco can use the Data Collector API to write arbitrary telemetry into the workspace (log poisoning) or impersonate legitimate agents.
{ "authorization": { "action": "Microsoft.OperationalInsights/workspaces/sharedKeys/action", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.OperationalInsights/workspaces/law-fantasticlogs-prod" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "puid": "1003200000000666", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud", "http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814", "uti": "lawSk211ExampleUtid01", "ver": "1.0" }, "correlationId": "90000000-0000-4000-8000-000100011110", "description": "", "eventDataId": "90000000-0000-4000-8000-000100011111", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T18:08:21.5128194Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.OperationalInsights/workspaces/law-fantasticlogs-prod/events/90000000-0000-4000-8000-000100011111/ticks/638798238015128194", "level": "Informational", "operationId": "90000000-0000-4000-8000-000100100000", "operationName": { "value": "Microsoft.OperationalInsights/workspaces/sharedKeys/action", "localizedValue": "List Workspace Shared Keys" }, "resourceGroupName": "rg-fantasticlogs-prod", "resourceProviderName": { "value": "Microsoft.OperationalInsights", "localizedValue": "Microsoft.OperationalInsights" }, "resourceType": { "value": "Microsoft.OperationalInsights/workspaces", "localizedValue": "Microsoft.OperationalInsights/workspaces" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.OperationalInsights/workspaces/law-fantasticlogs-prod", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "OK", "localizedValue": "OK (HTTP Status Code: 200)" }, "submissionTimestamp": "2026-04-15T18:08:22.0801724Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "OK", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.OperationalInsights/workspaces/law-fantasticlogs-prod/sharedKeys", "message": "Microsoft.OperationalInsights/workspaces/sharedKeys/action", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001" }, "relatedEvents": []}MITRE ATT&CK Mapping
Tactics: Credential Access Discovery
Techniques:
- T1552 — Unsecured Credentials — Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or applica...
- T1526 — Cloud Service Discovery — An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can...