Adversaries may attempt to evade detection by compromising or disabling AV scans in Azure App Services. SOC teams should proactively hunt for this behavior to identify potential malware persistence or exfiltration attempts that could bypass traditional security controls.
KQL Query

```kusto
let timeframe = ago(1d);
AppServiceAntivirusScanAuditLogs
// apply the lookback that was declared but never used
| where TimeGenerated >= timeframe
| where ScanStatus == "Failed"
| extend timestamp = TimeGenerated
```
Analytic rule definition

```yaml
id: c2da1106-bfe4-4a63-bf14-5ab73130ccd5
name: AppServices AV Scan Failure
description: |
  'Identifies if an AV scan fails in Azure App Services.'
severity: Informational
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 1
query: |
  let timeframe = ago(1d);
  AppServiceAntivirusScanAuditLogs
  | where TimeGenerated >= timeframe
  | where ScanStatus == "Failed"
  | extend timestamp = TimeGenerated
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: AzureID
        columnName: _ResourceId
version: 1.0.3
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: SecurityJedi
  support:
    tier: Community
  categories:
    domains: [ "Security - Others", "Platform" ]
```
| Sentinel Table | Notes |
|---|---|
| AuditLogs | Ensure this data connector is enabled |
- Scenario: Scheduled AV scan via Azure Security Center. Filter/Exclusion: AzureSecurityCenter or SecurityCenter in the source or process name.
- Scenario: Manual AV scan initiated by an admin using Azure CLI. Filter/Exclusion: azure-cli or az in the command line or process name.
- Scenario: Integration with third-party AV tools during deployment (e.g., Microsoft Defender for Cloud). Filter/Exclusion: MicrosoftDefenderForCloud or DefenderForCloud in the process or service name.
- Scenario: Automated health check or diagnostic job run by Azure App Service. Filter/Exclusion: AppServiceHealthCheck or AppServiceDiagnostic in the job name or process.
- Scenario: False positive from a misconfigured or outdated AV integration in the environment. Filter/Exclusion: OutdatedAVIntegration or LegacyAVTool in the system or process name.
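As an added example (not part of the original rule or the author's query), the hunt below applies the lookback, drops the benign scenarios listed above and summarises per App Service resource so that a host whose scans have stopped succeeding stands out from a single transient failure. The columns ErrorMessage and NumberOfInfectedFiles, the benign substring list and the threshold are assumptions to verify against the workspace schema.

```kusto
// Added example, not the original rule: tuned hunt over AppServiceAntivirusScanAuditLogs.
// Assumed columns: ErrorMessage (string), NumberOfInfectedFiles (long).
// The benign patterns mirror the tuning scenarios above and are illustrative only.
let timeframe = ago(1d);
let failure_threshold = 3;            // assumption: failures in the window before it is worth a look
let benign_patterns = dynamic([       // assumption: substrings that mark expected failures
    "AzureSecurityCenter", "SecurityCenter",
    "azure-cli", "MicrosoftDefenderForCloud", "DefenderForCloud",
    "AppServiceHealthCheck", "AppServiceDiagnostic"
]);
AppServiceAntivirusScanAuditLogs
| where TimeGenerated >= timeframe
| where not(ErrorMessage has_any (benign_patterns))
| summarize
    TotalScans     = count(),
    FailedScans    = countif(ScanStatus == "Failed"),
    // "anything but Failed" avoids assuming the exact success status value
    LastSuccessful = maxif(TimeGenerated, ScanStatus != "Failed"),
    LastFailure    = maxif(TimeGenerated, ScanStatus == "Failed"),
    InfectedFiles  = sum(NumberOfInfectedFiles),
    FailureReasons = make_set_if(ErrorMessage, ScanStatus == "Failed", 10)
    by _ResourceId
// Keep resources that have stopped scanning cleanly (every scan in the window failed,
// or failures exceed the threshold) or that reported infected files at any point.
| where FailedScans >= failure_threshold
    or (FailedScans > 0 and FailedScans == TotalScans)
    or InfectedFiles > 0
| project-reorder _ResourceId, FailedScans, TotalScans, InfectedFiles, LastSuccessful, LastFailure, FailureReasons
| order by FailedScans desc
```

_ResourceId is kept as the output key so the existing Host entity mapping still applies if this replaces the rule query.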