Azure Automation Runbook Deleted
Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook for defense evasion.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/09/01"
integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to
disrupt their target's automated business operations or to remove a malicious runbook for defense evasion.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Automation Runbook Deleted"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
    "https://github.com/hausec/PowerZure",
    "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
    "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/",
]
risk_score = 21
rule_id = "8ddab73b-3d15-4e5d-9413-47f05553c1d7"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and
    azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE" and
    event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
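To make the rule's logic concrete, the following is an added example (not part of the Elastic rule or its repository) that re-implements the KQL query in Python and runs it over constructed events shaped like the Azure integration's activity-log documents. It applies the three query clauses, the rule's 25-minute lookback on event.ingested (timestamp_override), and shows which constructed events would alert and which would not; the event dicts, the "id" field and the timestamps are all made up for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Constants taken from the rule body above.
OPERATION = "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE"
LOOKBACK = timedelta(minutes=25)  # from = "now-25m"

def get_path(event, path):
    """Walk a dotted ECS field path through nested dicts; None if any key is missing."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def matches_rule(event, now):
    """Apply the rule's three KQL clauses, then its 25-minute window on
    event.ingested (the rule sets timestamp_override = "event.ingested")."""
    if get_path(event, "event.dataset") != "azure.activitylogs":
        return False
    if get_path(event, "azure.activitylogs.operation_name") != OPERATION:
        return False
    outcome = get_path(event, "event.outcome")
    if not isinstance(outcome, str) or outcome not in ("Success", "success"):
        return False  # the query accepts exactly these two spellings
    ingested = get_path(event, "event.ingested")
    if not isinstance(ingested, str):
        return False
    ts = datetime.fromisoformat(ingested.replace("Z", "+00:00"))
    return now - LOOKBACK <= ts <= now

def alerting_ids(events, now):
    """Return the constructed 'id' of every event that would raise an alert."""
    return [e["id"] for e in events if matches_rule(e, now)]

# Constructed sample events in the shape the Azure integration produces (not real logs).
NOW = datetime(2023, 6, 22, 12, 0, tzinfo=timezone.utc)
def sample_events():
    def ev(i, op, outcome, minutes_ago, dataset="azure.activitylogs"):
        ts = (NOW - timedelta(minutes=minutes_ago)).isoformat().replace("+00:00", "Z")
        return {"id": i, "event": {"dataset": dataset, "outcome": outcome, "ingested": ts},
                "azure": {"activitylogs": {"operation_name": op}}}
    return [
        ev("del-ok", OPERATION, "Success", 5),          # alerts
        ev("del-lower", OPERATION, "success", 10),      # alerts (lower-case outcome)
        ev("del-failed", OPERATION, "Failure", 3),      # no alert: delete did not succeed
        ev("write", OPERATION.replace("DELETE", "WRITE"), "Success", 2),  # different op
        ev("stale", OPERATION, "Success", 40),          # no alert: outside now-25m
    ]
ALERTS = alerting_ids(sample_events(), NOW)  # ['del-ok', 'del-lower']
```

Only the two successful delete operations inside the window alert; a failed delete, a runbook write, and a delete ingested outside the lookback are dropped, matching the rule's clauses.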
References
Related rules
- Azure Alert Suppression Rule Created or Modified
- Application Removed from Blocklist in Google Workspace
- Azure Application Credential Modification
- Azure Automation Runbook Created or Modified
- Azure Automation Webhook Created