Validating Azure Defender for App Service Alerts

Published Aug 24 2021 07:00 AM 1,509 Views
Microsoft

Disclaimer

This document is provided “as is.” MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.  This document does not provide you with any legal rights to any intellectual property in any Microsoft product.  You may copy and use this document for your internal, reference purposes.

 

Introduction

Azure Defender for App Service helps organizations be more secure by providing dedicated security analytics for your App Service resources. The purpose of this article is to provide specific guidance on how to validate Azure Defender for App Service alerts, by simulating a suspicious activity on applications running over App Service.

 

Preparation

The first step in validating Azure Defender alerts for App Service is to ensure that Azure Defender for App Service is enabled on the subscription(s) as shown in Figure 1, that you want to use to validate the alert.

Figure 1: Enabling Azure Defender for App Service on target subscription(s)Figure 1: Enabling Azure Defender for App Service on target subscription(s)

Enabling Azure Defender for App Service provides monitoring and threat detection for a multitude of threats to your App Service resources. Additionally, enabling Azure Defender for App Service, surfaces security findings with recommendations on how to harden your resources covered by the App Service plan. To learn more about Azure Defender for App Services, watch this video.  

 

Azure Defender plans can be enabled individually. For the purpose of validating the scenario covered in this article, pre-requisite is to solely enable Azure Defender for App Service.  

 

After enabling Azure Defender for App Service, you need to determine the scenario that you want to validate. Common scenarios that can be simulated range from php uploads, to NMAP scanning, or even Content Management System (CMS) fingerprinting. When determining the scenarios for which you would like to validate Azure Defender alerts, you can also consult the reference guide of Alerts for Azure App Service. Azure Defender for App Service alerts are mapped to and cover almost the complete MITRE ATT&CK tactics from pre-attack to command and control, which can be useful when deciding which scenario(s) you wish to simulate.

In case you wish to solely test that the pipeline is working, there is also a like alert for App Service which can be invoked by making a web request to a “/This_Will_Generate_ASC_Alert” URI. I.e. if your site is named ‘foo’, making a request to https://foo.azurewebsites.net/This_Will_Generate_ASC_Alert, will generate an alert similar to the one shown in Figure 2.

 

Figure 2: EICAR like alert for App ServiceFigure 2: EICAR like alert for App Service

In this article, we will simulate the scenario of accessing a suspicious PHP page located in the upload folder, which will generate the “PHP file in upload folder” alert. This type of folder doesn’t usually contain PHP files and its existence might indicate exploitation taking advantage of arbitrary file upload vulnerabilities.  

 

Implementing

In order to simulate this scenario, you could either use an existing Web App or create a new one. When creating a new Web App, you can deploy a PHP app to Azure App Service on Linux (as a runtime stack select PHP 7.4) The alert that will be generated applies to both App Service on Linux and Windows. Once you’ve created the  App Service Plan and the Web App, install Wordpress 5.8 (including  creating an Azure Database for MySQL server). To learn more about how to create a PHP Web App in Azure App Service, read this guidance.

Note: In most cases, once a new web site is created, it might take up to 12h for alerts related to a newly created web site to appear.

 

To simulate the scenario of accessing a suspicious PHP page located in the upload folder, a PHP page is required. You can use the sample below to create a test PHP page (shown in Figure 3) and save it as a PHP file.

Figure 3: Test PHP pageFigure 3: Test PHP page

Afterwards, navigate to “/wp-content/uploads/2021/08/” (alternatively you can create

Figure 4: Uploading test PHP page to folder in the websiteFigure 4: Uploading test PHP page to folder in the website

Important: After you’ve uploaded the PHP file to this folder, you need to browse to this PHP page using a browser (similarly to Figure 5). Please note that the output on the page, will depend on the code in your test PHP file.

 

Figure 5: Browse to test PHP file using your browserFigure 5: Browse to test PHP file using your browser

Validating

 

Once Azure Defender for App Service generates the alert on target subscription(s), you can find it in the “Security alerts” section of the Azure Security Center dashboard. Selecting the generated alert (in this case “PHP file in upload folder”) will open a blade, which provides more context and rich metadata about the alert (similar to Figure 6).

