Azure Automation Runbook Created or Modifiededit

Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target’s environment.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Configuration Audit

Version: 3 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.11.2

Rule authors: Elastic

Rule license: Elastic License

Investigation guideedit

The Azure Filebeat module must be enabled to use this rule.

Rule queryedit

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE or
MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE or
MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION) and
event.outcome:(Success or success)

Rule version historyedit

Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE or
    MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE or
    MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION) and
    event.outcome:Success