AZT503.2 - HTTP Trigger: Function App HTTP Trigger

Adversaries may configure a Function Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.

Resource

Function App

Actions

  • Microsoft.Web/sites/Write
  • Microsoft.web/sites/functions/action
  • Microsoft.web/sites/functions/write

Examples

Detections

Logs

| Data Source | Operation Name | Action | Log Location |
| --- | --- | --- | --- |
| Azure Active Directory | Update website | Microsoft.Web/sites/write | AzureAD Audit Logs |
| Azure Active Directory | Start Web App | Microsoft.Web/sites/start/action | AzureAD Audit Logs |

Queries

AuditLogs
| where ActivityDisplayName == "Update website" or ActivityDisplayName == "Start Web App"
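The query above returns every matching row. As an added example (not part of the original page), the Python below applies the same filter to exported records and then flags an "Update website" followed by a "Start Web App" from the same initiator on the same target. Assumptions: records carry the AuditLogs columns TimeGenerated, ActivityDisplayName, InitiatedBy and TargetResources; the 15-minute window and the update-then-start pairing are illustrative choices; all sample records are constructed.

```python
from datetime import datetime, timedelta

# Operation names from the page's Logs table.
WATCHED = {"Update website", "Start Web App"}

def _rec(ts, op, who, target, kind="user"):
    """Build a constructed record shaped like an exported AuditLogs row."""
    ident = {"userPrincipalName": who} if kind == "user" else {"displayName": who}
    return {"TimeGenerated": ts, "ActivityDisplayName": op,
            "InitiatedBy": {kind: ident}, "TargetResources": [{"displayName": target}]}

# Constructed sample data, not real log output.
SAMPLE_RECORDS = [
    _rec("2024-01-10T09:00:00Z", "Update website", "alice@example.com", "func-billing"),
    _rec("2024-01-10T09:05:00Z", "Start Web App", "alice@example.com", "func-billing"),
    _rec("2024-01-10T10:00:00Z", "Update website", "deploy-pipeline", "func-orders", "app"),
    _rec("2024-01-10T12:00:00Z", "Start Web App", "deploy-pipeline", "func-orders", "app"),
    _rec("2024-01-10T11:00:00Z", "Add user", "bob@example.com", "carol@example.com"),
    _rec("2024-01-10T13:00:00Z", "Start Web App", "carol@example.com", "func-reports"),
]

def _initiator(rec):
    by = rec.get("InitiatedBy") or {}
    return ((by.get("user") or {}).get("userPrincipalName")
            or (by.get("app") or {}).get("displayName") or "unknown")

def _target(rec):
    return ((rec.get("TargetResources") or [{}])[0].get("displayName")) or "unknown"

def _ts(rec):
    return datetime.fromisoformat(rec["TimeGenerated"].replace("Z", "+00:00"))

def matching_events(records):
    """Same filter as the page's query: keep the two watched operations."""
    return [r for r in records if r.get("ActivityDisplayName") in WATCHED]

def update_then_start(records, window=timedelta(minutes=15)):
    """Pairs where one identity updates a site and starts it within `window`."""
    hits, last_update = [], {}
    for rec in sorted(matching_events(records), key=_ts):
        key, when = (_initiator(rec), _target(rec)), _ts(rec)
        if rec["ActivityDisplayName"] == "Update website":
            last_update[key] = when
        elif key in last_update and when - last_update[key] <= window:
            hits.append({"initiator": key[0], "target": key[1],
                         "updated": last_update[key], "started": when})
    return hits
```

Calling `update_then_start(SAMPLE_RECORDS)` returns one pair for the sample data; widening `window` also surfaces the slower pipeline-driven pair.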