Skip to content

AZT503.3 - HTTP Trigger: Runbook Webhook#

Adversaries may create a webhook to a Runbook which allows unauthenticated access into an Azure subscription or tenant.

Resource

Automation Accounts

Actions

  • Microsoft.Automation/automationAccounts/runbooks/*
  • Microsoft.Automation/automationAccounts/webhooks/write

Detections

Logs#

Data Source Operation Name Action Log Location
Resource Create or Update an Azure Automation webhook Microsoft.Automation/automationAccounts/webhooks/write Azure Activity Log