AZT404.4 - Principal Impersonation: App Service
By utilizing an App Service configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.
Resource
App Service
Actions
- Microsoft.Web/sites/write
Examples
Detections
Logs
| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| Resource | Update website | Microsoft.Web/sites/write | Azure Activity Logs |
| Resource | Start Web App | Microsoft.Web/sites/start/action | Azure Activity Logs |
Queries
AzureActivity
// in~ compares case-insensitively; OperationNameValue can be recorded in upper case
| where OperationNameValue in~ ("Microsoft.Web/sites/write", "Microsoft.Web/sites/start/action")
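The query above returns every matching record. The following added example (not part of the original page) extends it for triage: it matches the two operations case-insensitively, keeps only completed operations, and groups them by caller and App Service. The datatable rows, caller names, IP addresses and resource IDs are constructed sample data, and the status values "Success"/"Succeeded" are an assumption about how completion is recorded in the workspace; replace SampleActivity with AzureActivity to run it against real logs.

```kusto
// Constructed rows standing in for the AzureActivity table (not real log data).
let SampleActivity = datatable(
    TimeGenerated: datetime, OperationNameValue: string, ActivityStatusValue: string,
    Caller: string, CallerIpAddress: string, _ResourceId: string)
[
    // Upper-case operation name: a case-sensitive == comparison would miss these rows.
    datetime(2024-01-10 09:00:01), "MICROSOFT.WEB/SITES/WRITE", "Start",
        "dev@example.com", "203.0.113.10",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.web/sites/app-demo",
    datetime(2024-01-10 09:00:05), "MICROSOFT.WEB/SITES/WRITE", "Success",
        "dev@example.com", "203.0.113.10",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.web/sites/app-demo",
    datetime(2024-01-10 09:02:00), "Microsoft.Web/sites/start/action", "Success",
        "dev@example.com", "203.0.113.10",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.web/sites/app-demo",
    // Failed attempt by another caller: dropped by the status filter below.
    datetime(2024-01-10 10:15:00), "Microsoft.Web/sites/write", "Failure",
        "ops@example.com", "198.51.100.7",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.web/sites/app-other",
    // Unrelated operation: dropped by the operation filter below.
    datetime(2024-01-10 11:00:00), "Microsoft.Web/sites/read", "Success",
        "dev@example.com", "203.0.113.10",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.web/sites/app-demo"
];
// The two actions listed in the Logs table on this page.
let WatchedOps = dynamic(["Microsoft.Web/sites/write", "Microsoft.Web/sites/start/action"]);
SampleActivity
| where OperationNameValue in~ (WatchedOps)
// Each operation is logged more than once (for example Start, then Success);
// keep only the completion record so one change is counted once.
| where ActivityStatusValue in~ ("Success", "Succeeded")
| summarize
    Operations = make_set(tolower(OperationNameValue)),
    Events = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by Caller, CallerIpAddress, _ResourceId
| order by LastSeen desc
```

With the sample rows this returns one row for dev@example.com on app-demo, listing both operations with Events = 2.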