IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Azure Automation Runbook Deleted Azure Blob Container Access Level Modification »
Elastic Docs Elastic Security Solution [7.10] Detections and Alerts Prebuilt rule reference

Azure Automation Webhook Created

edit

Azure Automation Webhook Created

edit

Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.

Rule type: query

Rule indices:

  • filebeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Configuration Audit

Version: 1

Added (Elastic Stack release): 7.10.0

Rule authors: Elastic

Rule license: Elastic License

Investigation guide

edit

The Azure Filebeat module must be enabled to use this rule.

Rule query

edit
event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION or
MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE) and
event.outcome:Success
« Azure Automation Runbook Deleted Azure Blob Container Access Level Modification »