What Changed
The authentication requirement (authLevel) of HTTP triggers was changed from “anonymous” to “function” in 6 data connector solutions and 2 playbook function apps. The ZIP templates for the Zoom and Cofense connectors were updated to include the hardened configuration.
Security Impact (Visibility & Fidelity)
Deployments with anonymous authLevel exposed HTTP-triggered functions to unauthenticated internet traffic—any external caller could invoke these endpoints without credentials. This created a direct attack surface for:
- Data exfiltration via forced connector queries
- Resource exhaustion through function abuse
- Potential lateral movement if functions access internal APIs
Post-fix: all affected functions require a function key (passed as ?code=key in the request URL) to authenticate HTTP requests, eliminating the anonymous access vector.
Affected Solutions
- Zoom Data Connector: ZoomLogs function
- Zscaler Remediation Playbook: Authentication function
- FortiGate Playbooks: Function App webhooks (2 solutions)
- Cofense Intelligence: DownloadThreatReports function
- Illumio: OnPremHealthFunctionApp health check
- Infoblox: InfobloxDossierHttpStarter function
Affected Files
DataConnectors/Zoom/ZoomLogs/function.json
MasterPlaybooks/Remediation-URL/Zscaler-Remediation-URL/Authentication/azuredeploy.json
Playbooks/Fortinet-FortiGate/FunctionApp/azuredeploy.json
Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/DownloadThreatReports/function.json
Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Playbooks/FortinetFortigateFunctionApp/azuredeploy.json
Solutions/IllumioSaaS/Data Connectors/OnPremHealthFunctionApp/function.json
Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierHttpStarter/function.json
(packaging artefacts: CofenseIntelligenceDataConnector.zip, zoom_logs_template.zip, zoom_logs_templateV2.zip)
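To check a checkout or a deployed template set for the same setting, the added example below (not code from the repository) walks function.json and azuredeploy.json files and reports every httpTrigger binding whose authLevel is explicitly "anonymous". The sample documents are constructed, and the ARM sample assumes the bindings are embedded under a Microsoft.Web/sites/functions resource; a binding with no authLevel key is not flagged.

```python
import json
from pathlib import Path

def http_triggers(node, path="$"):
    """Yield (json_path, binding) for each httpTrigger binding anywhere in a JSON document."""
    if isinstance(node, dict):
        if str(node.get("type", "")).lower() == "httptrigger":
            yield path, node
        for key, value in node.items():
            yield from http_triggers(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from http_triggers(value, f"{path}[{i}]")

def anonymous_triggers(doc):
    """Return JSON paths of HTTP triggers whose authLevel is explicitly anonymous."""
    return [p for p, b in http_triggers(doc)
            if str(b.get("authLevel", "")).lower() == "anonymous"]

def scan_tree(root, names=("function.json", "azuredeploy.json")):
    """Map each matching file under root to the anonymous triggers it declares."""
    findings = {}
    for f in sorted(Path(root).rglob("*.json")):
        if f.name not in names:
            continue
        try:
            doc = json.loads(f.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or not plain JSON; review by hand
        hits = anonymous_triggers(doc)
        if hits:
            findings[str(f)] = hits
    return findings

# Constructed samples (assumptions for illustration, not copied from the repository).
def _binding(level):
    return {"type": "httpTrigger", "direction": "in", "name": "req",
            "authLevel": level, "methods": ["get", "post"]}

_OUT = {"type": "http", "direction": "out", "name": "$return"}
SAMPLE_BEFORE = {"bindings": [_binding("anonymous"), _OUT]}
SAMPLE_AFTER = {"bindings": [_binding("function"), _OUT]}
SAMPLE_ARM = {"resources": [{"type": "Microsoft.Web/sites/functions",
                             "properties": {"config": {"bindings": [_binding("Anonymous")]}}}]}

if __name__ == "__main__":
    import sys
    print(anonymous_triggers(SAMPLE_BEFORE), anonymous_triggers(SAMPLE_AFTER))
    for root in sys.argv[1:]:
        for path, hits in scan_tree(root).items():
            print(path, hits)
```

The ZIP packaging artefacts have to be unpacked before scanning, since the function.json files inside them are not visible to the directory walk.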