Validating Microsoft Defender for App Service Alerts
Disclaimer This document is provided “as is.” MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. Introduction Microsoft Defender for App Service helps organizations be more secure by providing dedicated security analytics for your App Service resources. The purpose of this article is to provide specific guidance on how to validate Microsoft Defender for App Service alerts, by simulating a suspicious activity on applications running over App Service. Preparation The first step in validating Microsoft Defender alerts for App Service is to ensure that Microsoft Defender for App Service is enabled on the subscription(s) as shown in Figure 1, that you want to use to validate the alert. Enabling Microsoft Defender for App Service provides monitoring and threat detection for a multitude of threats to your App Service resources. Additionally, enabling Microsoft Defender for App Service, surfaces security findings with recommendations on how to harden your resources covered by the App Service plan. To learn more about Microsoft Defender for App Services, watch this video. Microsoft Defender for Cloud plans can be enabled individually. For the purpose of validating the scenario covered in this article, pre-requisite is to solely enable Microsoft Defender for App Service. After enabling Microsoft Defender for App Service, you need to determine the scenario that you want to validate. Common scenarios that can be simulated range from php uploads, to NMAP scanning, or even Content Management System (CMS) fingerprinting. When determining the scenarios for which you would like to validate alerts, you can also consult the reference guide of Alerts for Azure App Service. Microsoft Defender for App Service alerts are mapped to and cover almost the complete MITRE ATT&CK tactics from pre-attack to command and control, which can be useful when deciding which scenario(s) you wish to simulate. In case you wish to solely test that the pipeline is working, there is also a like alert for App Service which can be invoked by making a web request to a “/This_Will_Generate_ASC_Alert” URI. I.e. if your site is named ‘foo’, making a request to https://foo.azurewebsites.net/This_Will_Generate_ASC_Alert, will generate an alert similar to the one shown in Figure 2. In this article, we will simulate the scenario of accessing a suspicious PHP page located in the upload folder, which will generate the “PHP file in upload folder” alert. This type of folder doesn’t usually contain PHP files and its existence might indicate exploitation taking advantage of arbitrary file upload vulnerabilities. Implementing In order to simulate this scenario, you could either use an existing Web App or create a new one. When creating a new Web App, you can deploy a PHP app to Azure App Service on Linux (as a runtime stack select PHP 7.4) The alert that will be generated applies to both App Service on Linux and Windows. Once you’ve created the App Service Plan and the Web App, install Wordpress 5.8 (including creating an Azure Database for MySQL server). To learn more about how to create a PHP Web App in Azure App Service, read this guidance. Note: In most cases, once a new web site is created, it might take up to 12h for alerts related to a newly created web site to appear. To simulate the scenario of accessing a suspicious PHP page located in the upload folder, a PHP page is required. You can use the sample below to create a test PHP page (shown in Figure 3) and save it as a PHP file. Afterwards, navigate to “/wp-content/uploads/2021/08/” and upload the file. Important: After you’ve uploaded the PHP file to this folder, you need to browse to this PHP page using a browser (similarly to Figure 5). Please note that the output on the page, will depend on the code in your test PHP file. Validating Once Microsoft Defender for App Service generates the alert on target subscription(s), you can find it in the “Security alerts” section of the Microsoft Defender for Cloud dashboard. Selecting the generated alert (in this case “PHP file in upload folder”) will open a blade, which provides more context and rich metadata about the alert (similar to Figure 6). When validating the alerts, be sure to consult the full list of App Service alerts. You can also export Microsoft Defender for Cloud alerts to a SIEM (i.e. Azure Sentinel or 3 rd party SIEM). Learn more about how to stream alerts to a SIEM, SOAR or ITSM. Learn more about how to investigate Microsoft Defender for Cloud alerts using Azure Sentinel. Learn more about Analysing Web Shell Attacks with Microsoft Defender for Cloud data in Azure Sentinel - Microsoft Tech Community. Final Considerations Microsoft Defender for App Service is all about providing threat detection and security recommendations for applications running over App Service. This article focuses on validating alerts for Microsoft Defender for App Service, by simulating a specific scenario, namely accessing a suspicious PHP page located in the upload folder. Properly executing the steps outlined in this article generates the security alert “PHP file in upload folder”. This article is not intended to cover all scenarios, but it does provide real value as you get started with validating Microsoft Defender for App Service alerts. Remember to keep an eye out for other article from this series, which can be found on our official ASC Tech Community. Reviewers: @Yuri Diogenes, Principal PM @Tomer Spivak, Senior PM Contributors: Dotan Patrich, Principal Software Engineer, Yossi Weizman, Senior Security Researcher Ram Pliskin, Senior Security Researcher Manager Lior Arviv, Senior PM
