
AZT404.2 - Principal Impersonation: Logic Application

An attacker who can modify or run a Logic Application configured with a managed identity or another identity provider can execute Azure operations on a given resource as that identity.

Resource

Logic Application

Actions

  • Microsoft.Logic/workflows/write
  • Microsoft.Logic/workflows/run/action
  • Microsoft.Logic/operations/read

Detections

Logs

| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| Resource | Gets workflow recommend operation groups | Microsoft.Logic/locations/workflows/recommendOperationGroups/action | Azure Activity Log |
| Resource | List Trigger Callback URL | Microsoft.Logic/workflows/triggers/listCallbackUrl/action | Azure Activity Log |
| Resource | Add or Update Connection | Microsoft.Web/connections/write | Azure Activity Log |
| Azure Active Directory | Update website | Microsoft.Web/sites/write | AzureAD Audit Logs |
| Azure Active Directory | Start Web App | Microsoft.Web/sites/start/action | AzureAD Audit Logs |

Queries

```kql
AzureActivity
| where OperationNameValue in (
    "Microsoft.Logic/locations/workflows/recommendOperationGroups/action",
    "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
    "Microsoft.Web/connections/write",
    "Microsoft.Web/sites/write",
    "Microsoft.Web/sites/start/action"
)
```
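The detection above replayed over constructed log rows, as an added example that is not part of the AzTRM page: it applies the same operation-name filter as the KQL query to a JSON-lines export of the AzureActivity table and groups the matches per caller so a responder can see which identity ran which listed operation on which resource. The column names (TimeGenerated, Caller, OperationNameValue, ResourceId) follow the Log Analytics AzureActivity table; the rows, callers, subscription and resource names are constructed.

```python
import json
from collections import defaultdict

# Operation names from the Detections table above (the same set the KQL query matches).
WATCHED_OPERATIONS = {
    "Microsoft.Logic/locations/workflows/recommendOperationGroups/action",
    "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
    "Microsoft.Web/connections/write",
    "Microsoft.Web/sites/write",
    "Microsoft.Web/sites/start/action",
}

# Constructed sample export of the AzureActivity table as JSON lines (not real telemetry).
# Column names follow Log Analytics; callers, subscription and resource names are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers"
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"TimeGenerated": "2024-05-01T10:02:00Z", "Caller": "svc-automation@example.com",
     "OperationNameValue": "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
     "ResourceId": SUB + "/Microsoft.Logic/workflows/wf-invoices"},
    {"TimeGenerated": "2024-05-01T10:01:00Z", "Caller": "svc-automation@example.com",
     "OperationNameValue": "Microsoft.Web/connections/write",
     "ResourceId": SUB + "/Microsoft.Web/connections/conn-demo"},
    {"TimeGenerated": "2024-05-01T10:03:00Z", "Caller": "bob@example.com",
     "OperationNameValue": "Microsoft.Logic/workflows/read",  # not in the watched set
     "ResourceId": SUB + "/Microsoft.Logic/workflows/wf-invoices"},
    {"TimeGenerated": "2024-05-01T10:04:00Z", "Caller": "bob@example.com",
     "OperationNameValue": "Microsoft.Web/sites/start/action",
     "ResourceId": SUB + "/Microsoft.Web/sites/app-demo"},
])

def parse_activity_log(text):
    """Parse a JSON-lines export into row dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_logic_app_activity(rows):
    """Rows whose operation is in the watched set (the same filter as the KQL `where`)."""
    return [r for r in rows if r.get("OperationNameValue") in WATCHED_OPERATIONS]

def summarize_by_caller(rows):
    """Group matched operations by the principal that performed them, ordered by time,
    so a responder sees which identity ran which listed operation on which resource."""
    summary = defaultdict(list)
    for r in find_logic_app_activity(rows):
        summary[r["Caller"]].append((r["TimeGenerated"], r["OperationNameValue"], r["ResourceId"]))
    return {caller: sorted(ops) for caller, ops in summary.items()}

if __name__ == "__main__":
    print(json.dumps(summarize_by_caller(parse_activity_log(SAMPLE_LOG)), indent=2))
```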