Azure Automation Account Created
Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/08/18"
integration = ["azure"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management
tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain
persistence in their target's environment.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Automation Account Created"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
    "https://github.com/hausec/PowerZure",
    "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
    "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/",
]
risk_score = 21
rule_id = "df26fd74-1baa-4479-b42e-48da84642330"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
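To make the query's three clauses concrete, the following is an added example, not code from the Elastic rule or its repository: a small Python matcher that applies the same logic as the KQL query to a handful of constructed Azure activity log documents and reports which ones would raise the alert. It assumes documents are nested dicts keyed by the ECS-style field names used in the query, that azure.activitylogs.operation_name has already been normalized to the upper-case form the query spells out, and that keyword matches are exact (so the two outcome spellings the rule lists are the only ones that match). The sample events are constructed and are not real telemetry.

```python
"""Added example: a matcher mirroring the Elastic rule's KQL query.

Mirrors:
  event.dataset:azure.activitylogs
    and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE"
    and event.outcome:(Success or success)

Assumption (not from the page): documents are nested dicts and
operation_name is already upper-cased as in the query text.
"""
from typing import Any, Dict, List

# Values taken verbatim from the rule query.
DATASET = "azure.activitylogs"
OPERATION = "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE"
SUCCESS_OUTCOMES = {"Success", "success"}  # the query lists both spellings


def get_field(doc: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted field name (e.g. 'azure.activitylogs.operation_name')
    against a nested dict; return None if any segment is absent."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(doc: Dict[str, Any]) -> bool:
    """True when every clause of the rule query holds for the document.
    Matches are exact and case-sensitive here, which is why the query itself
    enumerates both 'Success' and 'success' rather than relying on folding."""
    return (
        get_field(doc, "event.dataset") == DATASET
        and get_field(doc, "azure.activitylogs.operation_name") == OPERATION
        and get_field(doc, "event.outcome") in SUCCESS_OUTCOMES
    )


def find_alerts(events: List[Dict[str, Any]]) -> List[int]:
    """Return the indexes of the documents the rule would alert on."""
    return [i for i, doc in enumerate(events) if matches_rule(doc)]


# Constructed sample documents (not real Azure telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # 0: successful Automation account write -> alert
        "event": {"dataset": "azure.activitylogs", "outcome": "Success"},
        "azure": {"activitylogs": {"operation_name": OPERATION}},
    },
    {   # 1: same operation but it failed -> no alert (outcome clause)
        "event": {"dataset": "azure.activitylogs", "outcome": "Failure"},
        "azure": {"activitylogs": {"operation_name": OPERATION}},
    },
    {   # 2: unrelated successful write -> no alert (operation clause)
        "event": {"dataset": "azure.activitylogs", "outcome": "success"},
        "azure": {"activitylogs": {"operation_name": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"}},
    },
    {   # 3: right operation, wrong dataset -> no alert (dataset clause)
        "event": {"dataset": "azure.auditlogs", "outcome": "success"},
        "azure": {"activitylogs": {"operation_name": OPERATION}},
    },
    {   # 4: outcome spelled in a form the query does not list -> no alert
        "event": {"dataset": "azure.activitylogs", "outcome": "SUCCESS"},
        "azure": {"activitylogs": {"operation_name": OPERATION}},
    },
    {   # 5: lower-case 'success' spelling, which the query does list -> alert
        "event": {"dataset": "azure.activitylogs", "outcome": "success"},
        "azure": {"activitylogs": {"operation_name": OPERATION}},
    },
]


if __name__ == "__main__":
    for idx in find_alerts(SAMPLE_EVENTS):
        print(f"alert: document {idx} matches 'Azure Automation Account Created'")
```

Documents 1 through 4 each break exactly one clause, so running the script shows why a failed creation attempt, a different resource type, a different log dataset, or an outcome string the query does not enumerate all stay silent while documents 0 and 5 alert. When tuning the rule in a real environment, check how your ingest pipeline casts event.outcome and operation_name before relying on these exact-match assumptions.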
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Related rules
- Azure AD Global Administrator Role Assigned
- Azure Global Administrator Role Addition to PIM User
- Azure Privilege Identity Management Role Modified
- Multi-Factor Authentication Disabled for an Azure User
- AWS IAM Group Creation