Azure Automation Webhook Created

Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook: a custom URL that, when called with a POST request carrying a runbook-specific data payload, starts the runbook. The URL is authenticated only by the secret token embedded in it, which Azure displays once at creation time and cannot be retrieved afterwards, so whoever holds the URL can trigger the runbook without any further credentials. An adversary with rights to an automation account may create a webhook in order to trigger a runbook that contains malicious code, giving them a standing, credential-free re-entry point into the tenant (the PowerZure Create-Backdoor function in the references automates exactly this).

Elastic rule (from the elastic/detection-rules repository on GitHub):

```toml
[metadata]
creation_date = "2020/08/18"
integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a
webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An
adversary may create a webhook in order to trigger a runbook that contains malicious code.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Automation Webhook Created"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
    "https://github.com/hausec/PowerZure",
    "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
    "https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/",
]
risk_score = 21
rule_id = "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and
  azure.activitylogs.operation_name:
    (
      "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION" or
      "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE"
    ) and
  event.outcome:(Success or success)
'''
```
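To make the query's behaviour concrete, the following is an added example (not Elastic's code, and not part of the rule) that re-implements the rule's three predicates and its 25-minute lookback in Python and runs them over constructed, ECS-shaped Azure activity-log documents. The field names (`event.dataset`, `event.outcome`, `event.ingested`, `azure.activitylogs.operation_name`, `azure.activitylogs.identity.claims_initiated_by_user.name`, `azure.resource.id`) follow the Elastic Azure integration's mapping; the resource IDs, principal names and timestamps are invented sample data. It goes slightly beyond the query itself by also applying the `from = "now-25m"` window on `event.ingested`, which is what `timestamp_override` makes the rule do at run time.

```python
"""Re-implementation of the 'Azure Automation Webhook Created' rule logic over
constructed Azure activity-log events (example code, not Elastic's rule engine)."""
from datetime import datetime, timedelta, timezone

# Operation names the rule matches, compared exactly as KQL does against the
# keyword field azure.activitylogs.operation_name (no case folding).
WEBHOOK_OPERATIONS = {
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION",
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE",
}
# event.outcome:(Success or success) lists two literal spellings; it is not a
# case-insensitive match, so a hypothetical "SUCCESS" would not fire the rule.
SUCCESS_OUTCOMES = {"Success", "success"}
LOOKBACK = timedelta(minutes=25)  # from = "now-25m"


def get_path(event: dict, dotted: str):
    """Walk a dotted ECS field name through nested dicts; None if any key is absent."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches_rule(event: dict) -> bool:
    """The rule's query: dataset AND webhook operation AND successful outcome."""
    return (
        get_path(event, "event.dataset") == "azure.activitylogs"
        and get_path(event, "azure.activitylogs.operation_name") in WEBHOOK_OPERATIONS
        and get_path(event, "event.outcome") in SUCCESS_OUTCOMES
    )


def in_window(event: dict, now: datetime) -> bool:
    """timestamp_override = "event.ingested": the rule windows on ingest time, so
    Azure events that reach the cluster late still fall inside a 25-minute run."""
    ingested = datetime.fromisoformat(get_path(event, "event.ingested"))
    return now - LOOKBACK <= ingested <= now


def run_rule(events, now: datetime) -> list:
    return [e for e in events if in_window(e, now) and matches_rule(e)]


def make_event(operation, outcome, resource_id, actor, ingested, dataset="azure.activitylogs"):
    """Build a minimal ECS-shaped activity-log document (constructed sample data)."""
    return {
        "event": {"dataset": dataset, "outcome": outcome, "ingested": ingested},
        "azure": {
            "activitylogs": {
                "operation_name": operation,
                "identity": {"claims_initiated_by_user": {"name": actor}},
            },
            "resource": {"id": resource_id},
        },
    }


# Constructed sample data: the subscription, names and principals are invented.
NOW = datetime(2023, 6, 22, 12, 0, tzinfo=timezone.utc)
AA = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ops"
      "/providers/Microsoft.Automation/automationAccounts/aa-ops")
WEBHOOK_ID = AA + "/webhooks/wh-nightly"
RUNBOOK_ID = AA + "/runbooks/rb-nightly"
WRITE = "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE"
ACTION = "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION"

SAMPLE_EVENTS = [
    make_event(WRITE, "Success", WEBHOOK_ID, "alice@contoso.example", "2023-06-22T11:50:00+00:00"),   # fires
    make_event(ACTION, "success", WEBHOOK_ID, "alice@contoso.example", "2023-06-22T11:51:00+00:00"),  # fires
    make_event(WRITE, "Failure", WEBHOOK_ID, "bob@contoso.example", "2023-06-22T11:52:00+00:00"),     # failed attempt
    make_event("MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE", "Success", RUNBOOK_ID,
               "alice@contoso.example", "2023-06-22T11:53:00+00:00"),                                # runbook, not webhook
    make_event(WRITE, "Success", WEBHOOK_ID, "carol@contoso.example", "2023-06-22T11:20:00+00:00"),   # ingested before now-25m
    make_event(WRITE, "Success", WEBHOOK_ID, "dave@contoso.example", "2023-06-22T11:55:00+00:00",
               dataset="azure.auditlogs"),                                                            # wrong dataset
]


def alert_summaries(events=SAMPLE_EVENTS, now=NOW) -> list:
    """(actor, operation, webhook name) for every event the rule would alert on."""
    return [
        (get_path(e, "azure.activitylogs.identity.claims_initiated_by_user.name"),
         get_path(e, "azure.activitylogs.operation_name"),
         get_path(e, "azure.resource.id").rsplit("/", 1)[-1])
        for e in run_rule(events, now)
    ]


if __name__ == "__main__":
    for actor, operation, webhook in alert_summaries():
        print(f"ALERT webhook created: actor={actor} op={operation} webhook={webhook}")
```

Of the six constructed events only the first two alert: the failed write, the runbook edit, the event ingested outside the 25-minute window and the event from another dataset are all dropped for the reason the rule's query spells out. Both alerts name the same principal and webhook, which is the triage starting point: confirm who created the webhook, which runbook it points at, and whether that runbook's content was also changed around the same time.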
