You dont have javascript enabled! Please enable it!

Azure Defender for App Service in Azure Security Center

6 Min. Read

During Microsoft Ignite in November 2021, Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. They’ve also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.

Azure App Service is a fully managed platform for building and hosting your web apps and APIs without worrying about having to manage the underlying infrastructure. It provides management, monitoring, and operational insights to meet enterprise-grade performance, security, and compliance requirements.

This article will share with you how to protect your Azure App Service web apps and APIs, Azure Defender (advanced threat protection) for App Service, providing an extra layer of security intelligence.


Azure Security Center gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two main value propositions:

1) Cloud Security Posture Management (CSPM) – Help you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS). CSPM in Security Center is available for free to all Azure users.

2) Cloud Workload Protection Platform (CWPP) – Protect against threats for servers whether they are running in Azure, on-premises, or different clouds such as Amazon AWS or Google GCP, in addition to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, as well as for SQL databases (PaaS/VM) and storage accounts. CWPP is part of the Azure Defender (formerly known as the Standard Tier plan in Azure Security Center).

Azure Defender is an evolution of the threat-protection technologies in Security Center, protecting Azure and hybrid environments. When you enable Azure Defender from the Pricing and settings area of Azure Security Center, the following Defender plans are all enabled simultaneously and provide comprehensive defenses for the compute, data, and service layers of your environment:

Azure Defender for App Service uses the scale of the cloud to identify attacks targeting applications running over App Service. Attackers probe web applications to find and exploit weaknesses. Before being routed to specific environments, requests to applications running in Azure go through several gateways, where they’re inspected and logged. This data is then used to identify exploits and attackers and learn new patterns that will be used later.

Azure Security Center is natively integrated with App Service, eliminating the need for deployment and on-boarding, so the integration is transparent.


To follow this article, you need to have the following:

1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.

2) Azure Security Center with Azure Defender enabled. Azure Defender for App Service is enabled per subscription under the Pricing & Settings page as shown in the figure below. At the time of this writing, the only option to enable Azure Defender for App Service is to enable it on the entire subscription. We hope Microsoft will provide in the future a new way to enable Azure Defender at the App Service plan level instead of the entire subscription similar to Azure Defender for Storage accounts and SQL. Please note there is no additional cost during the 30 days trial period. After that, the price is $15 for each instance per month. The billing is according to the total compute instances in all plans.

Enable Azure Defender for App Service Plan
Enable Azure Defender for App Service in Security Center

3) You need to have an App Service deployed with a supported App Service plan associated with dedicated compute and isolated tiers. The shared tier is not supported. Please note that all App Service plans are supported except Azure Functions on the consumption plan. Please refer to the official App Service pricing page – To create an App Service Plan, you can follow the instructions described here.

Simulate an App Service alert

To validate and simulate an alert for Azure App Service, you can take the following steps:

First, you need to have a Security admin role or you are a Subscription contributor. So as a user with this role, you can navigate to the Azure Security Center toolbar on the Security alerts page, then select Sample alerts as shown in the figure below.

Azure Security Center Sample alerts
Azure Security Center – Create Sample alerts

Next, select your desired Azure subscription, and then select the relevant Azure Defender plan(s) for which you want to see alerts. At the time of this writing, you can create a sample alert for Azure Key Vaults, Azure Kubernetes Services, Azure SQL Databases, Storage Accounts, and virtual machines. In this example, I will select the App Services plan as shown in the figure below. Finally, click Create sample alerts.

Create sample alerts (Preview)
Azure Security Center – Create Sample App Service alerts

At this point, you just need to wait for the advanced threat detection engine to kick in (which can take a little while, in my example, it took around 5 minutes to generate an alert).

Azure Defender for App Service alerts

Once the simulation takes place, you will see 4 new alerts with ‘High and Medium Severity‘ and one of them is classified as ‘Collection‘ based on MITRE ATT&CK® tactics will be generated in Security Center | Security alerts dashboard, similar to the one shown below:

Azure Security Center Alerts Page - Sample App Service alert
Azure Security Center Alerts Page

If you’ve already integrated Azure Security Center with Azure Monitor, you will also receive a notification based on the specified action group. In my example, I am using email notifications. You can find more details on how to integrate Azure Security Center with Azure Monitor here.

Alert Notification "Security Center - Security Alert Rule" raised
Azure Monitor – Email Alert Notification

If you’ve connected Azure Security Center to Azure Sentinel which I highly recommend as described in this article, then you can see the same alerts with all relevant data needed for investigation and response as shown in the figure below:

Azure Sentinel - Azure Defender sample for App Service
Azure Sentinel – Azure Defender sample for App Service

And if you are leveraging the Workflow automation feature in Azure Security Center with LogicApp to post a message on Microsoft Teams for example, then you will receive an alert in your Team channel, similar to the one below:

ASC New Alert: High - [SAMPLE ALERT] Dangling DNS record for an App Service resource detected
App Service Dangling DNS – Microsoft Team Channel New Alert
At the time of this writing, Azure Defender for App Service provides you 37 detection capabilities that are machine learning-based:

