[New Rule] Azure Automation Runbook Deleted (#235)

* new-rule-azure-automation-runbook-deleted

* Update rules/azure/impact_azure_automation_runbook_deleted.toml

Fix typo in rule description

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/impact_azure_automation_runbook_deleted.toml

Remove superfluous parens from query

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

rules/azure/impact_azure_automation_runbook_deleted.toml

@@ -0,0 +1,33 @@
+[metadata]
+creation_date = "2020/09/01"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/09/01"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to
+disrupt their target's automated business operations or to remove a malicious runbook that was used for persistence.
+"""
+from = "now-25m"
+index = ["filebeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Azure Automation Runbook Deleted"
+note = "The Azure Filebeat module must be enabled to use this rule."
+references = [
+    "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+    "https://github.com/hausec/PowerZure",
+    "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+    "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/",
+]
+risk_score = 21
+rule_id = "8ddab73b-3d15-4e5d-9413-47f05553c1d7"
+severity = "low"
+tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+type = "query"
+
+query = '''
+event.module:azure and event.dataset:azure.activitylogs and event.category:Administrative and azure.activitylogs.operation_name:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE and event.outcome:Success
+'''