Skip to content

AZT504 - Watcher Tasks#

By configurating a watcher task and a Runbook, an adversary can establish persistence by executing the Runbook on a triggered event.

Resource

Automation Account

Actions

  • Microsoft.Automation/automationAccounts/runbooks/*

Examples

New-AzAutomationWebhook

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/{automationAccountName}/webhooks/{webhookName}?api-version=2015-10-31

watcher

Detections

Detection Details#

No logs are generated when a watcher task is created.

Logs#

Data Source Operation Name Action Log Provider
Resource Create an Azure Automation job Microsoft.Automation/automationAccounts/jobs/write AzureActivity
Resource Publish an Azure Automation runbook draft Microsoft.Automation/automationAccounts/runbooks/publish/action AzureActivity
Resource Write an Azure Automation runbook draft Microsoft.Automation/automationAccounts/runbooks/draft/write AzureActivity
Resource Create or Update an Azure Automation Runbook Microsoft.Automation/automationAccounts/runbooks/write AzureActivity

Queries#

Platform Query
Log Analytics AzureActivity | where OperationNameValue == 'MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WATCHERS/WATCHERACTIONS/WRITE'

Azure Monitor Alert#

Deploy to Azure

Additional Resources

https://docs.microsoft.com/en-us/azure/automation/automation-scenario-using-watcher-task