  1. An attempt to run Linux commands on a Windows App Service: (AppServices_LinuxCommandOnWindows)
  2. An IP that connected to your Azure App Service FTP Interface was found in Threat Intelligence: (AppServices_IncomingTiClientIpFtp)
  3. Attempt to run high privilege command detected: (AppServices_HighPrivilegeCommand)
  4. Azure Security Center test alert for App Service, not a threat: (AppServices_EICAR)
  5. Connection to the web page from anomalous IP address detected: (AppServices_AnomalousPageAccess)
  6. Dangling DNS record for an App Service resource detected: (AppServices_DanglingDomain)
  7. Detected encoded executable in command-line data: (AppServices_Base64EncodedExecutableInCommandLineParams)
  8. Detected file download from a known malicious source: (AppServices_SuspectDownload)
  9. Digital currency mining-related behavior detected: (AppServices_DigitalCurrencyMining)
  10. Executable decoded using certutil: (AppServices_ExecutableDecodedUsingCertutil)
  11. Fileless Attack Behavior Detected: (AppServices_FilelessAttackBehaviorDetection)
  12. Fileless Attack Technique Detected: (AppServices_FilelessAttackTechniqueDetection)
  13. Fileless Attack Toolkit Detected: (AppServices_FilelessAttackToolkitDetection)
  14. NMap scanning detected: (AppServices_Nmap)
  15. Phishing content hosted on Azure Webapps: (AppServices_PhishingContent)
  16. PHP file in upload folder: (AppServices_PhpInUploadFolder)
  17. Possible Cryptocoinminer download detected: (AppServices_CryptoCoinMinerDownload)
  18. Potential dangling DNS record for an App Service resource detected: (AppServices_PotentialDanglingDomain)
  19. Potential reverse shell detected: (AppServices_ReverseShell)
  20. Raw data download detected: (AppServices_DownloadCodeFromWebsite)
  21. Saving curl output to disk detected: (AppServices_CurlToDisk)
  22. Spam folder referrer detected: (AppServices_SpamReferrer)
  23. Suspicious access to possibly vulnerable web page detected: (AppServices_ScanSensitivePage)
  24. Suspicious domain name reference: (AppServices_CommandlineSuspectDomain)
  25. Suspicious download using Certutil detected: (AppServices_DownloadUsingCertutil)
  26. Suspicious PHP execution detected: (AppServices_SuspectPhp)
  27. Suspicious PowerShell cmdlets executed: (AppServices_PowerShellPowerSploitScriptExecution)
  28. Suspicious process executed: (AppServices_KnownCredential AccessTools)
  29. Suspicious process name detected: (AppServices_ProcessWithKnownSuspiciousExtension)
  30. Suspicious SVCHOST process executed: (AppServices_SVCHostFromInvalidPath)
  31. Suspicious User-Agent detected: (AppServices_UserAgentInjection)
  32. Suspicious WordPress theme invocation detected: (AppServices_WpThemeInjection)
  33. Vulnerability scanner detected: (AppServices_DrupalScanner)
  34. Vulnerability scanner detected: (AppServices_JoomlaScanner)
  35. Vulnerability scanner detected: (AppServices_WpScanner)
  36. Web fingerprinting detected: (AppServices_WebFingerprinting)
  37. Website is tagged as malicious in threat intelligence feed: (AppServices_SmartScreen)

Please check the details of all alerts mentioned above on the official Security Center alerts guide.

How Azure Defender for App Service works

With the App Service Plan enabled, Azure Security Center assesses the resources covered by your App Service plan and generates security recommendations based on its findings. Security Center protects the VM instance in which your App Service is running and the management interface. It also monitors requests and responses sent to and from your applications running in App Service.

If you’re running a Windows-based App Service plan, Azure Security Center also has access to the underlying sandboxes and VMs. Together with the log data gathered, the infrastructure can state what’s happening, from a new attack circulating in the wild to compromises in your environment. Therefore, even if Security Center is deployed after a web app has been exploited, it might be able to detect ongoing attacks.

Azure Defender monitors and detects many threats on your App Service resources. The alerts cover almost the complete list of MITRE ATT&CK tactics from pre-attack to command and control. Azure Defender for App Service can detect:

  • Pre-attack threats – Azure Defender can detect the execution of multiple types of vulnerability scanners that attackers frequently use to probe applications for weaknesses.
  • Initial access threatsMicrosoft Threat Intelligence powers these alerts that include triggering an alert when a known malicious IP address connects to your Azure App Service FTP interface.
  • Execution threats – Azure Defender can detect attempts to run high privilege commands, Linux commands on a Windows App Service, fileless attack behavior, digital currency mining tools, and many other suspicious and malicious code execution activities.


This article showed you how to protect and use Azure Defender (advanced threat protection) for App Service in Azure Security Center.

Security Center analyzes App Service internal logs to identify attack methodology on multiple targets. For example, the methodology includes widespread scanning and distributed attacks. This type of attack typically comes from a small subset of IPs and shows patterns of crawling to similar endpoints on multiple hosts. The attacks are searching for a vulnerable page or plugin and can’t be identified from the standpoint of a single host.

Additional resources I highly encourage you to check:

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Photo of author
About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect, Swiss Certified ICT Security Expert, Certified Cloud Security Professional (CCSP), Certified Information Security Manager (CISM), Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT). He has over 20 years of broad IT experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems with extensive practical knowledge of complex systems build, network design, business continuity, and cloud security.

Related Posts


Azure Defender for Key Vault in Azure Security Center

(Solution) VM Agent is unable to communicate with the Azure Backup Service for Linux VMs


Let me know what you think, or ask a question...

error: Alert: The content of this website is copyrighted from being plagiarized! You can copy from the \'Code Blocks\' in \'Black\' by selecting the Code. Thank You!