
AZT603.1 - Service Principal Secret Reveal: Function App Settings

If a Function App is using a service principal for authentication, an adversary may manipulate the function app logic to reveal the service principal's secret in plain text.

Resource

Function App

Actions

  • Microsoft.web/sites/functions/read
  • Microsoft.Web/sites/read
  • Microsoft.Web/sites/config/list/action

Detections

Detection Details

No logs are generated when retrieving the settings of a function app.

Queries

Platform: Log Analytics

Query:

    AADServicePrincipalSignInLogs
    | where ServicePrincipalName == 'NAMEOFFUNCTIONAPP'
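
Because retrieving the settings leaves no log, the sign-in query is mainly useful for spotting the secret being used from somewhere other than the function app itself. The following is an added example, not part of the original page: it narrows that query to successful sign-ins from addresses outside an allow-list. The ExpectedIPs list and the sample rows are constructed placeholders, and it assumes the app's legitimate sign-ins originate from its known outbound addresses.

```kql
// Added example. Constructed sample rows stand in for AADServicePrincipalSignInLogs
// so the query can be pasted and run as-is; in a workspace, drop the datatable
// and start the pipeline from the real table.
let AppName = 'NAMEOFFUNCTIONAPP';   // placeholder taken from the page's query
// Assumption: the function app's known outbound addresses (documentation-range placeholders).
let ExpectedIPs = dynamic(['203.0.113.10', '203.0.113.11']);
let SampleSignIns = datatable(
    TimeGenerated: datetime,
    ServicePrincipalName: string,
    IPAddress: string,
    ResourceDisplayName: string,
    ResultType: string)
[
    datetime(2024-01-10 08:00:00), 'NAMEOFFUNCTIONAPP', '203.0.113.10', 'Azure Key Vault',        '0',
    datetime(2024-01-10 08:05:00), 'NAMEOFFUNCTIONAPP', '203.0.113.11', 'Azure Key Vault',        '0',
    datetime(2024-01-10 09:12:00), 'NAMEOFFUNCTIONAPP', '198.51.100.7', 'Microsoft Graph',        '0',
    datetime(2024-01-10 09:14:00), 'NAMEOFFUNCTIONAPP', '198.51.100.7', 'Azure Resource Manager', '0',
    datetime(2024-01-10 09:20:00), 'OTHERAPP',          '198.51.100.9', 'Microsoft Graph',        '0'
];
SampleSignIns
| where ServicePrincipalName == AppName
| where ResultType == '0'                  // successful sign-ins only
| where IPAddress !in (ExpectedIPs)        // sign-ins not coming from the function app
| summarize
    SignIns   = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    Resources = make_set(ResourceDisplayName)
    by IPAddress
| order by LastSeen desc
```

On the sample rows this returns a single row for 198.51.100.7 with two sign-ins, covering Microsoft Graph and Azure Resource Manager.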

Azure Monitor Alert

Deploy to Azure