Azure Defender for App Service in Azure Security Center

During Microsoft Ignite in November 2021, Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. They’ve also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.

Azure App Service is a fully managed platform for building and hosting your web apps and APIs without worrying about having to manage the underlying infrastructure. It provides management, monitoring, and operational insights to meet enterprise-grade performance, security, and compliance requirements.

This article will share with you how to protect your Azure App Service web apps and APIs, Azure Defender (advanced threat protection) for App Service, providing an extra layer of security intelligence.

Introduction

Azure Security Center gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two main value propositions:

1) Cloud Security Posture Management (CSPM) – Help you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS). CSPM in Security Center is available for free to all Azure users.

2) Cloud Workload Protection Platform (CWPP) – Protect against threats for servers whether they are running in Azure, on-premises, or different clouds such as Amazon AWS or Google GCP, in addition to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, as well as for SQL databases (PaaS/VM) and storage accounts. CWPP is part of the Azure Defender (formerly known as the Standard Tier plan in Azure Security Center).

Azure Defender is an evolution of the threat-protection technologies in Security Center, protecting Azure and hybrid environments. When you enable Azure Defender from the Pricing and settings area of Azure Security Center, the following Defender plans are all enabled simultaneously and provide comprehensive defenses for the compute, data, and service layers of your environment:

• Azure Defender for Servers
• Azure Defender for App Service
• Azure Defender for Storage
• Azure Defender for SQL
• Azure Defender for Kubernetes
• Azure Defender for container registries
• Azure Defender for Key Vault
• Azure Defender for Azure DNS
• Azure Defender for Resource Manager

Azure Defender for App Service uses the scale of the cloud to identify attacks targeting applications running over App Service. Attackers probe web applications to find and exploit weaknesses. Before being routed to specific environments, requests to applications running in Azure go through several gateways, where they’re inspected and logged. This data is then used to identify exploits and attackers and learn new patterns that will be used later.

Azure Security Center is natively integrated with App Service, eliminating the need for deployment and on-boarding, so the integration is transparent.

Prerequisites

To follow this article, you need to have the following:

1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.

2) Azure Security Center with Azure Defender enabled. Azure Defender for App Service is enabled per subscription under the Pricing & Settings page as shown in the figure below. At the time of this writing, the only option to enable Azure Defender for App Service is to enable it on the entire subscription. We hope Microsoft will provide in the future a new way to enable Azure Defender at the App Service plan level instead of the entire subscription similar to Azure Defender for Storage accounts and SQL. Please note there is no additional cost during the 30 days trial period. After that, the price is $15 for each instance per month. The billing is according to the total compute instances in all plans.

3) You need to have an App Service deployed with a supported App Service plan associated with dedicated compute and isolated tiers. The shared tier is not supported. Please note that all App Service plans are supported except Azure Functions on the consumption plan. Please refer to the official App Service pricing page – To create an App Service Plan, you can follow the instructions described here.

Simulate an App Service alert

To validate and simulate an alert for Azure App Service, you can take the following steps:

First, you need to have a Security admin role or you are a Subscription contributor. So as a user with this role, you can navigate to the Azure Security Center toolbar on the Security alerts page, then select Sample alerts as shown in the figure below.

Next, select your desired Azure subscription, and then select the relevant Azure Defender plan(s) for which you want to see alerts. At the time of this writing, you can create a sample alert for Azure Key Vaults, Azure Kubernetes Services, Azure SQL Databases, Storage Accounts, and virtual machines. In this example, I will select the App Services plan as shown in the figure below. Finally, click Create sample alerts.

At this point, you just need to wait for the advanced threat detection engine to kick in (which can take a little while, in my example, it took around 5 minutes to generate an alert).

Azure Defender for App Service alerts

Once the simulation takes place, you will see 4 new alerts with ‘High and Medium Severity‘ and one of them is classified as ‘Collection‘ based on MITRE ATT&CK® tactics will be generated in Security Center | Security alerts dashboard, similar to the one shown below:

If you’ve already integrated Azure Security Center with Azure Monitor, you will also receive a notification based on the specified action group. In my example, I am using email notifications. You can find more details on how to integrate Azure Security Center with Azure Monitor here.

If you’ve connected Azure Security Center to Azure Sentinel which I highly recommend as described in this article, then you can see the same alerts with all relevant data needed for investigation and response as shown in the figure below:

And if you are leveraging the Workflow automation feature in Azure Security Center with LogicApp to post a message on Microsoft Teams for example, then you will receive an alert in your Team channel, similar to the one below:

