
AZT503.3 - HTTP Trigger: Runbook Webhook

Adversaries may create a webhook for a Runbook, which allows unauthenticated access into an Azure subscription or tenant.

Resource

Automation Accounts

Actions

  • Microsoft.Automation/automationAccounts/runbooks/*
  • Microsoft.Automation/automationAccounts/webhooks/write

Detections

Logs

Data Source: Resource
Operation Name: Create or Update an Azure Automation webhook
Action: Microsoft.Automation/automationAccounts/webhooks/write
Log Provider: AzureActivity

Queries

Platform: Log Analytics
Query:

    AzureActivity
    | where OperationNameValue == 'MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE'
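The query above returns every row logged for the operation. As an added example (not part of the original page or its project), the Python below triages exported AzureActivity rows: it keeps successful webhook writes, matches the operation name case-insensitively, collapses rows by CorrelationId, and lists runbooks/* operations by the same caller on the same Automation Account in the preceding hour. The helper names, the one-hour window and all sample rows are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

PREFIX = "microsoft.automation/automationaccounts/"
WEBHOOK_WRITE = PREFIX + "webhooks/write"   # operation from the page's query
RUNBOOK_OPS = PREFIX + "runbooks/"          # the page's runbooks/* actions

def account_of(resource_id):
    """Lowercased resource ID truncated at the Automation Account name."""
    head, sep, tail = resource_id.lower().partition("/automationaccounts/")
    return head + sep + tail.split("/")[0]

def find_webhook_writes(rows, window=timedelta(hours=1)):
    """One finding per successful webhook write, listing runbook operations by
    the same caller on the same account within the preceding window."""
    ok = [r for r in rows if r["ActivityStatusValue"].lower() == "success"]
    findings, seen = [], set()
    for r in ok:
        if r["OperationNameValue"].lower() != WEBHOOK_WRITE or r["CorrelationId"] in seen:
            continue
        seen.add(r["CorrelationId"])  # collapse repeated rows for one request
        when = datetime.fromisoformat(r["TimeGenerated"])
        related = [
            p["OperationNameValue"] for p in ok
            if p["OperationNameValue"].lower().startswith(RUNBOOK_OPS)
            and p["Caller"] == r["Caller"]
            and account_of(p["_ResourceId"]) == account_of(r["_ResourceId"])
            and timedelta(0) <= when - datetime.fromisoformat(p["TimeGenerated"]) <= window
        ]
        findings.append({"time": r["TimeGenerated"], "caller": r["Caller"], "ip": r["CallerIpAddress"],
                         "webhook": r["_ResourceId"], "runbook_changes": related})
    return findings

def row(ts, op, status, caller, rid, corr):  # builds one constructed sample row
    return {"TimeGenerated": ts, "OperationNameValue": op, "ActivityStatusValue": status,
            "Caller": caller, "CallerIpAddress": "203.0.113.7", "_ResourceId": rid, "CorrelationId": corr}

# Constructed sample data (placeholder subscription, names and addresses).
AA = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
      "/providers/Microsoft.Automation/automationAccounts/aa-demo")
OP = "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/"
SAMPLE = [
    row("2024-05-01T10:00:00", OP + "RUNBOOKS/DRAFT/WRITE", "Success", "user@example.com", AA + "/runbooks/rb-demo", "c1"),
    row("2024-05-01T10:05:00", OP + "WEBHOOKS/WRITE", "Start", "user@example.com", AA + "/webhooks/wh-demo", "c2"),
    row("2024-05-01T10:05:02", OP.lower() + "webhooks/write", "Success", "user@example.com", AA + "/webhooks/wh-demo", "c2"),
    row("2024-05-01T12:00:00", OP + "WEBHOOKS/WRITE", "Failure", "other@example.com", AA + "/webhooks/wh-x", "c3"),
]

if __name__ == "__main__":
    print(find_webhook_writes(SAMPLE))
```

Timestamps in the sample carry no zone suffix; rows exported with a trailing `Z` need normalising before `datetime.fromisoformat` on Python versions older than 3.11.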

Azure Monitor Alert

Deploy to Azure