
Quick Start Security for Azure Functions

Azure Functions

Coralogix Extension For Azure Functions Includes:

Alerts - 6

Stay on top of Azure Functions key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

No Logs From Azure Function

This rule detects when no logs have been received from an Azure Function in the customer account during the last 12 hours. Note: this alert should be configured with the relevant application and subsystem.

Impact: Disabling logging is a tactic adversaries may employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation: Address the logging gap to ensure comprehensive monitoring within the Coralogix SIEM system.

MITRE Tactic: TA0005
MITRE Technique: T1562

Settings of a Azure Function Modified

This alert triggers when the version-specific settings of an Azure function are modified.

Impact: Modifying version-specific settings may result in compatibility issues with the code deployed in that specific version. Changes to environment variables, execution role permissions, or other settings can cause unexpected behavior if they are not aligned with the deployed code.

Mitigation: Validate that the user was authorized to perform the update and that the action was legitimate. If not, revert the change and investigate further.

MITRE Tactic: TA0042
MITRE Technique: T1584
MITRE Sub-Technique: 007

Function Modified by IAM User

This alert triggers when an IAM user modifies an Azure function.

Impact: An attacker might modify an Azure function in order to maintain persistence or exfiltrate data being processed at runtime within an Azure environment.

Mitigation: Validate that the IAM user was authorized to perform the modification and that the action was legitimate. If not, revert the change and investigate further.

MITRE Tactic: TA0042
MITRE Technique: T1584
MITRE Sub-Technique: 007

Function Was Deleted

This alert triggers when an Azure function is deleted. To delete a specific function version, use the Qualifier parameter. Otherwise, all versions and aliases are deleted.

Impact: Deleting an Azure function immediately stops any ongoing executions and prevents any further invocations. Ensure that no critical processes or dependencies rely on the function at the time of deletion.

Mitigation: Check whether the action was legitimate. If not, investigate further for malicious activity. Additionally, before deleting an Azure function, communicate with the relevant stakeholders and check whether any active processes might be affected. You can also set up alarms or notifications to warn you before important functions are deleted.

MITRE Tactic: TA0040
MITRE Technique: T1485

Function Was Created

This alert triggers when new Azure Functions are created, since new functions can be used to perform actions in the environment.

Impact: If a threat actor gains unauthorized access to your Azure account, they may create new Lambda functions for malicious purposes, such as running unauthorized code or executing denial-of-service (DoS) attacks.

Mitigation: Check that the action was legitimate and that the created function is not malicious. If not, investigate further.

MITRE Tactic: TA0042
MITRE Technique: T1584
MITRE Sub-Technique: 007

Resource based Policy Modified by IAM User

This alert triggers when an Azure function's resource-based policy is modified by an IAM user.

Impact: An attacker might modify an Azure function's resource-based policy in order to maintain persistence or to allow invocation of the function from an external account.

Mitigation: Validate that the IAM user was authorized to perform the modification and that the action was legitimate. If not, revert the change and investigate further.

MITRE Tactic: TA0042
MITRE Technique: T1584
MITRE Sub-Technique: 007

Integration

Learn more about Coralogix's out-of-the-box integration with Azure Functions in our documentation.
