Skip to content

AZT503.1 - HTTP Trigger: Logic Application HTTP Trigger#

Adversaries may configure a Logic Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.

Resource

Logic Application

Actions

  • Microsoft.Logic/workflows/write
  • Microsoft.Logic/workflows/run/action
  • Microsoft.Logic/operations/read

Detections

Logs#

Data Source Operation Name Action Log Location
Resource Gets workflow recommend operation groups Microsoft.Logic/locations/workflows/recommendOperationGroups/action Azure Activity Log
Resource List Trigger Callback URL Microsoft.Logic/workflows/triggers/listCallbackUrl/action Azure Activity Log
Resource Add or Update Connection Microsoft.Web/connections/write Azure Activity Log

Queries#

|where OperationNameValue=="Microsoft.Logic/locations/workflows/recommendOperationGroups/action" or OperationNameValue=="Microsoft.Logic/workflows/triggers/listCallbackUrl/action"orOperationNameValue=="Microsoft.Web/connections/write"