Terrance DeJesus
cabf1c2a02
* Tuning azure and m365 rule names and file paths * addressing unit test failures * addressing unit test failures * Changed Frontdoor to Front Door * removed extra space in name * adjusted Microsoft 365 to M365 in rule name * Update rules/integrations/azure/credential_access_storage_account_key_regenerated.toml * Update rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml * Update rules/integrations/azure/execution_automation_runbook_created_or_modified.toml * Update rules/integrations/azure/persistence_automation_account_created.toml * Update rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml * Update rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml * Update rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml * Update rules/integrations/azure/persistence_automation_webhook_created.toml * Update rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml * Update rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml * Update rules/integrations/azure/persistence_event_hub_created_or_updated.toml * Update rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml * Update rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml * Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * fixed additional rule names * Update rule dates and investigation guide headers - Set updated_date to 2025/12/10 for all modified rules - Fix investigation guide headers to match actual rule names - Ensures compliance with test_rule_change_has_updated_date - Ensures compliance with test_investigation_guide_uses_rule_name 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * changed kibana alert rule name to rule ID --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com>
99 lines
5.9 KiB
TOML
99 lines
5.9 KiB
TOML
[metadata]
|
|
creation_date = "2020/08/18"
|
|
integration = ["azure"]
|
|
maturity = "production"
|
|
updated_date = "2025/12/10"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management
|
|
tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain
|
|
persistence in their target's environment.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["logs-azure.activitylogs-*", "filebeat-*"]
|
|
language = "kuery"
|
|
license = "Elastic License v2"
|
|
name = "Azure Automation Account Created"
|
|
note = """## Triage and analysis
|
|
|
|
> **Disclaimer**:
|
|
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
|
|
|
|
### Investigating Azure Automation Account Created
|
|
|
|
Azure Automation accounts facilitate the automation of management tasks and orchestration across cloud environments, enhancing operational efficiency. However, adversaries may exploit these accounts to establish persistence by automating malicious activities. The detection rule monitors the creation of these accounts by analyzing specific Azure activity logs, focusing on successful operations, to identify potential unauthorized or suspicious account creations.
|
|
|
|
### Possible investigation steps
|
|
|
|
- Review the Azure activity logs to confirm the creation of the Automation account by checking for the operation name "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and ensure the event outcome is marked as Success.
|
|
- Identify the user or service principal that initiated the creation of the Automation account by examining the associated user identity information in the activity logs.
|
|
- Investigate the context of the Automation account creation by reviewing recent activities performed by the identified user or service principal to determine if there are any other suspicious or unauthorized actions.
|
|
- Check the configuration and permissions of the newly created Automation account to ensure it does not have excessive privileges that could be exploited for persistence or lateral movement.
|
|
- Correlate the Automation account creation event with other security alerts or logs to identify any patterns or indicators of compromise that may suggest malicious intent.
|
|
|
|
### False positive analysis
|
|
|
|
- Routine administrative tasks may trigger the rule when legitimate users create Azure Automation accounts for operational purposes. To manage this, maintain a list of authorized personnel and their expected activities, and cross-reference alerts with this list.
|
|
- Automated deployment scripts or infrastructure-as-code tools might create automation accounts as part of their normal operation. Identify these scripts and exclude their associated activities from triggering alerts by using specific identifiers or tags.
|
|
- Scheduled maintenance or updates by cloud service providers could result in the creation of automation accounts. Verify the timing and context of the account creation against known maintenance schedules and exclude these from alerts if they match.
|
|
- Development and testing environments often involve frequent creation and deletion of resources, including automation accounts. Implement separate monitoring rules or environments for these non-production areas to reduce noise in alerts.
|
|
|
|
### Response and remediation
|
|
|
|
- Immediately review the Azure activity logs to confirm the creation of the Automation account and identify the user or service principal responsible for the action.
|
|
- Disable the newly created Azure Automation account to prevent any potential malicious automation tasks from executing.
|
|
- Conduct a thorough investigation of the user or service principal that created the account to determine if their credentials have been compromised or if they have acted maliciously.
|
|
- Reset credentials and enforce multi-factor authentication for the identified user or service principal to prevent unauthorized access.
|
|
- Review and adjust Azure role-based access control (RBAC) policies to ensure that only authorized personnel have the ability to create Automation accounts.
|
|
- Escalate the incident to the security operations team for further analysis and to determine if additional systems or accounts have been compromised.
|
|
- Implement enhanced monitoring and alerting for future Automation account creations to quickly detect and respond to similar threats.
|
|
|
|
## Setup
|
|
|
|
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
|
|
references = [
|
|
"https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
|
|
"https://github.com/hausec/PowerZure",
|
|
"https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
|
|
"https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/",
|
|
]
|
|
risk_score = 21
|
|
rule_id = "df26fd74-1baa-4479-b42e-48da84642330"
|
|
severity = "low"
|
|
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
|
|
timestamp_override = "event.ingested"
|
|
type = "query"
|
|
|
|
query = '''
|
|
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success)
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1078"
|
|
name = "Valid Accounts"
|
|
reference = "https://attack.mitre.org/techniques/T1078/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0003"
|
|
name = "Persistence"
|
|
reference = "https://attack.mitre.org/tactics/TA0003/"
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1078"
|
|
name = "Valid Accounts"
|
|
reference = "https://attack.mitre.org/techniques/T1078/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0005"
|
|
name = "Defense Evasion"
|
|
reference = "https://attack.mitre.org/tactics/TA0005/"
|
|
|