AZT503.2 - HTTP Trigger: Function App HTTP Trigger#
Adversaries may configure a Function Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.
Resource
Function App
Actions
- Microsoft.Web/sites/Write
- Microsoft.web/sites/functions/action
- Microsoft.web/sites/functions/write
Detections
Logs#
| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| Azure Active Directory | Update website | Microsoft.Web/sites/write | AzureAD Audit Logs |
| Azure Active Directory | Start Web App | Microsoft.Web/sites/start/action | AzureAD Audit Logs |
Queries#
AuditLogs| where ActivityDisplayName == "Update website" or ActivityDisplayName == "Start Web App"
Additional Resources
https://docs.microsoft.com/en-us/azure/azure-functions/functions-overview