Azure Automation Account Created
Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.
Elastic rule
[metadata]
creation_date = "2020/08/18"
integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management
tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain
persistence in their target's environment.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Automation Account Created"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
    "https://github.com/hausec/PowerZure",
    "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
    "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/",
]
risk_score = 21
rule_id = "df26fd74-1baa-4479-b42e-48da84642330"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
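To check what the rule's three KQL clauses will and will not fire on before deploying it, here is an added Python re-implementation of the query run over constructed Filebeat-style documents (example code added here, not part of the Elastic rule or the Azure integration). It assumes the resource ID lives in azure.resource.id in the standard Azure resource-ID format; all sample events are constructed. Note that the query matches event.outcome exactly, which is why the rule lists both "Success" and "success", and that a runbook write under the account does not match the account-level operation name.

```python
# Values copied from the rule's KQL query.
RULE_DATASET = "azure.activitylogs"
RULE_OPERATION = "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE"
RULE_OUTCOMES = {"Success", "success"}  # exact match on either spelling, as in the query


def get_path(doc, dotted):
    """Resolve a dotted ECS field name such as 'azure.activitylogs.operation_name'."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches_rule(doc):
    """True when a single ingested document satisfies all three clauses of the rule."""
    return (get_path(doc, "event.dataset") == RULE_DATASET
            and get_path(doc, "azure.activitylogs.operation_name") == RULE_OPERATION
            and get_path(doc, "event.outcome") in RULE_OUTCOMES)


def account_name(doc):
    """Pull the Automation account name out of the Azure resource ID for triage.
    Assumes the ID is in azure.resource.id (an assumption about the field name)."""
    parts = (get_path(doc, "azure.resource.id") or "").split("/")
    for i, seg in enumerate(parts):
        if seg.lower() == "automationaccounts" and i + 1 < len(parts):
            return parts[i + 1]
    return None


def make_doc(operation, outcome, account):
    """Constructed sample document in the shape the Azure activity-log module emits."""
    rid = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ops"
           "/providers/Microsoft.Automation/automationAccounts/" + account)
    return {"event": {"dataset": RULE_DATASET, "outcome": outcome},
            "azure": {"activitylogs": {"operation_name": operation}, "resource": {"id": rid}}}


SAMPLE_DOCS = [  # constructed, not real telemetry
    make_doc(RULE_OPERATION, "Success", "ops-automation"),   # new account: should fire
    make_doc(RULE_OPERATION, "Failure", "ops-automation"),   # denied attempt: no hit
    make_doc("MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE", "Success", "ops-automation"),  # runbook, not account
    make_doc(RULE_OPERATION, "success", "backup-jobs"),      # lowercase outcome still fires
]


def run_rule(docs):
    """Return the account names from every document the rule would alert on, in order."""
    return [account_name(d) for d in docs if matches_rule(d)]
```

Running `run_rule(SAMPLE_DOCS)` yields the two created accounts and skips the failed attempt and the runbook write.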
Related rules
- Azure AD Global Administrator Role Assigned
- Azure Global Administrator Role Addition to PIM User
- Azure Privilege Identity Management Role Modified
- Multi-Factor Authentication Disabled for an Azure User
- Azure Active Directory High Risk Sign-in