Review Web Application Root Cause and Exposure Window
Perform a web-app-specific post-incident review focused on the exploited weakness, the exposure window, and which telemetry would have shortened time-to-detect.
Actions
1. Reconstruct the full exploit path from reconnaissance through shell or code execution, including the first vulnerable request, post-exploitation access, and any lateral movement from the web tier.
2. Document the code, infrastructure, and deployment weaknesses that enabled exploitation: missing patches, insecure upload paths, weak secrets handling, or over-privileged service accounts.
3. Review WAF, load balancer, and web-server coverage to identify where visibility or blocking should have occurred but did not.
4. Define remediation tasks for application validation, deployment hardening, secret rotation, and web-shell detection coverage.
Queries
AzureDiagnostics | where TimeGenerated > ago(30d) | where ResourceType == "APPLICATIONGATEWAYS" and Category == "ApplicationGatewayFirewallLog" | summarize count(), first_seen=min(TimeGenerated), last_seen=max(TimeGenerated) by ruleId_s, action_s, clientIp_s, requestUri_s | sort by first_seen asc
index=web earliest=-30d (uri_query="*../*" OR uri_query="*union*select*" OR uri_query="*cmd=*" OR uri_path="*.php" OR uri_path="*.aspx") | stats count min(_time) as first_seen max(_time) as last_seen by uri_path, clientip | convert ctime(first_seen) ctime(last_seen) | sort first_seen
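The reconstruction the Actions above call for, and the first-seen/last-seen logic the queries produce, as an added example that is not part of the original playbook: a Python script that parses constructed combined-format access log lines (invented hosts, paths and timestamps, not from any real incident), classifies each request as exploit, web-shell or benign, and derives the exploit chain, the dwell time of the shell, the internal hosts it reached, and time-to-detect relative to a supplied detection timestamp. The site layout it assumes (nothing under `/uploads/` should be a server-side script) and the URL patterns it matches are assumptions for the example, not rules from the page.

```python
"""Reconstruct a web-tier exploit chain and exposure window from access logs."""
import re
from datetime import datetime, timezone
from urllib.parse import unquote_plus, urlsplit

# Constructed combined-format access log lines; hosts, paths and times are
# invented for this example and do not come from any real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2024:09:12:01 +0000] "GET /login.php HTTP/1.1" 200 1823 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2024:09:12:40 +0000] "GET /search.php?q=x%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 412 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2024:09:14:05 +0000] "GET /download.php?f=../../../../etc/passwd HTTP/1.1" 200 2051 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2024:09:16:22 +0000] "POST /upload.php HTTP/1.1" 200 98 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2024:09:16:30 +0000] "POST /uploads/avatar.php?cmd=id HTTP/1.1" 200 77 "-" "python-requests/2.31"
198.51.100.9 - - [03/Mar/2024:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Mar/2024:22:41:03 +0000] "POST /uploads/avatar.php?cmd=cat+/var/www/.env HTTP/1.1" 200 640 "-" "python-requests/2.31"
203.0.113.7 - - [05/Mar/2024:01:10:45 +0000] "POST /uploads/avatar.php?cmd=curl+http://10.0.0.12:9200/_cat/indices HTTP/1.1" 200 1300 "-" "python-requests/2.31"
"""
# Assumed detection time (e.g. when the EDR alert on the web host fired).
DETECTED_AT = datetime(2024, 3, 5, 3, 0, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed site layout: /uploads/ holds static files only, so a server-side
# script living there is treated as a planted web shell.
UPLOAD_DIR = "/uploads/"
SCRIPT_EXT = (".php", ".aspx", ".jsp", ".jspx")
SQLI_RE = re.compile(r"union\s+(all\s+)?select", re.I)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
PRIVATE_IP_RE = re.compile(
    r"\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)


def classify(path, decoded):
    """Label one request: 'webshell', 'exploit' or 'benign'."""
    if path.startswith(UPLOAD_DIR) and path.lower().endswith(SCRIPT_EXT):
        return "webshell"
    if SQLI_RE.search(decoded) or TRAVERSAL_RE.search(decoded):
        return "exploit"
    return "benign"


def parse(log_text):
    """Parse combined-format lines into dicts; match patterns on the decoded URL."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        decoded = unquote_plus(m["target"])  # %20/+ encoded payloads evade raw matching
        events.append({
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "ip": m["ip"], "method": m["method"], "path": path,
            "decoded": decoded, "status": int(m["status"]), "ua": m["ua"],
            "stage": classify(path, decoded),
        })
    return sorted(events, key=lambda e: e["ts"])


def reconstruct(log_text, detected_at, attacker_ip=None):
    """Build the exploit chain and exposure window for one attacker IP."""
    events = parse(log_text)
    suspicious = [e for e in events if e["stage"] != "benign"]
    if not suspicious:
        return None
    if attacker_ip is None:  # default to the client with the most suspicious requests
        attacker_ip = max({e["ip"] for e in suspicious},
                          key=lambda ip: sum(1 for e in suspicious if e["ip"] == ip))
    mine = [e for e in events if e["ip"] == attacker_ip]
    first_exploit = next((e for e in mine if e["stage"] == "exploit"), None)
    shell = [e for e in mine if e["stage"] == "webshell"]
    start = (first_exploit or next(e for e in mine if e["stage"] != "benign"))["ts"]
    # The request that most likely planted the shell: last POST outside the
    # upload directory before the shell was first invoked.
    planting = None
    if shell:
        planting = next((e for e in reversed(mine) if e["method"] == "POST"
                         and e["ts"] < shell[0]["ts"]
                         and not e["path"].startswith(UPLOAD_DIR)), None)
    lateral = sorted({m.group(0) for e in shell for m in PRIVATE_IP_RE.finditer(e["decoded"])})
    return {
        "attacker_ip": attacker_ip,
        "recon_requests": sum(1 for e in mine if e["ts"] < start),
        "first_vulnerable_request": (f'{first_exploit["method"]} {first_exploit["decoded"]}'
                                     if first_exploit else None),
        "exploit_started": start,
        "planting_candidate": f'{planting["method"]} {planting["path"]}' if planting else None,
        "shell_paths": sorted({e["path"] for e in shell}),
        "first_shell_hit": shell[0]["ts"] if shell else None,
        "last_shell_hit": shell[-1]["ts"] if shell else None,
        "shell_dwell_seconds": int((shell[-1]["ts"] - shell[0]["ts"]).total_seconds()) if shell else 0,
        "lateral_targets": lateral,
        "time_to_detect_hours": (detected_at - start).total_seconds() / 3600,
    }


def example_report():
    """Run the reconstruction over the constructed sample."""
    return reconstruct(SAMPLE_LOG, DETECTED_AT)


if __name__ == "__main__":
    for k, v in example_report().items():
        print(f"{k:26} {v}")
```

The report separates what each telemetry source could have shown: the first vulnerable request and the traversal are classic WAF rule hits (the gap to look for in the Application Gateway firewall log above), whereas the three shell invocations only stand out as a server-side script executing from an upload directory, which is a file-integrity or web-server-process-tree signal rather than a request-pattern one. The same first-seen/last-seen arithmetic is what the `min(_time)`/`max(_time)` in the Splunk query gives you per client and path.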
Notes
A web-app post-incident review is incomplete if it ends at the web shell. The team needs the full exploit chain (first vulnerable request, the request that planted the shell, every shell invocation, and any internal hosts reached from it) and the exposure window measured from that first vulnerable request to detection, not from when the shell was found.
The script-extension terms in the Splunk query (uri_path="*.php", uri_path="*.aspx") return every page on a PHP or ASP.NET site; scope them to directories that should never serve server-side code, such as upload or static-content paths, before reading the results.
Secret rotation should include deployment credentials, service principals, and any application secrets reachable from the compromised tier, including configuration files and environment variables the web server process could read.