Unexpected Azure API calls indicating Web App configuration modification

ID: azure_webapp_config_modified_anomaly
Data type: Azure Activity
Severity: Low - Medium
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected modification of an Azure Web App configuration via Microsoft.Web/sites/config/write or Microsoft.Web/sites/write. Adversaries may modify Web App configurations to weaken security controls, disable authentication, or enable less secure protocols. These changes can expose web applications to unauthorized access or man-in-the-middle attacks.

Impact

Web App configuration changes can weaken application security controls. Attackers may disable HTTPS-only mode to intercept traffic, downgrade TLS settings to enable cryptographic attacks, or alter authentication and access controls to gain or maintain unauthorized access. Such misconfigurations can expose sensitive application data and user credentials.

Severity

Severity   Condition
Low        Web App configuration modified
Medium     Anomalous Web App configuration change

Investigation and Remediation

Review Azure Activity logs for Microsoft.Web/sites/config/write and Microsoft.Web/sites/write events. Examine which configuration settings were changed and compare them against your security baselines. Verify whether the changes were authorized through change management processes.

If unauthorized, revert the Web App to its secure configuration. Review application logs for unauthorized access during the exposure window. Investigate the compromised identity for additional malicious activity.
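A worked illustration of the review step above, added here as an example and not part of the AlphaSOC rule or its implementation. It filters a batch of Azure Activity records down to the two write operations named in this detection, pulls the security-relevant settings out of each request body, and reports any deviation from a baseline (HTTPS-only, minimum TLS version, FTPS state). The record shape, the presence of the request body under properties.requestbody, the baseline values and all sample records are assumptions constructed for the example.

```python
import json
from typing import Any

# Write operations named in this detection.
WATCHED_OPERATIONS = {
    "Microsoft.Web/sites/write",
    "Microsoft.Web/sites/config/write",
}

# Hypothetical security baseline for this example; substitute your own standard.
SECURE_BASELINE = {
    "httpsOnly": True,        # site-level property (Microsoft.Web/sites)
    "minTlsVersion": "1.2",   # siteConfig property (Microsoft.Web/sites/config)
    "ftpsState": "Disabled",  # siteConfig property
}

# Ordering used to decide whether a minTlsVersion change is a downgrade.
TLS_ORDER = {"1.0": 0, "1.1": 1, "1.2": 2, "1.3": 3}

# Constructed sample records (not real log data). The field names and the
# request body under properties.requestbody are assumptions for this example.
SITE = "/subscriptions/<sub-id>/resourceGroups/rg-web/providers/Microsoft.Web/sites/app-prod"
SAMPLE_RECORDS = [
    {   # authorized, baseline-compliant config write
        "operationName": "Microsoft.Web/sites/config/write",
        "caller": "deploy-pipeline@example.invalid",
        "resourceId": SITE + "/config/web",
        "properties": {"requestbody": json.dumps(
            {"properties": {"minTlsVersion": "1.2", "ftpsState": "Disabled"}})},
    },
    {   # site write that turns off HTTPS-only and downgrades TLS
        "operationName": "Microsoft.Web/sites/write",
        "caller": "unknown-user@example.invalid",
        "resourceId": SITE,
        "properties": {"requestbody": json.dumps(
            {"properties": {"httpsOnly": False, "siteConfig": {"minTlsVersion": "1.0"}}})},
    },
    {   # unrelated operation, must be ignored
        "operationName": "Microsoft.Web/sites/restart/action",
        "caller": "deploy-pipeline@example.invalid",
        "resourceId": SITE,
        "properties": {},
    },
    {   # config write that re-enables plaintext FTP
        "operationName": "Microsoft.Web/sites/config/write",
        "caller": "unknown-user@example.invalid",
        "resourceId": SITE + "/config/web",
        "properties": {"requestbody": json.dumps(
            {"properties": {"ftpsState": "AllAllowed"}})},
    },
]


def extract_settings(record: dict) -> dict:
    """Flatten the baseline-relevant settings out of a write event's request body.

    sites/write carries httpsOnly directly under "properties" and siteConfig
    values nested under "properties.siteConfig"; sites/config/write carries the
    siteConfig values directly under "properties". Both layouts are merged here.
    """
    body = record.get("properties", {}).get("requestbody")
    if not body:
        return {}
    props = json.loads(body).get("properties", {})
    merged = dict(props)
    merged.update(props.get("siteConfig", {}))
    return {k: merged[k] for k in SECURE_BASELINE if k in merged}


def compare_to_baseline(settings: dict, baseline: dict = SECURE_BASELINE) -> list:
    """Return human-readable findings for every setting weaker than the baseline."""
    findings = []
    if "httpsOnly" in settings and settings["httpsOnly"] != baseline["httpsOnly"]:
        findings.append(f"httpsOnly set to {settings['httpsOnly']} (baseline {baseline['httpsOnly']})")
    tls = settings.get("minTlsVersion")
    # Unknown TLS strings rank as -1 so they are flagged rather than silently accepted.
    if tls is not None and TLS_ORDER.get(tls, -1) < TLS_ORDER[baseline["minTlsVersion"]]:
        findings.append(f"minTlsVersion downgraded to {tls} (baseline {baseline['minTlsVersion']})")
    ftps = settings.get("ftpsState")
    if ftps is not None and ftps != baseline["ftpsState"]:
        findings.append(f"ftpsState set to {ftps} (baseline {baseline['ftpsState']})")
    return findings


def review_activity_log(records: list, baseline: dict = SECURE_BASELINE) -> list:
    """Return one review entry per watched write event, with caller, resource and findings."""
    reviewed = []
    for rec in records:
        if rec.get("operationName") not in WATCHED_OPERATIONS:
            continue
        settings = extract_settings(rec)
        reviewed.append({
            "operation": rec["operationName"],
            "caller": rec.get("caller"),
            "resourceId": rec.get("resourceId"),
            "changed": settings,
            "findings": compare_to_baseline(settings, baseline),
        })
    return reviewed


if __name__ == "__main__":
    for entry in review_activity_log(SAMPLE_RECORDS):
        flag = "REVIEW" if entry["findings"] else "ok"
        print(f"[{flag}] {entry['operation']} by {entry['caller']} on {entry['resourceId']}")
        for finding in entry["findings"]:
            print("    -", finding)
```

Entries with an empty findings list are candidates for a quick change-management check; entries with findings identify the exact setting to revert and the caller identity to investigate further. The baseline comparison is deliberately conservative: an unrecognised minTlsVersion value is flagged rather than assumed safe.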