Azure Automation Webhook Created
Elastic Stack Serverless Security
Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to start via a webhook: Azure generates a unique URL for the webhook, and a caller starts the runbook by sending an HTTP POST to that URL, optionally with a data payload that the runbook reads as input. The request carries no other authentication, so possession of the URL is sufficient to start the runbook, and the URL is only displayed once, at creation time. An adversary with rights to an Automation account may create a webhook in order to trigger a runbook that contains malicious code, or to keep a persistent trigger for it (the PowerZure reference below documents this as a backdoor technique). Webhook creation is also a routine administrative action, which is why the rule is rated low severity; review the creating identity and the target runbook rather than treating every alert as malicious.
Rule type: query
Rule indices:
- filebeat-*
- logs-azure*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-25m (Date Math format: https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math; see also Additional look-back time)
Maximum alerts per execution: 100
References:
- https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor
- https://github.com/hausec/PowerZure
- https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a
- https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/
Tags:
- Elastic
- Cloud
- Azure
- Continuous Monitoring
- SecOps
- Configuration Audit
Version: 7
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query:
event.dataset:azure.activitylogs and
azure.activitylogs.operation_name:
(
"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION" or
"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE"
) and
event.outcome:(Success or success)
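To see exactly which activity-log documents the query above selects, the following added example (not part of the Elastic rule or its documentation) re-implements the three query clauses in plain Python and runs them over a handful of constructed newline-delimited JSON documents. The documents are invented; only their field names follow the ECS/Azure integration layout the rule queries. The example also shows two things the query text implies but does not spell out: matching on a keyword field is exact, so a lower-case operation name would not fire, and both outcome spellings are accepted because the integration has emitted either.

```python
import json

# Query terms copied from the rule text above.
RULE_DATASET = "azure.activitylogs"
RULE_OPERATIONS = {
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION",
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE",
}
RULE_OUTCOMES = {"Success", "success"}


def get_field(event, dotted):
    """Resolve a dotted ECS field name (e.g. 'event.dataset') against a nested dict."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_rule(event):
    """Return True when one activity-log document satisfies all three query clauses.

    Keyword equality is exact (case-sensitive), mirroring how the KQL query
    behaves against the integration's keyword-mapped fields.
    """
    return (
        get_field(event, "event.dataset") == RULE_DATASET
        and get_field(event, "azure.activitylogs.operation_name") in RULE_OPERATIONS
        and get_field(event, "event.outcome") in RULE_OUTCOMES
    )


def run_rule(ndjson_text):
    """Evaluate the rule over newline-delimited JSON; return the matching documents."""
    hits = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if matches_rule(json.loads(line)):
            hits.append(json.loads(line))
    return hits


# Constructed sample documents (invented values, not real telemetry).
# Expected: lines 1 and 2 match; line 3 fails on outcome, line 4 on operation
# name (a delete), line 5 on dataset.
SAMPLE_LOGS = """
{"@timestamp":"2024-01-01T10:00:00Z","event":{"dataset":"azure.activitylogs","outcome":"Success"},"azure":{"activitylogs":{"operation_name":"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE"}}}
{"@timestamp":"2024-01-01T10:00:05Z","event":{"dataset":"azure.activitylogs","outcome":"success"},"azure":{"activitylogs":{"operation_name":"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION"}}}
{"@timestamp":"2024-01-01T10:01:00Z","event":{"dataset":"azure.activitylogs","outcome":"Failure"},"azure":{"activitylogs":{"operation_name":"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE"}}}
{"@timestamp":"2024-01-01T10:02:00Z","event":{"dataset":"azure.activitylogs","outcome":"Success"},"azure":{"activitylogs":{"operation_name":"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/DELETE"}}}
{"@timestamp":"2024-01-01T10:03:00Z","event":{"dataset":"azure.auditlogs","outcome":"Success"},"azure":{"activitylogs":{"operation_name":"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE"}}}
"""

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_LOGS):
        print(hit["@timestamp"], get_field(hit, "azure.activitylogs.operation_name"))
```

When triaging a hit, the fields worth pivoting on are the identity that issued the write and the Automation account and runbook the webhook points at, neither of which the query itself constrains.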