New innovations to protect custom AI applications with Defender for Cloud
Today’s blog post introduced new capabilities to enhance AI security and governance across multi-model and multi-cloud environments. This follow-on blog post dives deeper into how Microsoft Defender for Cloud can help organizations protect their custom-built AI applications. The AI revolution has been transformative for organizations, driving them to integrate sophisticated AI features and products into their existing systems to maintain a competitive edge. However, this rapid development often outpaces their ability to establish adequate security measures for these advanced applications. Moreover, traditional security teams frequently lack the visibility and actionable insights needed, leaving organizations vulnerable to increasingly sophisticated attacks and struggling to protect their AI resources. To address these challenges, we are excited to announce the general availability (GA) of threat protection for AI services, a capability that enhances threat protection in Microsoft Defender for Cloud. Starting May 1, 2025, the new Defender for AI Services plan will support models in Azure AI and Azure OpenAI Services. Note: Effective May 1, 2025, the price for Defender for AI Services will change to $0.002 per 1,000 tokens per month (USD – list price). “Security is paramount at Icertis. That’s why we've partnered with Microsoft to host our Contract Intelligence platform on Azure, fortified by Microsoft Defender for Cloud. As large language models (LLMs) became mainstream, our Icertis ExploreAI Service leveraged generative AI and proprietary models to transform contract management and create value for our customers. Microsoft Defender for Cloud emerged as our natural choice for the first line of defense against AI-related threats. It meticulously evaluates the security of our Azure OpenAI deployments, monitors usage patterns, and promptly alerts us to potential threats. These capabilities empower our Security Operations Center (SOC) teams to make more informed decisions based on AI detections, ensuring that our AI-driven contract management remains secure, reliable, and ahead of emerging threats.” Subodh Patil, Principal Cyber Security Architect at Icertis With these new threat protection capabilities, security teams can: Monitor suspicious activity in Azure AI resources, abiding by security frameworks like the OWASP Top 10 threats for LLM applications to defend against attacks on AI applications, such as direct and indirect prompt injections, wallet abuse, suspicious access to AI resources, and more. Triage and act on detections using contextual and insightful evidence, including prompt and response evidence, application and user context, grounding data origin breadcrumbs, and Microsoft Threat Intelligence details. Gain visibility from cloud to code (right to left) for better posture discovery and remediation by translating runtime findings into posture insights, like smart discovery of grounding data sources. Requires Defender CSPM posture plan to be fully utilized. Leverage frictionless onboarding with one-click, agentless enablement on Azure resources. This includes native integrations to Defender XDR, enabling advanced hunting and incident correlation capabilities. Detect and protect against AI threats Defender for Cloud helps organizations secure their AI applications from the latest threats. It identifies vulnerabilities and protects against sophisticated attacks, such as jailbreaks, invisible encodings, malicious URLs, and sensitive data exposure. It also protects against novel threats like ASCII smuggling, which could otherwise compromise the integrity of their AI applications. Defender for Cloud helps ensure the safety and reliability of critical AI resources by leveraging signals from prompt shields, AI analysis, and Microsoft Threat Intelligence. This provides comprehensive visibility and context, enabling security teams to quickly detect and respond to suspicious activities. Prompt analysis-based detections aren’t the full story. Detections are also designed to analyze the application and user behavior to detect anomalies and suspicious behavior patterns. Analysts can leverage insights into user context, application context, access patterns, and use Microsoft Threat Intelligence tools to uncover complex attacks or threats that escape prompt-based content filtering detectors. For example, wallet attacks are a common threat where attackers aim to cause financial damage by abusing resource capacity. These attacks often appear innocent because the prompts' content looks harmless. However, the attacker's intention is to exploit the resource capacity when left unconstrained. While these prompts might go unnoticed as they don't contain suspicious content, examining the application's historical behavior patterns can reveal anomalies and lead to detection. Respond and act on AI detections effectively The lack of visibility into AI applications is a real struggle for security teams. The detections contain evidence that is hard or impossible for most SOC