AZT503.3 - HTTP Trigger: Runbook Webhook#
Adversaries may create a webhook to a Runbook which allows unauthenticated access into an Azure subscription or tenant.
Resource
Automation Accounts
Actions
- Microsoft.Automation/automationAccounts/runbooks/*
- Microsoft.Automation/automationAccounts/webhooks/write
Examples
Detections
Logs#
Data Source | Operation Name | Action | Log Location |
---|---|---|---|
Resource | Create or Update an Azure Automation webhook | Microsoft.Automation/automationAccounts/webhooks/write | Azure Activity Log |