Figure 6: “PHP file in upload folder” Security AlertFigure 6: “PHP file in upload folder” Security Alert

When validating the alerts, be sure to consult the full list of App Service alerts.

You can also export Azure Defender alerts to a SIEM (i.e. Azure Sentinel or 3rd party SIEM).

 

Final Considerations

Azure Defender for App Service is all about providing threat detection and security recommendations for applications running over App Service. This article  focuses on validating alerts for Azure Defender for App Service, by simulating a specific scenario, namely accessing a suspicious PHP page located in the upload folder. Properly executing the steps outlined in this article generates the security alert “PHP file in upload folder”. This article is not intended to cover all scenarios, but it does provide real value as you get started with validating Azure Defender for App Service alerts. Remember to keep an eye out for other article from this series, which can be found on our official ASC Tech Community.

 

Reviewers:

@Yuri Diogenes, Principal PM

@Tomer Spivak, Senior PM

 

Contributors:

Dotan Patrich, Principal Software Engineer,

Yossi Weizman, Senior Security Researcher

Ram Pliskin, Senior Security Researcher Manager

Lior Arviv, Senior PM

%3CLINGO-SUB%20id%3D%22lingo-sub-2656230%22%20slang%3D%22en-US%22%3EValidating%20Azure%20Defender%20for%20App%20Service%20Alerts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2656230%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EDisclaimer%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EThis%20document%20is%20provided%20%E2%80%9Cas%20is.%E2%80%9D%20MICROSOFT%20MAKES%20NO%20WARRANTIES%2C%20EXPRESS%20OR%20IMPLIED%2C%20IN%20THIS%20DOCUMENT.%26nbsp%3B%20This%20document%20does%20not%20provide%20you%20with%20any%20legal%20rights%20to%20any%20intellectual%20property%20in%20any%20Microsoft%20product.%26nbsp%3B%20You%20may%20copy%20and%20use%20this%20document%20for%20your%20internal%2C%20reference%20purposes.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%3EIntroduction%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EAzure%20Defender%20for%20App%20Service%20helps%20organizations%20be%20more%20secure%20by%20providing%20dedicated%20security%20analytics%20for%20your%20App%20Service%20resources.%20The%20purpose%20of%20this%20article%20is%20to%20provide%20specific%20guidance%20on%20how%20to%20validate%20Azure%20Defender%20for%20App%20Service%20alerts%2C%20by%20simulating%20a%20suspicious%20activity%20on%20applications%20running%20over%20App%20Service.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%3EPreparation%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EThe%20first%20step%20in%20validating%20Azure%20Defender%20alerts%20for%20App%20Service%20is%20to%20ensure%20that%20Azure%20Defender%20for%20App%20Service%20is%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fenable-azure-defender%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eenabled%3C%2FA%3E%20on%20the%20subscription(s)%20as%20shown%20in%20Figure%201%2C%20that%20you%20want%20to%20use%20to%20validate%20the%20alert.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22BojanMagusic_12-1629207637396.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F303754iC1C5E5770DE2DC80%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22BojanMagusic_12-1629207637396.png%22%20alt%3D%22Figure%201%3A%20Enabling%20Azure%20Defender%20for%20App%20Service%20on%20target%20subscription(s)%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EFigure%201%3A%20Enabling%20Azure%20Defender%20for%20App%20Service%20on%20target%20subscription(s)%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3EEnabling%20Azure%20Defender%20for%20App%20Service%20provides%20monitoring%20and%20threat%20detection%20for%20a%20multitude%20of%20threats%20to%20your%20App%20Service%20resources.%20Additionally%2C%20enabling%20Azure%20Defender%20for%20App%20Service%2C%20surfaces%20security%20findings%20with%20recommendations%20on%20how%20to%20harden%20your%20resources%20covered%20by%20the%20App%20Service%20plan.