Skip to content

Microsoft.OperationalInsights/workspaces/sharedKeys/action

Azure

Microsoft.OperationalInsights/workspaces/sharedKeys/action

service: Azure - Log Analytics
techniques:

Event

Retrieves the primary and secondary access keys for a Log Analytics workspace.

Security Context

  • Enumerating cloud resources helps adversaries map the environment to identify high-value targets, security controls, and potential pivot points.
  • Accessing stored credentials or secrets can provide adversaries with keys to additional systems, enabling lateral movement and privilege escalation.

Log Source

Azure Activity Log

Sample Event

Adversarial. draco@fantasticlogs.cloud calls getSharedKeys against the production Log Analytics workspace law-fantasticlogs-prod, retrieving the primary and secondary shared keys. With these and the workspace’s customerId, Draco can use the Data Collector API to write arbitrary telemetry into the workspace (log poisoning) or impersonate legitimate agents.

{
"authorization": {
"action": "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.OperationalInsights/workspaces/law-fantasticlogs-prod"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"puid": "1003200000000666",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814",
"uti": "lawSk211ExampleUtid01",
"ver": "1.0"
},
"correlationId": "90000000-0000-4000-8000-000100011110",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000100011111",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T18:08:21.5128194Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.OperationalInsights/workspaces/law-fantasticlogs-prod/events/90000000-0000-4000-8000-000100011111/ticks/638798238015128194",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000100100000",
"operationName": {
"value": "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
"localizedValue": "List Workspace Shared Keys"
},
"resourceGroupName": "rg-fantasticlogs-prod",
"resourceProviderName": {
"value": "Microsoft.OperationalInsights",
"localizedValue": "Microsoft.OperationalInsights"
},
"resourceType": {
"value": "Microsoft.OperationalInsights/workspaces",
"localizedValue": "Microsoft.OperationalInsights/workspaces"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.OperationalInsights/workspaces/law-fantasticlogs-prod",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "OK",
"localizedValue": "OK (HTTP Status Code: 200)"
},
"submissionTimestamp": "2026-04-15T18:08:22.0801724Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "OK",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.OperationalInsights/workspaces/law-fantasticlogs-prod/sharedKeys",
"message": "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001"
},
"relatedEvents": []
}

MITRE ATT&CK Mapping

Tactics: Credential Access Discovery

Techniques:
  • T1552 — Unsecured Credentials — Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or applica...
  • T1526 — Cloud Service Discovery — An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can...