AZT605.1 - Resource Secret Reveal: Automation Account Credential Secret Dump#
By editing a Runbook, a credential configured in an Automation Account may be revealed
Resource
Automation Account
Actions
- Microsoft.Automation/automationAccounts/runbooks/*
Examples
Detections
Logs#
Data Source | Operation Name | Action | Log Location |
---|---|---|---|
Resource | Create an Azure Automation job | Microsoft.Automation/automationAccounts/jobs/write | Azure Activity Log |
Resource | Publish an Azure Automation runbook draft | Microsoft.Automation/automationAccounts/runbooks/publish/action | Azure Activity Log |
Resource | Write an Azure Automation runbook draft | Microsoft.Automation/automationAccounts/runbooks/draft/write | Azure Activity Log |
Resource | Create or Update an Azure Automation Runbook | Microsoft.Automation/automationAccounts/runbooks/write | Azure Activity Log |
Queries#
|where OperationNameValue=="Microsoft.Automation/automationAccounts/jobs/write" or OperationNameValue=="Microsoft.Automation/automationAccounts/runbooks/publish/action"
or OperationNameValue=="Microsoft.Automation/automationAccounts/runbooks/draft/write" or OperationNameValue=="Microsoft.Automation/automationAccounts/runbooks/write"