%20To%20learn%20more%20about%20Azure%20Defender%20for%20App%20Services%2C%20watch%20%3CA%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DWtbAcN97p5A%26amp%3Blist%3DPL3ZTgFEc7LysTt_FBVZ1Bw8CyyyPraHGr%26amp%3Bindex%3D31%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ethis%20video%3C%2FA%3E.%20%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EAzure%20Defender%20plans%20can%20be%20enabled%20individually.%20For%20the%20purpose%20of%20validating%20the%20scenario%20covered%20in%20this%20article%2C%20pre-requisite%20is%20to%20solely%20enable%20Azure%20Defender%20for%20App%20Service.%20%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EAfter%20enabling%20Azure%20Defender%20for%20App%20Service%2C%20you%20need%20to%20determine%20the%20scenario%20that%20you%20want%20to%20validate.%20Common%20scenarios%20that%20can%20be%20simulated%20range%20from%20php%20uploads%2C%20to%20NMAP%20scanning%2C%20or%20even%20Content%20Management%20System%20(CMS%3C%2FSPAN%3E%3CSPAN%3E)%20fingerprinting.%20When%20determining%20the%20scenarios%20for%20which%20you%20would%20like%20to%20validate%20Azure%20Defender%20alerts%2C%20you%20can%20also%20consult%20the%20reference%20guide%20of%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Falerts-reference%23alerts-azureappserv%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAlerts%20for%20Azure%20App%20Service%3C%2FA%3E.%20Azure%20Defender%20for%20App%20Service%20alerts%20are%20mapped%20to%20and%20cover%20almost%20the%20complete%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fdefender-for-app-service-introduction%23what-threats-can-azure-defender-for-app-service-detect%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMITRE%20ATT%26amp%3BCK%20tactics%3C%2FA%3E%20from%20pre-attack%20to%20command%20and%20control%2C%20which%20can%20be%20useful%20when%20deciding%20which%20scenario(s)%20you%20wish%20to%20simulate.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EIn%20case%20you%20wish%20to%20solely%20test%20that%20the%20pipeline%20is%20working%2C%20there%20is%20also%20a%20%3C%2FSPAN%3E%3CSPAN%3Elike%20alert%20for%20App%20Service%20which%20can%20be%20invoked%20by%20making%20a%20web%20request%20to%20a%20%E2%80%9C%3CEM%3E%2FThis_Will_Generate_ASC_Alert%3C%2FEM%3E%E2%80%9D%20URI.%20I.e.%20if%20your%20site%20is%20named%20%E2%80%98foo%E2%80%99%2C%20making%20a%20request%20to%20%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Ffoo.azurewebsites.net%252FThis_Will_Generate_ASC_Alert%26amp%3Bdata%3D04%257C01%257CBojan.Magusic%2540microsoft.com%257C377ae82ed5d441347def08d957834354%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637637043600436113%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3DSbZvXcHi0KX6XHGaqGNIJmJDra2jPxhN2J8ojNn7ouM%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Ffoo.azurewebsites.net%2FThis_Will_Generate_ASC_Alert%3C%2FA%3E%2C%20will%20generate%20an%20alert%20similar%20to%20the%20one%20shown%20in%20Figure%202.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22BojanMagusic_13-1629207637405.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F303755i246A71560CCF4DED%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22BojanMagusic_13-1629207637405.png%22%20alt%3D%22Figure%202%3A%20EICAR%20like%20alert%20for%20App%20Service%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EFigure%202%3A%20EICAR%20like%20alert%20for%20App%20Service%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EIn%20this%20article%2C%20we%20will%20simulate%20the%20scenario%20of%20accessing%20a%20suspicious%20PHP%20page%20located%20in%20the%20upload%20folder%2C%20which%20will%20generate%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Falerts-reference%23alerts-azureappserv%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%E2%80%9CPHP%20file%20in%20upload%20folder%E2%80%9D%3C%2FA%3E%20alert.%20This%20type%20of%20folder%20doesn%E2%80%99t%20usually%20contain%20PHP%20files%20and%20its%20existence%20might%20indicate%20exploitation%20taking%20advantage%20of%20arbitrary%20file%20upload%20vulnerabilities.%20%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EImplementing%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EIn%20order%20to%20simulate%20this%20scenario%2C%20you%20%3C%2FSPAN%3E%3CSPAN%3Ecould%20either%20use%20an%20existing%20Web%20App%20or%20create%20a%20new%20one.