Azure Automation Runbook Deleted
Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook for defense evasion.
Elastic rule
[metadata]
creation_date = "2020/09/01"
integration = ["azure"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to
disrupt their target's automated business operations or to remove a malicious runbook for defense evasion.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Automation Runbook Deleted"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
  "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
  "https://github.com/hausec/PowerZure",
  "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
  "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/",
]
risk_score = 21
rule_id = "8ddab73b-3d15-4e5d-9413-47f05553c1d7"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and
  azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE" and
  event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
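To make the query's match conditions concrete, here is an added Python example that is not part of the Elastic rule or the Detection Rules repository. It applies the same three ANDed conditions from the KQL query, plus the `from = "now-25m"` window measured against `event.ingested` (the rule's `timestamp_override`), to a handful of constructed activity-log events. The runbook, principal and timestamp values in those events are made up for the illustration; only the dataset name, operation name and outcome values are taken from the rule.

```python
"""Added example (not the Elastic rule's own code): evaluate the rule's query
logic and lookback window against constructed Azure activity-log events."""
from datetime import datetime, timedelta, timezone

# Values copied from the rule query and its `from` setting.
DATASET = "azure.activitylogs"
OPERATION = "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE"
OUTCOMES = {"Success", "success"}   # the query lists both spellings explicitly
LOOKBACK = timedelta(minutes=25)    # from = "now-25m"


def get_field(event, path):
    """Resolve an ECS dotted path in either flat ("a.b.c" keys) or nested form.
    Documents arrive either way depending on the shipper and ingest pipeline."""
    if path in event:
        return event[path]
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_query(event):
    """The three ANDed conditions of the rule's KQL query. On a keyword field a
    KQL comparison is exact and case-sensitive, which is why the rule spells
    out both 'Success' and 'success' rather than relying on normalisation."""
    return (
        get_field(event, "event.dataset") == DATASET
        and get_field(event, "azure.activitylogs.operation_name") == OPERATION
        and get_field(event, "event.outcome") in OUTCOMES
    )


def in_lookback(event, now):
    """Emulate from = "now-25m" with timestamp_override = "event.ingested":
    the window is measured against ingestion time (falling back to @timestamp),
    so an activity-log entry that Azure delivered late is still picked up by
    the next rule run instead of silently falling outside the window."""
    stamp = get_field(event, "event.ingested") or get_field(event, "@timestamp")
    when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return now - LOOKBACK <= when <= now


def alerts(events, now):
    """Return the events the rule would alert on for a run at `now`."""
    return [e for e in events if in_lookback(e, now) and matches_query(e)]


# Constructed sample events (hypothetical runbook, principal and timestamps).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {   # 1: successful delete ingested 5 minutes ago -> alert
        "@timestamp": "2024-06-01T11:54:00Z", "event.ingested": "2024-06-01T11:55:00Z",
        "event.dataset": DATASET, "event.outcome": "success",
        "azure.activitylogs.operation_name": OPERATION,
        "azure.activitylogs.identity.claims.name": "attacker@example.com",
        "azure.resource.name": "Nightly-Backup-Runbook",
    },
    {   # 2: same operation in nested ECS form, outcome capitalised -> alert
        "@timestamp": "2024-06-01T11:50:00Z",
        "event": {"dataset": DATASET, "outcome": "Success", "ingested": "2024-06-01T11:58:00Z"},
        "azure": {"activitylogs": {"operation_name": OPERATION}},
    },
    {   # 3: delete attempt that failed (e.g. RBAC denied) -> no alert
        "@timestamp": "2024-06-01T11:56:00Z", "event.ingested": "2024-06-01T11:57:00Z",
        "event.dataset": DATASET, "event.outcome": "Failure",
        "azure.activitylogs.operation_name": OPERATION,
    },
    {   # 4: runbook create/modify, covered by the sibling rule -> no alert
        "@timestamp": "2024-06-01T11:56:00Z", "event.ingested": "2024-06-01T11:57:00Z",
        "event.dataset": DATASET, "event.outcome": "success",
        "azure.activitylogs.operation_name": "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE",
    },
    {   # 5: genuine delete two hours ago, ingested promptly -> outside the window
        "@timestamp": "2024-06-01T09:50:00Z", "event.ingested": "2024-06-01T09:51:00Z",
        "event.dataset": DATASET, "event.outcome": "success",
        "azure.activitylogs.operation_name": OPERATION,
    },
    {   # 6: delete two hours ago that Azure delivered late, ingested 1 min ago -> alert
        "@timestamp": "2024-06-01T09:50:00Z", "event.ingested": "2024-06-01T11:59:00Z",
        "event.dataset": DATASET, "event.outcome": "success",
        "azure.activitylogs.operation_name": OPERATION,
    },
]

if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS, NOW):
        print("ALERT:", get_field(e, "azure.activitylogs.operation_name"),
              get_field(e, "event.outcome"), "ingested", get_field(e, "event.ingested"))
```

Two behaviours worth noticing in the sample set: the failed delete (event 3) never alerts, because the rule deliberately requires a successful outcome, so denied attempts need a separate rule if you want to see them; and event 6 shows why `timestamp_override = "event.ingested"` matters, since its `@timestamp` is well outside the 25-minute window but its late ingestion still lands it in the current run.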
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
- https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor
- https://github.com/hausec/PowerZure
- https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a
- https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/
Related rules
- Azure Alert Suppression Rule Created or Modified
- Azure Application Credential Modification
- Azure Automation Runbook Created or Modified
- Azure Automation Webhook Created
- Azure Blob Permissions Modification