AZT503.2 - HTTP Trigger: Function App HTTP Trigger
Adversaries may configure a Function Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.
Resource
Function App
Actions
- Microsoft.Web/sites/Write
- Microsoft.Web/sites/functions/action
- Microsoft.Web/sites/functions/write
Detections
Logs
Data Source | Operation Name | Action | Log Provider |
---|---|---|---|
Azure Active Directory | Update website | Microsoft.Web/sites/write | AuditLogs |
Azure Active Directory | Start Web App | Microsoft.Web/sites/start/action | AuditLogs |
Queries
Platform | Query |
---|---|
Log Analytics | `AuditLogs \| where ActivityDisplayName == 'Update website' or ActivityDisplayName == 'Start Web App'` |
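
The query above matches either operation on its own. As an added example (not part of the original page), the Python below correlates the two over AuditLogs rows exported from Log Analytics, flagging a 'Start Web App' that follows an 'Update website' by the same initiator on the same app. The flat `Initiator` and `Target` fields, the 30-minute window and the sample rows are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Operation names taken from the page's Logs table.
UPDATE, START = "Update website", "Start Web App"

def row(ts, op, who, app):
    # Assumed flat export shape; real AuditLogs rows nest these values.
    return {"TimeGenerated": ts, "ActivityDisplayName": op,
            "Initiator": who, "Target": app}

# Constructed sample rows (not real log data).
SAMPLE_ROWS = [
    row("2024-05-01T10:00:00+00:00", UPDATE, "dev1@example.com", "func-orders"),
    row("2024-05-01T10:04:00+00:00", START, "Dev1@example.com", "func-orders"),
    row("2024-05-01T11:00:00+00:00", START, "ops@example.com", "func-billing"),
    row("2024-05-01T12:00:00+00:00", UPDATE, "dev2@example.com", "func-reports"),
    row("2024-05-01T15:00:00+00:00", START, "dev2@example.com", "func-reports"),
    row("2024-05-01T15:05:00+00:00", "Add user", "ops@example.com", "n/a"),
]

def correlate(rows, window=timedelta(minutes=30)):
    """Return (initiator, target, update_time, start_time) for every
    'Start Web App' that follows an 'Update website' by the same
    initiator on the same target within `window`."""
    events = sorted(((datetime.fromisoformat(r["TimeGenerated"]), r)
                     for r in rows), key=lambda e: e[0])
    last_update, hits = {}, []
    for ts, r in events:
        # UPNs and app names are case-insensitive, so normalise before keying.
        key = (r["Initiator"].lower(), r["Target"].lower())
        op = r["ActivityDisplayName"]
        if op == UPDATE:
            last_update[key] = ts
        elif op == START and key in last_update:
            if ts - last_update[key] <= window:
                hits.append((*key, last_update[key], ts))
    return hits

if __name__ == "__main__":
    for who, app, updated, started in correlate(SAMPLE_ROWS):
        print(f"{who} updated {app} at {updated:%H:%M} and started it at {started:%H:%M}")
```

A start with no preceding update, or one that falls outside the window, is not reported, which keeps routine restarts out of the results.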
Azure Monitor Alert
Additional Resources
https://docs.microsoft.com/en-us/azure/azure-functions/functions-overview