%20When%20creating%20a%20new%20Web%20App%2C%20you%20can%20deploy%20a%20PHP%20app%20to%20Azure%20App%20Service%20on%20Linux%20(as%20a%20runtime%20stack%20select%20PHP%207.4)%20The%20alert%20that%20will%20be%20generated%20applies%20to%20both%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Falerts-reference%23alerts-azureappserv%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EApp%20Service%20on%20Linux%20and%20Windows%3C%2FA%3E.%20Once%20you%E2%80%99ve%20created%20the%20%26nbsp%3BApp%20Service%20Plan%20and%20the%20Web%20App%2C%20install%20Wordpress%205.8%20(including%20%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ecreating%20an%20Azure%20Database%20for%20MySQL%20server).%20To%20learn%20more%20about%20how%20to%20create%20a%20PHP%20Web%20App%20in%20Azure%20App%20Service%2C%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fapp-service%2Fquickstart-php%3Fpivots%3Dplatform-linux%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eread%20this%20guidance%3C%2FA%3E.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ENote%3CU%3E%3A%3C%2FU%3E%20In%20most%20cases%2C%20once%20a%20new%20web%20site%20is%20created%2C%20it%20might%20take%20up%20to%2012h%20for%20alerts%20related%20to%20a%20newly%20created%20web%20site%20to%20appear.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ETo%20simulate%20the%20scenario%20of%20accessing%20a%20suspicious%20PHP%20page%20located%20in%20the%20upload%20folder%2C%20a%20PHP%20page%20is%20required.%20You%20can%20use%20the%20sample%20below%20to%20create%20a%20test%20PHP%20page%20(shown%20in%20Figure%203)%20and%20save%20it%20as%20a%20PHP%20file.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22BojanMagusic_14-1629207637409.png%22%20style%3D%22width%3A%20968px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F303753iA1DBDA3B218DF895%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22BojanMagusic_14-1629207637409.png%22%20alt%3D%22Figure%203%3A%20Test%20PHP%20page%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EFigure%203%3A%20Test%20PHP%20page%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EAfterwards%2C%20navigate%20to%20%E2%80%9C%3CEM%3E%2Fwp-content%2Fuploads%2F2021%2F08%2F%3C%2FEM%3E%E2%80%9D%20(alternatively%20you%20can%20create%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22BojanMagusic_15-1629207637415.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F303757i3CBE4AE9B1E42F80%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22BojanMagusic_15-1629207637415.png%22%20alt%3D%22Figure%204%3A%20Uploading%20test%20PHP%20page%20to%20folder%20in%20the%20website%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EFigure%204%3A%20Uploading%20test%20PHP%20page%20to%20folder%20in%20the%20website%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3E%3CSPAN%3EImportant%3C%2FSPAN%3E%3C%2FU%3E%3C%2FSTRONG%3E%3CSPAN%3E%3A%20After%20you%E2%80%99ve%20%3C%2FSPAN%3E%3CSPAN%3Euploaded%20the%20PHP%20file%20to%20this%20folder%2C%20you%20need%20to%20browse%20to%20this%20PHP%20page%20using%20a%20browser%20(similarly%20to%20Figure%205).%20Please%20note%20that%20the%20output%20on%20the%20page%2C%20will%20depend%20on%20the%20code%20in%20your%20test%20PHP%20file.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22BojanMagusic_16-1629207637416.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F303756i38E0A2BE3AEE0626%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22BojanMagusic_16-1629207637416.png%22%20alt%3D%22Figure%205%3A%20Browse%20to%20test%20PHP%20file%20using%20your%20browser%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EFigure%205%3A%20Browse%20to%20test%20PHP%20file%20using%20your%20browser%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EValidating%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EOnce%20Azure%20Defender%20for%20App%20Service%20generates%20the%20alert%20on%20target%20subscription(s)%2C%20you%20can%20find%20it%20in%20the%20%E2%80%9C%3CEM%3ESecurity%20alerts%3C%2FEM%3E%E2%80%9D%20section%20of%20the%20Azure%20Security%20Center%20dashboard.%20Selecting%20the%20generated%20alert%20(in%20this%20case%20%E2%80%9C%3CEM%3EPHP%20file%20in%20upload%20folder%3C%2FEM%3E%E2%80%9D)%20will%20open%20a%20blade%2C%20which%20provides%20more%20context%20and%20rich%20metadata%20about%20the%20alert%20(similar%20to%20Figure%206).