Query Details
//Detect when the workspace keys to an Azure log analytics workspace are read
//Data connector required for this query - Azure Activity
AzureActivity
| where OperationNameValue == "MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/SHAREDKEYS/ACTION"
| extend WorkspaceName = tostring(parse_json(Properties).resource)
| where ActivityStatusValue == "Success"
| project
    TimeGenerated,
    Actor=Caller,
    ['Log Analytics Workspace Name']=WorkspaceName,
    ['Actor IP Address']=CallerIpAddress,
    ['Azure Subscription Id']=SubscriptionId,
    ['Azure Resource Group']=ResourceGroup

This query detects when the keys to an Azure log analytics workspace are read. It uses the Azure Activity data connector and filters for operations related to reading the shared keys of a workspace. It then extracts the workspace name, filters for successful activities, and projects specific columns including the time generated, actor (caller), workspace name, actor IP address, Azure subscription ID, and Azure resource group.

Matt Zorich
Released: June 17, 2022