Azure Automation Account Created
Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/08/18"
integration = ["azure"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management
tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain
persistence in their target's environment.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Automation Account Created"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Azure Automation Account Created

Azure Automation accounts facilitate the automation of management tasks and orchestration across cloud environments, enhancing operational efficiency. However, adversaries may exploit these accounts to establish persistence by automating malicious activities. The detection rule monitors the creation of these accounts by analyzing specific Azure activity logs, focusing on successful operations, to identify potential unauthorized or suspicious account creations.

### Possible investigation steps

- Review the Azure activity logs to confirm the creation of the Automation account by checking for the operation name "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and ensure the event outcome is marked as Success.
- Identify the user or service principal that initiated the creation of the Automation account by examining the associated user identity information in the activity logs.
- Investigate the context of the Automation account creation by reviewing recent activities performed by the identified user or service principal to determine if there are any other suspicious or unauthorized actions.
- Check the configuration and permissions of the newly created Automation account to ensure it does not have excessive privileges that could be exploited for persistence or lateral movement.
- Correlate the Automation account creation event with other security alerts or logs to identify any patterns or indicators of compromise that may suggest malicious intent.

### False positive analysis

- Routine administrative tasks may trigger the rule when legitimate users create Azure Automation accounts for operational purposes. To manage this, maintain a list of authorized personnel and their expected activities, and cross-reference alerts with this list.
- Automated deployment scripts or infrastructure-as-code tools might create automation accounts as part of their normal operation. Identify these scripts and exclude their associated activities from triggering alerts by using specific identifiers or tags.
- Scheduled maintenance or updates by cloud service providers could result in the creation of automation accounts. Verify the timing and context of the account creation against known maintenance schedules and exclude these from alerts if they match.
- Development and testing environments often involve frequent creation and deletion of resources, including automation accounts. Implement separate monitoring rules or environments for these non-production areas to reduce noise in alerts.

### Response and remediation

- Immediately review the Azure activity logs to confirm the creation of the Automation account and identify the user or service principal responsible for the action.
- Disable the newly created Azure Automation account to prevent any potential malicious automation tasks from executing.
- Conduct a thorough investigation of the user or service principal that created the account to determine if their credentials have been compromised or if they have acted maliciously.
- Reset credentials and enforce multi-factor authentication for the identified user or service principal to prevent unauthorized access.
- Review and adjust Azure role-based access control (RBAC) policies to ensure that only authorized personnel have the ability to create Automation accounts.
- Escalate the incident to the security operations team for further analysis and to determine if additional systems or accounts have been compromised.
- Implement enhanced monitoring and alerting for future Automation account creations to quickly detect and respond to similar threats.

## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
    "https://github.com/hausec/PowerZure",
    "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
    "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/",
]
risk_score = 21
rule_id = "df26fd74-1baa-4479-b42e-48da84642330"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
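To show what the rule's KQL query actually matches, and how the allow-listing the false-positive section recommends would be layered on top, here is an added example that is not part of the Elastic rule: it replays the query's three conditions over constructed activity-log events in the ECS field layout the query references. The `user.name` field used to identify the actor and the `sp-terraform-deploy` principal are assumptions for illustration.

```python
"""Added example (not Elastic's code): evaluate the Azure Automation Account
Created rule over constructed activity-log events and apply an allow-list."""

OPERATION = "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE"

# Constructed sample events shaped like azure.activitylogs documents.
# Only the fields the rule query references (plus an assumed user.name) are set.
SAMPLE_EVENTS = [
    {"event": {"dataset": "azure.activitylogs", "outcome": "Success"},
     "azure": {"activitylogs": {"operation_name": OPERATION}},
     "user": {"name": "alice@example.com"}},
    {"event": {"dataset": "azure.activitylogs", "outcome": "success"},
     "azure": {"activitylogs": {"operation_name": OPERATION}},
     "user": {"name": "sp-terraform-deploy"}},  # hypothetical IaC principal
    {"event": {"dataset": "azure.activitylogs", "outcome": "Failure"},
     "azure": {"activitylogs": {"operation_name": OPERATION}},
     "user": {"name": "bob@example.com"}},
    {"event": {"dataset": "azure.signinlogs", "outcome": "Success"},
     "azure": {"activitylogs": {"operation_name": OPERATION}},
     "user": {"name": "carol@example.com"}},
]


def get_field(event, dotted):
    """Resolve a dotted ECS path such as 'event.outcome'; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def rule_matches(event):
    """Mirror of the rule query: dataset, exact operation name, and an
    outcome of Success or success (the query lists both spellings)."""
    return (get_field(event, "event.dataset") == "azure.activitylogs"
            and get_field(event, "azure.activitylogs.operation_name") == OPERATION
            and get_field(event, "event.outcome") in ("Success", "success"))


def alerts(events, allowed_principals=frozenset()):
    """Matching events minus identities allow-listed per the false-positive
    guidance (for example an IaC deployment service principal)."""
    return [e for e in events
            if rule_matches(e)
            and get_field(e, "user.name") not in allowed_principals]


if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS, {"sp-terraform-deploy"}):
        print("ALERT:", get_field(e, "user.name"))  # alice@example.com only
```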
Related rules
- Azure AD Global Administrator Role Assigned
- Azure Global Administrator Role Addition to PIM User
- Azure Privilege Identity Management Role Modified
- Multi-Factor Authentication Disabled for an Azure User
- AWS IAM Create User via Assumed Role on EC2 Instance