Azure Automation Runbook Created or Modified
Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.
Elastic rule
```toml
[metadata]
creation_date = "2020/08/18"
integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
Automation runbook to execute malicious code and maintain persistence in their target's environment.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Automation Runbook Created or Modified"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
    "https://github.com/hausec/PowerZure",
    "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
    "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/",
]
risk_score = 21
rule_id = "16280f1e-57e6-4242-aa21-bb4d16f13b2f"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and
  azure.activitylogs.operation_name:
    (
      "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE" or
      "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE" or
      "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION"
    ) and
  event.outcome:(Success or success)
'''
```
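To see exactly which events the query above fires on, here is the rule's KQL predicate re-implemented in Python and run over a handful of constructed Azure activity-log documents. This is an added example, not code from the Elastic rule or the Azure integration. The sample documents are constructed, and the `azure.resource.id` and `azure.activitylogs.identity.claims_initiated_by_user.name` fields used only for the triage summary are assumed integration fields that the rule itself does not reference. The matching is deliberately exact-case, because KQL term matches on keyword fields are exact: that is why the rule lists both `Success` and `success`, and why an operation name that reaches the index in mixed case would not match.

```python
"""Added example (not part of the Elastic rule): the rule's KQL predicate in
Python, run over constructed Azure activity-log documents."""
import json
from typing import Iterable, List

# Operation names listed in the rule query.
RUNBOOK_OPS = frozenset({
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE",
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE",
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION",
})
# The two spellings of event.outcome the query accepts. KQL term matches on
# keyword fields are exact, which is why the rule lists both.
OUTCOMES = frozenset({"Success", "success"})


def get_field(doc: dict, dotted: str):
    """Resolve a dotted ECS path in a nested document or as a flattened key."""
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(doc: dict) -> bool:
    """Equivalent of the rule query: right dataset AND a runbook write/publish
    operation AND a successful outcome, all matched exact-case like KQL."""
    return (
        get_field(doc, "event.dataset") == "azure.activitylogs"
        and get_field(doc, "azure.activitylogs.operation_name") in RUNBOOK_OPS
        and get_field(doc, "event.outcome") in OUTCOMES
    )


def find_hits(ndjson_lines: Iterable[str]) -> List[dict]:
    """Parse NDJSON documents and return a triage summary for each rule hit."""
    hits = []
    for line in ndjson_lines:
        if not line.strip():
            continue
        doc = json.loads(line)
        if matches_rule(doc):
            hits.append({
                "timestamp": get_field(doc, "@timestamp"),
                "operation": get_field(doc, "azure.activitylogs.operation_name"),
                # Assumed integration fields for triage context; the rule
                # itself does not reference them.
                "resource": get_field(doc, "azure.resource.id"),
                "actor": get_field(doc, "azure.activitylogs.identity.claims_initiated_by_user.name"),
            })
    return hits


def _event(ts, dataset, op, outcome, runbook, actor="contractor@example.com"):
    """Build one constructed activity-log document as an NDJSON line."""
    rid = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "rg-ops/providers/Microsoft.Automation/automationAccounts/aa-prod/runbooks/" + runbook)
    return json.dumps({
        "@timestamp": ts,
        "event": {"dataset": dataset, "outcome": outcome},
        "azure": {
            "activitylogs": {
                "operation_name": op,
                "identity": {"claims_initiated_by_user": {"name": actor}},
            },
            "resource": {"id": rid},
        },
    })


# Constructed sample log: two true positives, then four non-matching events.
SAMPLE_NDJSON = "\n".join([
    _event("2023-06-22T10:00:00Z", "azure.activitylogs",
           "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE", "Success", "Backdoor"),
    _event("2023-06-22T10:00:05Z", "azure.activitylogs",
           "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION", "success", "Backdoor"),
    # Failed write: worth a look, but the rule only fires on success.
    _event("2023-06-22T10:01:00Z", "azure.activitylogs",
           "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE", "Failure", "Backdoor"),
    # Operation name not upper-cased on ingest: silently missed by the rule.
    _event("2023-06-22T10:02:00Z", "azure.activitylogs",
           "Microsoft.Automation/automationAccounts/runbooks/write", "Success", "Backdoor"),
    # Webhook creation belongs to the separate webhook rule, not this one.
    _event("2023-06-22T10:03:00Z", "azure.activitylogs",
           "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION", "Success", "Backdoor"),
    # Wrong dataset: the rule is scoped to azure.activitylogs.
    _event("2023-06-22T10:04:00Z", "azure.auditlogs",
           "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE", "Success", "Backdoor"),
])

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_NDJSON.splitlines()):
        print(hit)
```

Only the first two documents are hits: the draft write and the publish. The third (a failed write) and the fourth (an operation name that was not upper-cased) show the two ways an attempt can be missed, so before relying on this rule confirm in your own index that `azure.activitylogs.operation_name` lands in the upper-cased form the query lists, and pair it with a separate hunt for failed runbook writes if repeated failures matter to you.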
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Related rules
- Azure Automation Webhook Created
- Azure Conditional Access Policy Modified
- User Added as Owner for Azure Application
- User Added as Owner for Azure Service Principal
- Application Added to Google Workspace Domain