Azure Automation Webhook Created
Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/08/18"
3integration = ["azure"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a
11webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An
12adversary may create a webhook in order to trigger a runbook that contains malicious code.
13"""
14from = "now-25m"
15index = ["filebeat-*", "logs-azure*"]
16language = "kuery"
17license = "Elastic License v2"
18name = "Azure Automation Webhook Created"
19note = """## Setup
20
21The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
22references = [
23 "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
24 "https://github.com/hausec/PowerZure",
25 "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
26 "https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/",
27]
28risk_score = 21
29rule_id = "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62"
30severity = "low"
31tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"]
32timestamp_override = "event.ingested"
33type = "query"
34
35query = '''
36event.dataset:azure.activitylogs and
37 azure.activitylogs.operation_name:
38 (
39 "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION" or
40 "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE"
41 ) and
42 event.outcome:(Success or success)
43'''
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
Operational Add-AzureADGroupMember Synopsis Adds a user to an Azure AD Group Syntax Add-AzureADGroupMember -User [UPN] -Group [Group name] Description Adds a user to an AAD group. If the group name...
Read More -
PowerShell framework to assess Azure security. Contribute to hausec/PowerZure development by creating an account on GitHub.
Read More -
-
Related rules
- Azure Automation Runbook Created or Modified
- Azure Conditional Access Policy Modified
- User Added as Owner for Azure Application
- User Added as Owner for Azure Service Principal
- Application Added to Google Workspace Domain