Skip to content

AZT505.1 - Scheduled Jobs - Runbook Schedules#

Adversaries may create a schedule for a Runbook to run at a defined interval.

Resource

Automation Account

Actions

  • Microsoft.Automation/automationAccounts/Schedules/write

Examples

New-AzAutomationSchedule

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/{automationAccountName}/jobSchedules/{jobScheduleId}?api-version=2019-06-01

runbookschedule

Detections

Logs#

Data Source Operation Name Action Log Provider
Resource Create or Update an Azure Automation schedule asset Microsoft.Automation/automationAccounts/Schedules/write AzureActivity

Queries#

Platform Query
Log Analytics AzureActivity | where OperationNameValue == 'MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WATCHERS/WATCHERACTIONS/WRITE'

Azure Monitor Alert#

Deploy to Azure

Additional Resources

https://docs.microsoft.com/en-us/azure/automation/shared-resources/schedules