Azure Logic App Token
Service Name: Microsoft Azure Logic Apps
Service Description: Azure Logic Apps is a cloud service that helps you schedule, automate, and orchestrate tasks, business processes, and workflows when you need to integrate apps, data, systems, and services across enterprises or organizations.
Service Address: https://azure.microsoft.com/en-us/services/logic-apps/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the Logic App level using Azure networking features and access control policies.
Secret Access Scope: Grants access to trigger or manage specific Logic App workflows and their connected services.
Secret Revokement URL: https://portal.azure.com/ (Navigate to the specific Logic App > Access control > Shared Access Signatures)
Secret Example: SharedAccessSignature sr=https%3A%2F%2Flogicapp.azure.com%2Fworkflows%2F12345&sig=abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH%3D&se=1672531199&sp=rwl
Suspicious Activity Investigation Instructions:
- Review Azure Activity Logs for unusual Logic App executions or modifications
- Check for unexpected workflow triggers or runs in the Logic App run history
- Monitor for unauthorized connections to external services or APIs
- Examine IP addresses that accessed the Logic App in Azure diagnostic logs
- Look for changes to Logic App workflow definitions or connections
Mitigation Instructions:
- Navigate to the Azure Portal and locate the affected Logic App
- Go to the Logic App's "Shared Access Signatures" section
- Revoke the compromised SAS token by regenerating new keys
- Update any legitimate applications using the old token with the new one
- Consider implementing more restrictive IP filtering for Logic App access
- Enable Azure Defender for additional security monitoring
- Review and minimize the permissions assigned to the Logic App's managed identity.
- Implement Azure RBAC (Role-Based Access Control) with the Principle of Least Privilege.