1. An attempt to run Linux commands on a Windows App Service: (AppServices_LinuxCommandOnWindows)
2. An IP that connected to your Azure App Service FTP Interface was found in Threat Intelligence: (AppServices_IncomingTiClientIpFtp)
3. Attempt to run high privilege command detected: (AppServices_HighPrivilegeCommand)
4. Azure Security Center test alert for App Service, not a threat: (AppServices_EICAR)
5. Connection to the web page from anomalous IP address detected: (AppServices_AnomalousPageAccess)
6. Dangling DNS record for an App Service resource detected: (AppServices_DanglingDomain)
7. Detected encoded executable in command-line data: (AppServices_Base64EncodedExecutableInCommandLineParams)
8. Detected file download from a known malicious source: (AppServices_SuspectDownload)
9. Digital currency mining-related behavior detected: (AppServices_DigitalCurrencyMining)
10. Executable decoded using certutil: (AppServices_ExecutableDecodedUsingCertutil)
11. Fileless Attack Behavior Detected: (AppServices_FilelessAttackBehaviorDetection)
12. Fileless Attack Technique Detected: (AppServices_FilelessAttackTechniqueDetection)
13. Fileless Attack Toolkit Detected: (AppServices_FilelessAttackToolkitDetection)
14. NMap scanning detected: (AppServices_Nmap)
15. Phishing content hosted on Azure Webapps: (AppServices_PhishingContent)
16. PHP file in upload folder: (AppServices_PhpInUploadFolder)
17. Possible Cryptocoinminer download detected: (AppServices_CryptoCoinMinerDownload)
18. Potential dangling DNS record for an App Service resource detected: (AppServices_PotentialDanglingDomain)
19. Potential reverse shell detected: (AppServices_ReverseShell)
20. Raw data download detected: (AppServices_DownloadCodeFromWebsite)
21. Saving curl output to disk detected: (AppServices_CurlToDisk)
22. Spam folder referrer detected: (AppServices_SpamReferrer)
23. Suspicious access to possibly vulnerable web page detected: (AppServices_ScanSensitivePage)
24. Suspicious domain name reference: (AppServices_CommandlineSuspectDomain)
25. Suspicious download using Certutil detected: (AppServices_DownloadUsingCertutil)
26. Suspicious PHP execution detected: (AppServices_SuspectPhp)
27. Suspicious PowerShell cmdlets executed: (AppServices_PowerShellPowerSploitScriptExecution)
28. Suspicious process executed: (AppServices_KnownCredential AccessTools)
29. Suspicious process name detected: (AppServices_ProcessWithKnownSuspiciousExtension)
30. Suspicious SVCHOST process executed: (AppServices_SVCHostFromInvalidPath)
31. Suspicious User-Agent detected: (AppServices_UserAgentInjection)
32. Suspicious WordPress theme invocation detected: (AppServices_WpThemeInjection)
33. Vulnerability scanner detected: (AppServices_DrupalScanner)
34. Vulnerability scanner detected: (AppServices_JoomlaScanner)
35. Vulnerability scanner detected: (AppServices_WpScanner)
36. Web fingerprinting detected: (AppServices_WebFingerprinting)
37. Website is tagged as malicious in threat intelligence feed: (AppServices_SmartScreen)

Please check the details of all alerts mentioned above on the official Security Center alerts guide.

How Azure Defender for App Service works

With the App Service Plan enabled, Azure Security Center assesses the resources covered by your App Service plan and generates security recommendations based on its findings. Security Center protects the VM instance in which your App Service is running and the management interface. It also monitors requests and responses sent to and from your applications running in App Service.

If you’re running a Windows-based App Service plan, Azure Security Center also has access to the underlying sandboxes and VMs. Together with the log data gathered, the infrastructure can state what’s happening, from a new attack circulating in the wild to compromises in your environment. Therefore, even if Security Center is deployed after a web app has been exploited, it might be able to detect ongoing attacks.

Azure Defender monitors and detects many threats on your App Service resources. The alerts cover almost the complete list of MITRE ATT&CK tactics from pre-attack to command and control. Azure Defender for App Service can detect:

• Pre-attack threats – Azure Defender can detect the execution of multiple types of vulnerability scanners that attackers frequently use to probe applications for weaknesses.
• Initial access threats – Microsoft Threat Intelligence powers these alerts that include triggering an alert when a known malicious IP address connects to your Azure App Service FTP interface.
• Execution threats – Azure Defender can detect attempts to run high privilege commands, Linux commands on a Windows App Service, fileless attack behavior, digital currency mining tools, and many other suspicious and malicious code execution activities.

Summary

This article showed you how to protect and use Azure Defender (advanced threat protection) for App Service in Azure Security Center.

Security Center analyzes App Service internal logs to identify attack methodology on multiple targets. For example, the methodology includes widespread scanning and distributed attacks. This type of attack typically comes from a small subset of IPs and shows patterns of crawling to similar endpoints on multiple hosts. The attacks are searching for a vulnerable page or plugin and can’t be identified from the standpoint of a single host.

Additional resources I highly encourage you to check:

• Workflow automation in Azure Security Center to automate your security operations.
• Learn more about how to integrate Azure Security Center with Azure Monitor Alerts.
• Learn more about how to integrate Azure Security Center with Azure Sentinel cloud-native (SIEM).
• Learn more about Azure Security Center, check the official documentation from Microsoft.

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-