Ross Wolf
600acca704
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests
(cherry picked from commit 1882f4456c)
45 lines
1.6 KiB
TOML
45 lines
1.6 KiB
TOML
[metadata]
|
|
creation_date = "2020/08/18"
|
|
maturity = "production"
|
|
updated_date = "2021/07/20"
|
|
integration = "azure"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a
|
|
webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An
|
|
adversary may create a webhook in order to trigger a runbook that contains malicious code.
|
|
"""
|
|
from = "now-25m"
|
|
index = ["filebeat-*", "logs-azure*"]
|
|
language = "kuery"
|
|
license = "Elastic License v2"
|
|
name = "Azure Automation Webhook Created"
|
|
note = """## Config
|
|
|
|
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
|
|
references = [
|
|
"https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
|
|
"https://github.com/hausec/PowerZure",
|
|
"https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
|
|
"https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/",
|
|
]
|
|
risk_score = 21
|
|
rule_id = "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62"
|
|
severity = "low"
|
|
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
|
|
timestamp_override = "event.ingested"
|
|
type = "query"
|
|
|
|
query = '''
|
|
event.dataset:azure.activitylogs and
|
|
azure.activitylogs.operation_name:
|
|
(
|
|
"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION" or
|
|
"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE"
|
|
) and
|
|
event.outcome:(Success or success)
|
|
'''
|
|
|