analysts to access. For example, in the below credential exposure detection, the user was able to solicit secrets from the organizational data connected to the Contoso Outdoors chatbot app. How would the analyst go about understanding this detection? The detection evidence shows the user prompt and the model response (secrets are redacted). The evidence also explicitly calls out what kind of secret was exposed. The prompt evidence of this suspicious interaction is rarely stored, logged, or accessible anywhere outside the detection. The prompt analysis engine also tied the user request to the model response, making sense of the interaction. What is most helpful in this specific detection is the application and user context. The application name instantly assists the SOC in determining if this is a valid scenario for this application. Contoso Outdoors chatbot is not supposed to access organizational secrets, so this is worrisome. Next, the user context reveals who was exposed to the data, through what IP (internal or external) and their supposed intention. Most AI applications are built behind AI gateways, proxies, or Azure API Management (APIM) instances, making it challenging for SOC analysts to obtain these details through conventional logging methods or network solutions. Defender for Cloud addresses this issue by using a straightforward approach that fetches these details directly from the application’s API request to Azure AI. Now, the analyst can reach out to the user (internal) or block (external) the identity or the IP. t about Contoso Outdoors AI application, showing user context details of IP and identity. Finally, to resolve this incident, the SOC analyst intends to remove and decommission the secret to mitigate the impact of the exposure. The final piece of evidence presented reveals the origin of the exposed data. This evidence substantiates the fact that the leak is genuine and originates from internal organizational data. It also provides the analyst with a critical breadcrumb trail to successfully remove the secret from the data store and communicate with the owner on next steps. Trace the invisible lines between your AI application and the grounding sources Defender for Cloud excels in continuous feedback throughout the application lifecycle. While posture capabilities help triage detections, runtime protection provides crucial insights from traffic analysis, such as discovering data stores used for grounding AI applications. The AI application's connection to these stores is often hidden from current control or data plane tools. The credential leak example provided a real-world connection that was then integrated into our resource graph, uncovering previously overlooked data stores. Tagging these stores improves attack path and risk factor identification during posture scanning, ensuring safe configuration. This approach reinforces the feedback loop between runtime protection and posture assessment, maximizing cloud-native application protection platform (CNAPP) effectiveness. Align with AI security frameworks Our guiding principle is widely recognized by OWASP Top 10 for LLMs. By combining our posture capabilities with runtime monitoring, we can comprehensively address a wide range of threats, enabling us to proactively prepare for and detect AI-specific breaches with Defender for Cloud. As the industry evolves and new regulations emerge, frameworks such as OWASP, the EU AI Act, and NIST 600-1 are shaping security expectations. Our detections are aligned with these frameworks as well as the MITRE ATLAS framework, ensuring that organizations stay compliant and are prepared for future regulations and standards. Get started with threat protection for AI services To get started with threat protection capabilities in Defender for Cloud, it’s as simple as one-click to enable it on your relevant subscription in Azure. The integration is agentless and requires zero intervention in the application dev lifecycle. More importantly, the native integration directly inside Azure AI pipeline does not entail scale or performance degradation in the application runtime. Consuming the detections is easy, it appears in Defender for Cloud’s portal, but is also seamlessly connected to Defender XDR and Sentinel, leveraging the existing connectors. SOC analysts can leverage the correlation and analysis capabilities of Defender XDR from day one. Explore these capabilities today with a free 30-day trial*. You can leverage your existing AI application and simply enable the “AI workloads” plan on your chosen subscription to start detecting and responding to AI threats. *Trial free period is limited to up to 75B tokens scanned. Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9. Explore additional resources Learn more about Runtime protection Learn more about Posture capabilities Watch the Defender for Cloud in the Field episode on securing AI applications Get started with Defender for CloudRSAC 2025 new Microsoft Sentinel connectors announcement
