Azure Automation Runbook Deleted
Detection of Azure Automation runbook deletion, potentially indicating defense evasion or disruption of automated business processes by an adversary removing malicious or critical runbooks.
This detection identifies when an Azure Automation runbook is deleted. Azure Automation runbooks are used to automate repetitive tasks and manage cloud resources. An adversary may delete an Azure Automation runbook to disrupt normal automated business operations or to remove a malicious runbook they previously deployed, thus covering their tracks. The detection focuses on monitoring Azure activity logs for events indicating the successful deletion of runbooks. While often legitimate, unexpected or unauthorized runbook deletions warrant investigation, especially in sensitive environments. The rule is designed to work with data ingested through the Azure Fleet integration or Filebeat module, which provides the necessary Azure activity logs.
Attack Chain
- An adversary gains initial access to an Azure account, potentially through compromised credentials or exploiting a vulnerability in the Azure environment.
- The attacker identifies Azure Automation accounts and their associated runbooks.
- If the attacker previously created a malicious runbook for persistence or other malicious purposes, they may delete it to evade detection.
- Alternatively, the attacker may delete legitimate runbooks to disrupt automated processes and cause operational impact.
- The attacker executes the runbook deletion command, triggering an event logged in the Azure activity logs. The specific operation name is "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE".
- The Azure platform records the deletion event, including the user identity and timestamp of the action.
- If successful, the runbook is permanently removed from the automation account.
- The deletion leads to disruption of the automated tasks previously performed by the runbook, potentially impacting business operations or security measures.
Impact
Successful deletion of Azure Automation runbooks can lead to the disruption of critical automated tasks, affecting business operations and potentially causing financial or reputational damage. The severity depends on the importance of the deleted runbooks. If malicious runbooks are deleted, it serves as defense evasion, potentially delaying incident response.
Recommendation
- Deploy the Sigma rule provided below to your SIEM to detect Azure Automation runbook deletions and tune it for your environment.
- Investigate any detected runbook deletions, focusing on the user identity and context of the event (refer to the investigation steps in the rule description).
- Implement stricter access controls and auditing for Azure Automation accounts to limit the ability to delete runbooks to authorized personnel.
- Consider enabling versioning or backups of Azure Automation runbooks to facilitate restoration in case of accidental or malicious deletion.
- Monitor user accounts for suspicious activity prior to the deletion event, such as privilege escalation or unusual access patterns.
Detection coverage 2
Azure Automation Runbook Deleted
lowDetects the deletion of Azure Automation runbooks, which could indicate defense evasion or disruption of automated processes.
Azure Automation Account Activity - Runbook Deletion by Unusual User
mediumDetects runbook deletions by accounts not typically associated with automation tasks, potentially indicating unauthorized activity.
Detection queries are available on the platform. Get full rules →