%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22BojanMagusic_17-1629207637423.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F303758i528D8B097EBC1166%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22BojanMagusic_17-1629207637423.png%22%20alt%3D%22Figure%206%3A%20%E2%80%9CPHP%20file%20in%20upload%20folder%E2%80%9D%20Security%20Alert%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EFigure%206%3A%20%E2%80%9CPHP%20file%20in%20upload%20folder%E2%80%9D%20Security%20Alert%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EWhen%20validating%20the%20alerts%2C%20be%20sure%20to%20consult%20the%20%3CA%20style%3D%22background-color%3A%20%23ffffff%3B%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Falerts-reference%23alerts-azureappserv%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Efull%20list%20of%20App%20Service%20alerts%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EYou%20can%20also%20export%20Azure%20Defender%20alerts%20to%20a%20SIEM%20(i.e.%20Azure%20Sentinel%20or%203%3CSUP%3Erd%3C%2FSUP%3E%20party%20SIEM).%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fexport-to-siem%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ELearn%20more%20about%20how%20to%20stream%20alerts%20to%20a%20SIEM%2C%20SOAR%20or%20ITSM.%3C%2FA%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-security-center%2Finvestigate-azure-security-center-alerts-using-azure-sentinel%2Fba-p%2F1986759%22%20target%3D%22_blank%22%3ELearn%20more%20about%20how%20to%20investigate%20Azure%20Security%20Center%20alerts%20using%20Azure%20Sentinel.%20%3C%2FA%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ELearn%20more%20about%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fanalysing-web-shell-attacks-with-azure-defender-data-in-azure%2Fba-p%2F1724130%22%20target%3D%22_blank%22%3EAnalysing%20Web%20Shell%20Attacks%20with%20Azure%20Defender%20data%20in%20Azure%20Sentinel%20-%20Microsoft%20Tech%20Community%3C%2FA%3E.%20%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%3EFinal%20Considerations%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EAzure%20Defender%20for%20App%20Service%20is%20all%20about%20providing%20threat%20detection%20and%20security%20recommendations%20for%20applications%20running%20over%20App%20Service.%20This%20article%20%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Efocuses%20on%20validating%20alerts%20for%20Azure%20Defender%20for%20App%20Service%2C%20by%20simulating%20a%20specific%20scenario%2C%20namely%20accessing%20a%20suspicious%20PHP%20page%20located%20in%20the%20upload%20folder.%20Properly%20executing%20the%20steps%20outlined%20in%20this%20article%20generates%20the%20security%20alert%20%E2%80%9C%3CEM%3EPHP%20file%20in%20upload%20folder%3C%2FEM%3E%E2%80%9D.%20This%20article%20is%20not%20intended%20to%20cover%20all%20scenarios%2C%20but%20it%20does%20provide%20real%20value%20as%20you%20get%20started%20with%20validating%20Azure%20Defender%20for%20App%20Service%20alerts.%20Remember%20to%20keep%20an%20eye%20out%20for%20other%20article%20from%20this%20series%2C%20which%20can%20be%20found%20on%20our%20official%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-security-center%2Fbg-p%2FAzureSecurityCenterBlog%22%20target%3D%22_blank%22%3EASC%20Tech%20Community%3C%2FA%3E.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%3EReviewers%3A%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F124214%22%20target%3D%22_blank%22%3E%40Yuri%20Diogenes%3C%2FA%3E%2C%20Principal%20PM%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%40Tomer%20Spivak%2C%20Senior%20PM%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%3EContributors%3A%20%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EDotan%20Patrich%2C%20Principal%20Software%20Engineer%2C%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EYossi%20Weizman%2C%20Senior%20Security%20Researcher%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ERam%20Pliskin%2C%20Senior%20Security%20Researcher%20Manager%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ELior%20Arviv%2C%20Senior%20PM%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Co-Authors
Version history
Last update:
‎Aug 30 2021 10:05 AM
Updated by: