Azure Automation Account Created

Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.

Elastic rule

[metadata]
creation_date = "2020/08/18"
integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management
tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain
persistence in their target's environment.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Automation Account Created"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
    "https://github.com/hausec/PowerZure",
    "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
    "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/",
]
risk_score = 21
rule_id = "df26fd74-1baa-4479-b42e-48da84642330"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
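The rule's KQL query, applied offline to newline-delimited activity log events, as an added Python example that is not part of the Elastic rule; the sample events are constructed, and the field paths are the ECS names the query itself references.

```python
import json

# Field values the rule's KQL query keys on (copied from the rule above).
DATASET = "azure.activitylogs"
OPERATION = "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE"
OUTCOMES = {"Success", "success"}   # event.outcome:(Success or success)

def matches_rule(event: dict) -> bool:
    """True when an ECS-style activity log event satisfies the rule's query."""
    dataset = event.get("event", {}).get("dataset")
    outcome = event.get("event", {}).get("outcome")
    operation = event.get("azure", {}).get("activitylogs", {}).get("operation_name")
    # Keyword comparisons in KQL are exact, which is why the rule lists both
    # outcome spellings instead of relying on case folding.
    return dataset == DATASET and operation == OPERATION and outcome in OUTCOMES

def find_hits(lines) -> list:
    """Parse newline-delimited JSON events and return those the rule matches."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue   # malformed line: skip it rather than abort the batch
        if isinstance(event, dict) and matches_rule(event):
            hits.append(event)
    return hits

# Constructed sample events (not real telemetry). Only the fields the rule
# references are populated, plus @timestamp for ordering.
SAMPLE_LINES = [
    # Successful account write: fires.
    '{"@timestamp":"2023-06-22T10:00:00Z","event":{"dataset":"azure.activitylogs","outcome":"Success"},'
    '"azure":{"activitylogs":{"operation_name":"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE"}}}',
    # Same operation but the request failed: does not fire.
    '{"@timestamp":"2023-06-22T10:01:00Z","event":{"dataset":"azure.activitylogs","outcome":"Failure"},'
    '"azure":{"activitylogs":{"operation_name":"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE"}}}',
    # Different operation on the same provider: does not fire.
    '{"@timestamp":"2023-06-22T10:02:00Z","event":{"dataset":"azure.activitylogs","outcome":"success"},'
    '"azure":{"activitylogs":{"operation_name":"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/DELETE"}}}',
    # Lower-case outcome from another pipeline: still fires.
    '{"@timestamp":"2023-06-22T10:03:00Z","event":{"dataset":"azure.activitylogs","outcome":"success"},'
    '"azure":{"activitylogs":{"operation_name":"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE"}}}',
    "not json at all",
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LINES):
        print(hit["@timestamp"], hit["azure"]["activitylogs"]["operation_name"])
```

Because the operation name is a resource write rather than a create-only event, updates to an existing Automation account produce the same operation name, so a hit is worth checking against whether the account already existed before treating it as a new one.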