Microsoft Sentinel is a leading cloud-native security information and event management (SIEM) solution that helps organizations confidently detect, investigate and respond to threats across their multi-cloud, multiplatform environments. Microsoft Sentinel offers seamless integration of data from both Microsoft and third-party sources for a comprehensive view across the entire digital environment. We are very pleased to share the latest Microsoft Sentinel integrations from our valued Independent Software Vendor (ISV) partners that allow you to seamlessly connect your existing security solutions with Microsoft Sentinel and benefit from robust analytics and automation capabilities to strengthen your defenses against evolving cyber threats. Featured ISVs Google Threat Intelligence for Microsoft Sentinel The Google Threat Intelligence Solution for Microsoft Sentinel integrates Google's extensive threat intelligence with Microsoft Sentinel to enrich security investigations. This solution automates the process of gathering intelligence on indicators like IPs, file hashes, and URLs, providing valuable context and improving the accuracy and efficiency of incident response. Infoblox App for Microsoft Sentinel The Infoblox App for Microsoft Sentinel enhances Security Operations Centers (SOC) by integrating actionable intelligence and contextual network data derived from DNS data into Microsoft Sentinel. This integration provides SOC analysts with tools to quickly identify and respond to potential threats such as malware and data exfiltration, improving overall security posture. This integration offers seamless configuration, intuitive dashboards, and unique DNS-based threat intelligence to streamline threat detection and response. Netskope Data Connector for Microsoft Sentinel Built on the CCP, this connector seamlessly streams CASB alerts, DLP incidents, and threat logs into Microsoft Sentinel, delivering real-time visibility and actionable insights. With a one-click setup and automated data flow, the integration simplifies incident management. This empowers security teams to focus on rapid incident response and proactive policy enforcement, boosting both security posture and operational efficiency. New and notable Dragos Platform for Microsoft Sentinel Integration The Dragos Platform integration with Microsoft Sentinel streamlines IT/OT security by providing visibility into OT assets, threats, and vulnerabilities for industrial environments. This integration enables customers to seamlessly incorporate OT-specific threat detection into their existing IT security workflows, creating a unified approach to managing alerts. Jamf Protect for Microsoft Sentinel The Jamf Protect for Microsoft Sentinel solution provides comprehensive Apple Endpoint Security insights by integrating detailed event data from macOS endpoints into a Microsoft Sentinel workspace. This integration offers full visibility into security events through Workbooks, Analytic Rules, and Unified Logging events captured by Jamf Protect. Additionally, it includes tools such as Hunting Queries, Playbooks, and a Data Connector to enhance incident investigation and automated actions. Trigger Torq Workflows from Microsoft Sentinel Incidents The Torq Sentinel Solution triggers Torq workflows directly from Microsoft Sentinel incidents, simplifying the setup process and streamlining the deployment of Hyperautomated Microsoft Sentinel workflows. When new incidents are created or existing incidents are updated in Microsoft Sentinel, Torq leverages Hyperautomation and agentic AI to help eliminate false positives, create and prioritize comprehensive security cases, and help autonomously remediate incidents to enhance SOC teams’ efficiency. ZeroFox Alerts & CTI Connectors for Microsoft Sentinel The ZeroFox Alerts & CTI Connectors for Microsoft Sentinel allows you to ingest ZeroFox alert data into Microsoft Sentinel. This integration leverages a global data collection engine, AI-based analysis, and automated remediation to help protect your digital assets and data from threats at the scale and speed of the internet. It enables organizations to visualize and analyze these threats directly from Microsoft Sentinel, improving security posture through correlation with other internal IT and security data sources. Solutions now available for Microsoft Sentinel Microsoft Sentinel now offers a range of solutions. Alongside commercially supported integrations, the Microsoft Sentinel content hub connects you to hundreds of community-based solutions and thousands of practitioner contributions. You can find more details and setup instructions for these integrations via the content hub in Microsoft Sentinel. Microsoft’s Sentinel Promise to customers For customers migrating to Sentinel, Microsoft offers the Sentinel Promise program backed by App Assure. This initiative ensures ISVs receive the support they need to build high-quality connectors. Read our recent announcement to learn how our Sentinel Promise helps promote seamless integration of your essential data sources. Message to our partners We deeply appreciate the unwavering collaboration and valuable contributions of our partners. Your steadfast partnership has been crucial in delivering the most comprehensive, timely insights and security value to our mutual customers. We are grateful to be working together to enhance the security landscape. Security is indeed a team effort, and your dedication and innovation are instrumental in our collective success. We aim for these new partner solutions to provide significant value and welcome your feedback and suggestions. We continually work on enhancing Microsoft Sentinel and expanding its partner ecosystem. Please stay informed of further updates and announcements. Learn more Microsoft’s commitment to security Microsoft’s Secure Future Initiative Unified SecOps | SIEM and XDR solutions Unified Platform documentation | Microsoft Defender XDR What else is new with Microsoft Sentinel? Microsoft Sentinel product home Microsoft Sentinel content hub catalog Microsoft's Sentinel Promise What’s new with Microsoft Sentinel at Secure 2025 Exciting new Microsoft Sentinel connectors announcement at Ignite 2024 Additional resources Best practices for partners integrating with Microsoft Sentinel What's New: Create your own codeless data connector Latest Microsoft Tech Community Sentinel blog announcements Microsoft Sentinel pricing Microsoft Sentinel customer stories Microsoft Sentinel documentationApp Assure’s promise: Migrate to Sentinel with confidence
