Azure Suspect App Service Deployment Activity

Triggers

• Modification of an existing Azure Function App Service Deployment Slot with unusual parameters or logic.
• Unusual changes to App Service Deployment Slot triggers.
• Unusual creation or modification of an Azure Functions Deployment Slot by an unexpected or unauthorized user/service principal, potentially indicating malicious activity.

Possible Root Causes

• Compromised Principal Account: An attacker has gained access and is attempting unauthorized modifications.
• Development Activity: A developer is creating or modifying an Azure Function App Service runtime version.
• Automated Deployment: Previously unused deployment scripts are updating the function code or configuration.
• Legitimate Development Process: A developer is creating a new function or modifying an existing one as part of standard operations.

Business Impact

• Exposure of sensitive data through unauthorized access or data leaks.
• Security vulnerabilities exploited due to misconfigured functions.
• Unplanned changes to business logic or workflows.
• Potential data breaches, unauthorized access to sensitive resources, disruption of critical business services, and reputational damage.

Steps to Verify

• Review Azure Activity Logs: Investigate the user/service principal and the created or modified App Service Deployment Slots.
• Investigate Permissions: Check the user's or service principal's access levels within Azure.
• Correlate Security Alerts: Verify if other security alerts or notifications were triggered around the time of the suspicious event.
• Inspect Function Code: Analyze the Azure Function Deployment Slot code for signs of malicious activity.
• Consult Stakeholders: Work with Azure administrators, security teams, and relevant stakeholders to determine the cause and scope of the incident.