Azure Monitor Log
Analytics Workspace Key
Service Name: Azure Monitor Log Analytics
Service Description: Azure Monitor Log Analytics is a service that helps collect, analyze, and act on telemetry data from Azure and on-premises environments. It provides a powerful query language for analyzing log data and enables monitoring, alerting, and visualization of operational data.
Service Address: https://azure.microsoft.com/en-us/services/monitor/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the workspace level using Azure Firewall or Network Security Groups.
Secret Access Scope: Grants access to query and manage Log Analytics workspaces, ingest data, and retrieve analytics.
Secret Revokement URL: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/manage-access
Secret Example: 3edfcasdf98765432abcdef0987654321abcdefg==
Suspicious Activity Investigation Instructions:
- Review the Azure Activity Log for unusual operations on the Log Analytics workspace.
- Check for unexpected queries or data exports from the workspace.
- Monitor for unusual data ingestion patterns or volume spikes.
- Review workspace access logs for unauthorized IP addresses or users.
- Check for changes to workspace configuration or access policies.
Mitigation Instructions:
- Navigate to the Azure Portal and locate the affected Log Analytics workspace.
- Go to "Agents management" under the workspace settings.
- Regenerate the primary and/or secondary workspace keys.
- Update any legitimate applications or services with the new key.
- Review and restrict workspace access permissions to only necessary users and services.
- Consider implementing Azure Private Link for the workspace to restrict network access.
- Enable diagnostic settings to monitor access to the workspace.
- Implement Azure Policy to enforce security standards on the workspace.