
AZT404.3 - Unmanaged Scripting: Automation Account Runbook

By using an Automation Account configured with a managed identity or RunAs account, an attacker can execute Azure operations on a given resource.

Resource

Automation Account

Actions

  • Microsoft.Automation/automationAccounts/runbooks/*

Detections

Logs

| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| Resource | Create an Azure Automation job | Microsoft.Automation/automationAccounts/jobs/write | Azure Activity Log |
| Resource | Publish an Azure Automation runbook draft | Microsoft.Automation/automationAccounts/runbooks/publish/action | Azure Activity Log |
| Resource | Write an Azure Automation runbook draft | Microsoft.Automation/automationAccounts/runbooks/draft/write | Azure Activity Log |
| Resource | Create or Update an Azure Automation Runbook | Microsoft.Automation/automationAccounts/runbooks/write | Azure Activity Log |

Queries

AzureActivity
| where OperationNameValue == "Microsoft.Automation/automationAccounts/jobs/write" or OperationNameValue == "Microsoft.Automation/automationAccounts/runbooks/publish/action"
    or OperationNameValue == "Microsoft.Automation/automationAccounts/runbooks/draft/write" or OperationNameValue == "Microsoft.Automation/automationAccounts/runbooks/write"
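
The query above returns every matching event, including routine job starts. The following added example (not part of the original page) goes one step further and flags only a runbook edit or publish followed by a job start from the same caller on the same Automation Account. The 30-minute window, the case-insensitive matching and the sample rows are assumptions made for illustration; the dictionary keys follow AzureActivity column names.

```python
from datetime import datetime, timedelta

PREFIX = "microsoft.automation/automationaccounts/"
# Operations from the Logs table above, lower-cased for case-insensitive matching.
EDIT_OPS = {PREFIX + "runbooks/write", PREFIX + "runbooks/draft/write",
            PREFIX + "runbooks/publish/action"}
JOB_OP = PREFIX + "jobs/write"

def rid(account, tail):
    """Build a constructed resource ID (placeholder subscription and resource group)."""
    return ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
            "/providers/Microsoft.Automation/automationAccounts/" + account + "/" + tail)

def row(ts, caller, op, resource_id):
    return {"TimeGenerated": ts, "Caller": caller,
            "OperationNameValue": op, "_ResourceId": resource_id}

# Constructed sample rows keyed by AzureActivity column names; all values are made up.
SAMPLE = [
    row("2024-01-10T09:00:00", "ops@example.com",
        "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/JOBS/WRITE", rid("aa-prod", "jobs/j1")),
    row("2024-01-10T10:00:00", "dev@example.com",
        "Microsoft.Automation/automationAccounts/runbooks/draft/write", rid("aa-prod", "runbooks/rb1/draft")),
    row("2024-01-10T10:01:00", "dev@example.com",
        "Microsoft.Automation/automationAccounts/runbooks/publish/action", rid("aa-prod", "runbooks/rb1")),
    row("2024-01-10T10:03:00", "Dev@example.com",
        "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/JOBS/WRITE", rid("aa-prod", "jobs/j2")),
    row("2024-01-10T11:00:00", "dev@example.com",
        "Microsoft.Automation/automationAccounts/runbooks/write", rid("aa-test", "runbooks/rb2")),
    row("2024-01-10T11:05:00", "dev@example.com", "Microsoft.Storage/storageAccounts/write", "/constructed/sa1"),
]

def edit_then_run(rows, window=timedelta(minutes=30)):
    """Return (account, caller, seconds) where a runbook edit precedes a job start within window."""
    last_edit, hits = {}, []
    for r in sorted(rows, key=lambda r: r["TimeGenerated"]):
        op = r["OperationNameValue"].lower()
        if op not in EDIT_OPS and op != JOB_OP:
            continue  # not one of the four runbook/job operations
        parts = r["_ResourceId"].lower().split("/")
        account = parts[parts.index("automationaccounts") + 1]
        key = (account, r["Caller"].lower())
        ts = datetime.fromisoformat(r["TimeGenerated"])
        if op in EDIT_OPS:
            last_edit[key] = ts  # remember the most recent edit per account and caller
        elif key in last_edit and ts - last_edit[key] <= window:
            hits.append((*key, int((ts - last_edit[key]).total_seconds())))
    return hits

print(edit_then_run(SAMPLE))
```

The job started by ops@example.com with no preceding edit is not flagged, and neither is the edit on aa-test that is never followed by a job.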