AZT601.3 - Steal Managed Identity JsonWebToken: Logic Application JWT PUT Request
If a Logic App has a Managed Identity, an adversary with write access to the workflow can update its definition (a PUT to the workflow resource, Microsoft.Logic/workflows/write) to add an HTTP action, for example a POST, that authenticates with that Managed Identity. When the workflow runs, the Logic Apps runtime acquires a token for the configured audience and sends it in the Authorization header of the request, so pointing the action at an endpoint the adversary controls delivers the Managed Identity's JWT.
Resource
Logic Application
Actions
- Microsoft.Logic/workflows/write
- Microsoft.Logic/workflows/run/action
- Microsoft.Logic/operations/read
Examples
Detections
Logs
Data Source | Operation Name | Action | Log Location |
---|---|---|---|
Resource | Gets workflow recommend operation groups | Microsoft.Logic/locations/workflows/recommendOperationGroups/action | Azure Activity Log |
Resource | List Trigger Callback URL | Microsoft.Logic/workflows/triggers/listCallbackUrl/action | Azure Activity Log |
Resource | Add or Update Connection | Microsoft.Web/connections/write | Azure Activity Log |
Queries
AzureActivity
| where OperationNameValue in~ (
    "Microsoft.Logic/locations/workflows/recommendOperationGroups/action",
    "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
    "Microsoft.Web/connections/write")
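The query above, run as code over a handful of constructed Activity Log records. This is an added example, not code from the Azure Threat Research Matrix page; the callers, timestamps and resource ID are made up, and the column names follow the AzureActivity table in Log Analytics. It goes one step beyond the page's query in two ways that a practitioner would want: it groups matches by caller and time, since any single listCallbackUrl or connection write is ordinary administration and the combination from one identity in a short span is the actual signal, and it optionally adds the Microsoft.Logic/workflows/write operation listed under Actions, on the assumption that the workflow update is logged under that name.

```python
"""Detection logic from the Queries section, run over constructed Activity Log records.

Added example for this page; not code from the Azure Threat Research Matrix.
Column names follow the AzureActivity table in Log Analytics; every record in
SAMPLE_LOG is constructed.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# The three operation names from the Detections table on this page.
WATCHED_OPERATIONS = frozenset({
    "Microsoft.Logic/locations/workflows/recommendOperationGroups/action",
    "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
    "Microsoft.Web/connections/write",
})

# Assumption: the PUT that rewrites the workflow definition is logged as the
# Microsoft.Logic/workflows/write operation listed under Actions above. The
# page's own query does not include it, so it is an optional extension here.
EXTENDED_OPERATIONS = WATCHED_OPERATIONS | {"Microsoft.Logic/workflows/write"}

LOGIC_APP = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
             "/providers/Microsoft.Logic/workflows/la-demo")  # constructed


def _record(time: str, caller: str, ip: str, operation: str) -> str:
    """Build one constructed AzureActivity-style record as a JSON line."""
    return json.dumps({"TimeGenerated": time, "Caller": caller, "CallerIpAddress": ip,
                       "OperationNameValue": operation, "ResourceId": LOGIC_APP,
                       "ActivityStatusValue": "Success"})


# Constructed sample: one identity performs the whole sequence within ten minutes,
# another does a single routine workflow deployment, a third only reads a VM.
SAMPLE_LOG = "\n".join([
    _record("2024-03-01T09:00:00Z", "dev@contoso.com", "198.51.100.10",
            "Microsoft.Logic/workflows/write"),
    _record("2024-03-01T09:30:00Z", "ops@contoso.com", "198.51.100.11",
            "Microsoft.Compute/virtualMachines/read"),
    _record("2024-03-01T10:00:00Z", "attacker@contoso.com", "203.0.113.7",
            "Microsoft.Logic/locations/workflows/recommendOperationGroups/action"),
    _record("2024-03-01T10:02:00Z", "attacker@contoso.com", "203.0.113.7",
            "microsoft.web/connections/write"),  # odd casing, still matched like in~
    _record("2024-03-01T10:05:00Z", "attacker@contoso.com", "203.0.113.7",
            "Microsoft.Logic/workflows/write"),
    _record("2024-03-01T10:06:00Z", "attacker@contoso.com", "203.0.113.7",
            "Microsoft.Logic/workflows/triggers/listCallbackUrl/action"),
])


def parse_records(text: str) -> list[dict]:
    """Parse newline-delimited JSON records, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _canonical(operations) -> dict[str, str]:
    """Map lower-cased operation names to their canonical spelling."""
    return {op.lower(): op for op in operations}


def matching_events(records: list[dict], operations=WATCHED_OPERATIONS) -> list[dict]:
    """Python equivalent of `where OperationNameValue in~ (...)`: a case-insensitive
    membership test that returns the matching records unchanged."""
    canon = _canonical(operations)
    return [r for r in records if r.get("OperationNameValue", "").lower() in canon]


def _parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def suspicious_callers(records: list[dict], operations=EXTENDED_OPERATIONS,
                       window: timedelta = timedelta(hours=1),
                       min_distinct: int = 2) -> dict[str, list[str]]:
    """Flag callers that perform at least `min_distinct` different watched
    operations inside one `window`, returning {caller: sorted operations}."""
    canon = _canonical(operations)
    by_caller: dict[str, list[dict]] = defaultdict(list)
    for r in matching_events(records, operations):
        by_caller[r.get("Caller", "<unknown>")].append(r)

    flagged: dict[str, list[str]] = {}
    for caller, events in by_caller.items():
        events.sort(key=lambda r: _parse_time(r["TimeGenerated"]))
        # Slide a window starting at each event; report the first one that qualifies.
        for i, first in enumerate(events):
            start = _parse_time(first["TimeGenerated"])
            ops = {canon[r["OperationNameValue"].lower()] for r in events[i:]
                   if _parse_time(r["TimeGenerated"]) - start <= window}
            if len(ops) >= min_distinct:
                flagged[caller] = sorted(ops)
                break
    return flagged


if __name__ == "__main__":
    records = parse_records(SAMPLE_LOG)
    print(f"{len(matching_events(records))} events match the page's query")
    for caller, ops in suspicious_callers(records).items():
        print(f"{caller}: {', '.join(ops)}")
```

With the sample data the page's three-operation filter returns three events, all from the same caller; the single workflow deployment by dev@contoso.com matches only the extended set and is never flagged on its own, which is the point of correlating by caller rather than alerting on each operation.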
Additional Resources
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-overview