Azure Automation Account Created

Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.

Elastic rule

[metadata]
creation_date = "2020/08/18"
integration = ["azure"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management
tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain
persistence in their target's environment.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Automation Account Created"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
    "https://github.com/hausec/PowerZure",
    "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
    "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/",
]
risk_score = 21
rule_id = "df26fd74-1baa-4479-b42e-48da84642330"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
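To make the rule's query concrete, here is an added Python example (written for this page, not code from Elastic or the detection-rules repository) that re-implements the three clauses of the KQL filter and runs them over a handful of constructed activity-log events. It resolves dotted field names against both flattened and nested document shapes, since the same Elasticsearch document can come back either way depending on the client. The sample events, including the non-matching operation name and dataset used as negatives, are constructed for the example; only the dataset, operation name and outcome values come from the rule itself.

```python
"""Offline re-implementation of the rule's KQL filter over constructed sample
Azure activity-log events (example code added for illustration; not part of
the Elastic rule or its repository)."""

from typing import Any, Iterable

# Values copied from the rule's query.
DATASET = "azure.activitylogs"
OPERATION = "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE"
# A KQL term match on a keyword field is case-sensitive, which is why the
# rule lists both spellings of the outcome.
OUTCOMES = {"Success", "success"}


def get_field(event: dict, path: str) -> Any:
    """Resolve a dotted field name against either a flattened document
    ({"event.outcome": ...}) or a nested one ({"event": {"outcome": ...}}).
    Returns None when the field is absent."""
    if path in event:
        return event[path]
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_rule(event: dict) -> bool:
    """True when the event satisfies every clause of the rule's query."""
    return (
        get_field(event, "event.dataset") == DATASET
        and get_field(event, "azure.activitylogs.operation_name") == OPERATION
        and get_field(event, "event.outcome") in OUTCOMES
    )


def run_rule(events: Iterable[dict]) -> list[dict]:
    """Return the events that would produce an alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; only the fields the query inspects are populated.
SAMPLE_EVENTS = [
    {   # nested form, successful Automation account write -> alert
        "event": {"dataset": "azure.activitylogs", "outcome": "success"},
        "azure": {"activitylogs": {"operation_name": OPERATION}},
    },
    {   # flattened form, capitalised outcome -> alert
        "event.dataset": "azure.activitylogs",
        "azure.activitylogs.operation_name": OPERATION,
        "event.outcome": "Success",
    },
    {   # failed write (for example, denied by RBAC) -> no alert
        "event": {"dataset": "azure.activitylogs", "outcome": "failure"},
        "azure": {"activitylogs": {"operation_name": OPERATION}},
    },
    {   # a different (constructed) operation on the same provider -> no alert
        "event": {"dataset": "azure.activitylogs", "outcome": "success"},
        "azure": {"activitylogs": {"operation_name": "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/DELETE"}},
    },
    {   # right operation name but wrong dataset -> no alert
        "event": {"dataset": "azure.auditlogs", "outcome": "success"},
        "azure": {"activitylogs": {"operation_name": OPERATION}},
    },
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running the script prints the two matching events. The failed write is the case worth noting when tuning: the rule deliberately ignores unsuccessful attempts, so a denied creation attempt is visible only if you add a separate, lower-noise rule or search for it during triage.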

Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
