Azure Suspect App Service Deployment Activity

Detection overview

Triggers

  • Modification of an existing Azure Function App Service Deployment Slot with unusual parameters or logic.
  • Unusual changes to App Service Deployment Slot triggers.
  • Unusual creation or modification of an Azure Functions Deployment Slot by an unexpected or unauthorized user/service principal, potentially indicating malicious activity.

Possible Root Causes

  • Compromised Principal Account: An attacker has gained access and is attempting unauthorized modifications.
  • Development Activity: A developer is changing the runtime version of an Azure Function App Service.
  • Automated Deployment: Previously unused deployment scripts are updating the function code or configuration.
  • Legitimate Development Process: A developer is creating a new function or modifying an existing one as part of standard operations.

Business Impact

  • Exposure of sensitive data through unauthorized access or data leaks.
  • Security vulnerabilities exploited due to misconfigured functions.
  • Unplanned changes to business logic or workflows.
  • Potential data breaches, unauthorized access to sensitive resources, disruption of critical business services, and reputational damage.

Steps to Verify

  • Review Azure Activity Logs: Investigate the user/service principal and the created or modified App Service Deployment Slots.
  • Investigate Permissions: Check the user's or service principal's access levels within Azure.
  • Correlate Security Alerts: Verify if other security alerts or notifications were triggered around the time of the suspicious event.
  • Inspect Function Code: Analyze the Azure Function Deployment Slot code for signs of malicious activity.
  • Consult Stakeholders: Work with Azure administrators, security teams, and relevant stakeholders to determine the cause and scope of the incident.
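The first three verification steps can be scripted against an Azure Activity Log export. The following is an added example, not part of the original detection description: it flags successful deployment-slot write operations by principals outside an expected set and correlates each hit with security alerts from the same caller in a time window. The allowlist, sample records and alerts are constructed; the record shape is a simplified version of the Activity Log export, and the ARM operation names are the standard ones for slot writes.

```python
"""Triage helper for Azure App Service deployment-slot writes (added example)."""
from datetime import datetime, timedelta

# ARM operation names recorded in the Activity Log when a slot or its config is written.
SLOT_WRITE_OPS = {"Microsoft.Web/sites/slots/write", "Microsoft.Web/sites/slots/config/write"}

# Constructed allowlist: principals (UPN or object id) expected to deploy to slots.
EXPECTED_CALLERS = {"deploy-pipeline@contoso.example", "a1b2c3d4-0000-0000-0000-000000000001"}

# Constructed, simplified Activity Log records (not real data).
SAMPLE_EVENTS = [
    {"operationName": "Microsoft.Web/sites/slots/write", "caller": "deploy-pipeline@contoso.example",
     "resourceId": "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Web/sites/payments-func/slots/staging",
     "eventTimestamp": "2024-03-01T10:00:00Z", "status": "Succeeded"},
    {"operationName": "Microsoft.Web/sites/slots/write", "caller": "jdoe@contoso.example",
     "resourceId": "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Web/sites/payments-func/slots/preprod",
     "eventTimestamp": "2024-03-01T23:41:00Z", "status": "Succeeded"},
    {"operationName": "Microsoft.Web/sites/read", "caller": "jdoe@contoso.example",
     "resourceId": "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Web/sites/payments-func",
     "eventTimestamp": "2024-03-01T23:40:00Z", "status": "Succeeded"},
]

# Constructed alerts from another source (e.g. identity protection), keyed by caller and time.
SAMPLE_ALERTS = [
    {"caller": "jdoe@contoso.example", "time": "2024-03-01T23:15:00Z", "name": "Atypical travel sign-in"},
    {"caller": "asmith@contoso.example", "time": "2024-03-01T23:30:00Z", "name": "Password spray"},
]

def parse_ts(value):
    """Parse the ISO-8601 timestamps used in Activity Log exports (trailing 'Z' allowed)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def slot_name(resource_id):
    """Extract the slot name from a .../sites/<app>/slots/<slot> resource id."""
    parts = resource_id.split("/")
    return parts[parts.index("slots") + 1] if "slots" in parts else None

def unexpected_slot_writes(events, expected_callers=EXPECTED_CALLERS):
    """Step 1: successful slot writes whose caller is not on the expected list."""
    return [e for e in events
            if e["operationName"] in SLOT_WRITE_OPS
            and e.get("status") == "Succeeded"
            and e["caller"] not in expected_callers]

def correlate_alerts(event, alerts, window_minutes=60):
    """Step 3: alerts for the same caller within +/- window of the slot write."""
    t, window = parse_ts(event["eventTimestamp"]), timedelta(minutes=window_minutes)
    return [a for a in alerts if a["caller"] == event["caller"] and abs(parse_ts(a["time"]) - t) <= window]

if __name__ == "__main__":
    for hit in unexpected_slot_writes(SAMPLE_EVENTS):
        print(hit["caller"], slot_name(hit["resourceId"]), [a["name"] for a in correlate_alerts(hit, SAMPLE_ALERTS)])
```

The permission check (step 2) is not scripted here; it requires a role-assignment query against the subscription rather than the Activity Log.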