Azure Runbook Webhook Creation Detected
Detection of a new Azure Automation Runbook Webhook creation, potentially leading to unauthorized access and control over Azure resources by enabling unauthenticated URL triggers.
This alert focuses on the creation of new Azure Automation Runbook Webhooks within an Azure tenant. Attackers can exploit these webhooks, which trigger Automation Runbooks through unauthenticated URLs, to execute malicious code, create unauthorized user accounts, or establish persistence within the Azure environment. This activity is detected using Azure Audit events, specifically monitoring for the "Microsoft.Automation/automationAccounts/webhooks/write" operation. This is especially critical as successful exploitation can lead to full control over the Azure resources. Defenders should prioritize monitoring for unexpected or unauthorized webhook creation activities. This detection originated from Splunk's ES-CU detections as of April 2026.
Attack Chain
- The attacker gains initial access to an Azure account, possibly through compromised credentials or exploiting a vulnerability.
- The attacker navigates to the Azure Automation service within the Azure portal.
- The attacker attempts to create a new Automation Account if one doesn't exist, or uses an existing one.
- The attacker creates a new Runbook designed to execute malicious tasks. This could include adding a new user account with elevated privileges.
- The attacker creates a webhook associated with the malicious Runbook. This generates an unauthenticated URL.
- The attacker configures the webhook to trigger the Runbook upon accessing the unauthenticated URL.
- The attacker tests the webhook URL to ensure the Runbook executes as intended.
- The attacker leverages the webhook URL to execute malicious actions within the Azure environment, such as creating new high privileged accounts or modifying existing infrastructure.
Impact
Successful exploitation allows attackers to gain unauthorized access and control over Azure resources. This can result in data breaches, service disruptions, and further compromise of the environment. If not detected promptly, this can lead to significant financial and reputational damage. This issue impacts any organization using Azure Automation and exposes all data and resources managed within the impacted Azure tenant.
Recommendation
- Deploy the Sigma rule
Azure Runbook Webhook Createdto your SIEM and tune for your environment to detect the creation of malicious webhooks. - Investigate any detected instances of Azure Runbook Webhook creation, focusing on the user (
user) and source IP (src_ip) involved. - Review Azure Activity logs for the "Microsoft.Automation/automationAccounts/webhooks/write" operation.
- Monitor network traffic for suspicious connections to newly created webhook URLs (related to the created
object). - Implement strict access control policies and multi-factor authentication for all Azure accounts to prevent initial compromise.
Detection coverage 2
Azure Runbook Webhook Created
highDetects the creation of an Azure Automation Runbook Webhook, which can be used for persistence and unauthorized execution.
Azure Runbook Creation
mediumDetects the creation of an Azure Automation Runbook, which is a prerequisite for webhook abuse.
Detection queries are available on the platform. Get full rules →