Azure Automation Runbook Deleted

Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook for defense evasion.

Elastic rule

[metadata]
creation_date = "2020/09/01"
integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to
disrupt their target's automated business operations or to remove a malicious runbook for defense evasion.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Automation Runbook Deleted"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
    "https://github.com/hausec/PowerZure",
    "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
    "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/",
]
risk_score = 21
rule_id = "8ddab73b-3d15-4e5d-9413-47f05553c1d7"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and
    azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE" and
    event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
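As an added illustration (not part of the Elastic rule or its repository), the Python below reproduces the query's matching logic together with the rule's 25-minute lookback judged on event.ingested, run over constructed sample activity-log documents. The nested ECS document shape and the non-delete operation name used as a negative case are assumptions.

```python
from datetime import datetime, timedelta, timezone

RULE_DATASET = "azure.activitylogs"
RULE_OPERATION = "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE"
RULE_OUTCOMES = {"Success", "success"}  # event.outcome:(Success or success)
LOOKBACK = timedelta(minutes=25)        # from = "now-25m"


def get_field(doc, dotted):
    """Resolve a KQL-style dotted field name against a nested ECS document."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_query(doc):
    """The rule's KQL predicate; keyword fields compare exactly and case-sensitively."""
    return (get_field(doc, "event.dataset") == RULE_DATASET
            and get_field(doc, "azure.activitylogs.operation_name") == RULE_OPERATION
            and get_field(doc, "event.outcome") in RULE_OUTCOMES)


def in_lookback(doc, now):
    """timestamp_override: the 25m window is judged on event.ingested, not @timestamp."""
    ingested = get_field(doc, "event.ingested")
    if ingested is None:
        return False
    ts = datetime.fromisoformat(ingested.replace("Z", "+00:00"))
    return now - LOOKBACK <= ts <= now


def run_rule(docs, now):
    """Return the documents that would raise an alert on a rule run at `now`."""
    return [d for d in docs if in_lookback(d, now) and matches_query(d)]


# Constructed sample documents (not real telemetry); only fields the rule reads are set.
NOW = datetime(2023, 6, 22, 12, 0, tzinfo=timezone.utc)
def _doc(outcome, ingested, operation=RULE_OPERATION):
    return {"event": {"dataset": RULE_DATASET, "outcome": outcome, "ingested": ingested},
            "azure": {"activitylogs": {"operation_name": operation}}}
SAMPLE_DOCS = [
    _doc("Success", "2023-06-22T11:50:00Z"),  # alerts
    _doc("Failure", "2023-06-22T11:51:00Z"),  # failed delete: no alert
    _doc("success", "2023-06-22T11:00:00Z"),  # matches the query but falls outside the window
    _doc("success", "2023-06-22T11:59:00Z", "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE"),  # other op (constructed)
]
```

Of the four constructed documents only the first alerts: a failed delete, a delete ingested before the window, and a non-delete operation are all dropped, which mirrors why the rule keys on a successful outcome and overrides the timestamp with event.ingested.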

Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