In today's evolving cyber-threat landscape, enterprises need the most up-to-date tools for detection, investigation, and response. Cloud-native, AI-driven solutions like Microsoft's Sentinel provide businesses with faster implementation, greater integration and automation capabilities, and intelligent event correlation. But when moving from on-prem to the cloud, or from one SIEM to another, migrating can seem risky and complex for Security Operations Centers (SOCs) that have spent years investing in customized solutions. One challenge businesses face is how to port over third-party connectors, especially ones processing large data volumes, which can reach terabytes per day. For customers with such needs, Microsoft has built the Codeless Connector Platform (CCP) in Microsoft Sentinel. Microsoft Sentinel’s Codeless Connector Platform reduces friction for enterprises migrating to the cloud For enterprises ready to modernize their security operations, Microsoft recommends leveraging integrations built on CCP. These integrations are built to handle large data workloads and provide a number of powerful benefits: CCP connectors are a scalable and reliable SaaS offering, capable of handling high-volume data ingestion effortlessly. Its Data Collection Rules (DCRs) enable log filtering and transformation at ingestion, reducing data volume and lowering costs. CCP also streamlines installation and deployment. What formerly took hundreds of lines of code to configure, now takes a few simple mouse clicks. CCP communication is conducted privately between Microsoft services without being exposed to the public internet, thus aligning with Microsoft's security best practices to provide a secure and robust integration environment. What makes CCP an even more compelling and powerful tool is that our App Assure team stands behind the platform to uphold Microsoft’s Sentinel compatibility promise. Microsoft’s Sentinel promise How App Assure delivers on this promise Backed by Microsoft engineering, App Assure is here to help. If a Microsoft Sentinel ISV solution is not yet available or you have an issue with a solution already published by an ISV, App Assure may be able to assist with the following customer scenarios: Working with ISVs to develop new CCP solutions. Working with ISVs to add new features to existing CCP solutions. For supported scenarios, an App Assure Manager will be assigned to guide you through the process, ensuring you can leverage the full power of Sentinel. For customer scenarios that are not supported, App Assure will help you identify available resources. To engage App Assure and learn more about what we support, submit a request for assistance. Partner Testimonials App Assure has already been working with many ISVs on behalf of our customers to fulfil Microsoft’s Sentinel promise. Two recent engagements where we facilitated the integration of tools that our customers rely on include: 1Password NetskopeHow to use KQL to associate alerts with incidents?
There is no method I'm aware of to use KQL to query from an alertID to an incident or vice versa. Please provide kql examples for querying between XDR incidents and alerts. These queries should be independent of the SecurityIncident table which is only available when Sentinel is connected to XDR. Thank you.
Sentinel incident playbook - get alert entities
Hi! My main task is to get all alerts (alerts, not incidents) from sentinel (analytics rules and Defender XDR) to external case management. For different reasons we need to do this on alert level. Alert trigger by design works perfectly, but this does not trigger on Defender alerts on Sentinel, only analytic rules. When using Sentinel incident trigger, then i'm not able to extract entities related to alerts, only incident releated entities. Final output is sent with HTTP post to our external system using logic app. Any ideas how to get in logic app all alerts with their entities?
Microsoft Defender for cloud and XDR integration
🚨 Need Help! 🚨 I’m currently facing a challenge with Microsoft Defender for Cloud. I’ve created sample alerts, but when I check in Microsoft Defender XDR, the alerts aren’t showing up. 😕 I’ve already checked all possible configurations, permissions, and integration settings but haven’t been able to pinpoint the cause. Has anyone experienced something similar? Any suggestions on additional things to check or troubleshooting steps that might help resolve this? I was following a Udemy instructor’s video tutorial from 2024, where it worked fine for him, but unfortunately, it didn’t work for me.
