<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Azure Automation - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/azure-automation/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 25 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/azure-automation/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure Automation Runbook Created or Modified</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-automation-runbook-modification/</link><pubDate>Thu, 25 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-automation-runbook-modification/</guid><description>An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment, detected through Azure activity logs.</description><content:encoded><![CDATA[<p>This detection identifies the creation or modification of Azure Automation runbooks, a technique that adversaries can use to execute malicious code within an Azure environment and establish persistence. Azure Automation runbooks are scripts that automate tasks in cloud environments. The activity is detected by monitoring Azure activity logs for specific operations related to runbook creation or modification. While legitimate updates and maintenance may trigger this detection, unauthorized changes to runbooks can introduce backdoors or malicious functionality. The detection focuses on &quot;MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE&quot;, &quot;MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE&quot;, or &quot;MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION&quot; operations. This activity is a part of exploiting cloud resources for unauthorized purposes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Adversary gains initial access to an Azure account with sufficient privileges to manage Automation Accounts.</li>
<li>The adversary navigates to the Azure Automation service.</li>
<li>The adversary creates a new runbook or modifies an existing one.</li>
<li>The runbook is populated with malicious code, such as PowerShell scripts designed to create a backdoor or exfiltrate data.</li>
<li>The adversary publishes the runbook, making it active within the Azure environment.</li>
<li>The runbook is scheduled to execute automatically or triggered manually.</li>
<li>The malicious code within the runbook executes, performing unauthorized actions such as data exfiltration or resource manipulation.</li>
<li>The adversary maintains persistence by ensuring the runbook continues to execute on a schedule.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to unauthorized access to sensitive data, resource hijacking, and persistent backdoors within the Azure environment. The impact ranges from data breaches and service disruption to long-term control of the compromised Azure resources. Even though rated low severity, successful exploitation leads to further malicious actions within the cloud environment, potentially impacting multiple services and data stores.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Azure Automation Runbook Creation or Modification</code> to your SIEM and tune for your environment to detect suspicious activity (rule).</li>
<li>Review Azure activity logs for the <code>MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE</code>, <code>MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE</code>, and <code>MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION</code> operations to identify potential unauthorized changes (logs).</li>
<li>Implement strict access controls and multi-factor authentication for Azure accounts with permissions to manage Automation Accounts (best practice).</li>
<li>Regularly audit and review the content of Azure Automation runbooks to identify any unauthorized or suspicious code (best practice).</li>
<li>Consider enabling logging of runbook execution to gain deeper visibility into their activity (best practice).</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>azure</category><category>automation</category><category>runbook</category><category>execution</category><category>persistence</category></item><item><title>Azure Automation Runbook Deleted</title><link>https://feed.craftedsignal.io/briefs/2024-01-11-azure-automation-runbook-deleted/</link><pubDate>Thu, 11 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-11-azure-automation-runbook-deleted/</guid><description>Detection of Azure Automation runbook deletion, potentially indicating defense evasion or disruption of automated business processes by an adversary removing malicious or critical runbooks.</description><content:encoded><![CDATA[<p>This detection identifies when an Azure Automation runbook is deleted. Azure Automation runbooks are used to automate repetitive tasks and manage cloud resources. An adversary may delete an Azure Automation runbook to disrupt normal automated business operations or to remove a malicious runbook they previously deployed, thus covering their tracks. The detection focuses on monitoring Azure activity logs for events indicating the successful deletion of runbooks. While often legitimate, unexpected or unauthorized runbook deletions warrant investigation, especially in sensitive environments. The rule is designed to work with data ingested through the Azure Fleet integration or Filebeat module, which provides the necessary Azure activity logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An adversary gains initial access to an Azure account, potentially through compromised credentials or exploiting a vulnerability in the Azure environment.</li>
<li>The attacker identifies Azure Automation accounts and their associated runbooks.</li>
<li>If the attacker previously created a malicious runbook for persistence or other malicious purposes, they may delete it to evade detection.</li>
<li>Alternatively, the attacker may delete legitimate runbooks to disrupt automated processes and cause operational impact.</li>
<li>The attacker executes the runbook deletion command, triggering an event logged in the Azure activity logs. The specific operation name is &quot;MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE&quot;.</li>
<li>The Azure platform records the deletion event, including the user identity and timestamp of the action.</li>
<li>If successful, the runbook is permanently removed from the automation account.</li>
<li>The deletion leads to disruption of the automated tasks previously performed by the runbook, potentially impacting business operations or security measures.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of Azure Automation runbooks can lead to the disruption of critical automated tasks, affecting business operations and potentially causing financial or reputational damage. The severity depends on the importance of the deleted runbooks. If malicious runbooks are deleted, it serves as defense evasion, potentially delaying incident response.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule provided below to your SIEM to detect Azure Automation runbook deletions and tune it for your environment.</li>
<li>Investigate any detected runbook deletions, focusing on the user identity and context of the event (refer to the investigation steps in the rule description).</li>
<li>Implement stricter access controls and auditing for Azure Automation accounts to limit the ability to delete runbooks to authorized personnel.</li>
<li>Consider enabling versioning or backups of Azure Automation runbooks to facilitate restoration in case of accidental or malicious deletion.</li>
<li>Monitor user accounts for suspicious activity prior to the deletion event, such as privilege escalation or unusual access patterns.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>cloud</category><category>azure</category><category>defense-evasion</category><category>impact</category></item><item><title>Suspicious Azure Automation Account Creation</title><link>https://feed.craftedsignal.io/briefs/2024-01-04-azure-automation-account-creation/</link><pubDate>Thu, 04 Jan 2024 16:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-04-azure-automation-account-creation/</guid><description>An adversary may create an Azure Automation account to maintain persistence in the target environment by automating malicious tasks.</description><content:encoded><![CDATA[<p>Azure Automation accounts allow users to automate management tasks and orchestrate actions across systems. An attacker may create an Automation Account for persistence, defense evasion, or lateral movement. The primary technique involves creating a valid account (T1078) within the Azure environment and abusing it for malicious purposes. This activity can be difficult to detect because the creation of Automation Accounts is a legitimate administrative function. Defenders need to monitor these events and correlate them with other suspicious activities. This brief focuses on detecting the initial creation of such accounts, providing a starting point for deeper investigation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the Azure environment, possibly through compromised credentials or a misconfigured service principal.</li>
<li>The attacker authenticates to the Azure Resource Manager API.</li>
<li>The attacker uses the Azure CLI or PowerShell module to create a new Azure Automation account using the <code>New-AzAutomationAccount</code> command or equivalent API call.</li>
<li>The attacker configures the Automation Account with necessary permissions, possibly granting it access to other resources within the environment.</li>
<li>The attacker creates Runbooks within the Automation Account that contain malicious scripts designed to perform tasks such as data exfiltration, lateral movement, or privilege escalation.</li>
<li>The attacker schedules the Runbooks to execute automatically or triggers them manually as needed to maintain persistence.</li>
<li>The attacker uses the Automation Account to maintain a foothold in the environment, bypassing traditional security controls and remaining undetected for extended periods.</li>
<li>The attacker leverages the compromised Automation Account to achieve their final objective, such as data theft, system compromise, or disruption of services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to long-term persistence within the Azure environment. This allows the attacker to maintain control even if other access methods are discovered and remediated. The attacker can use the Automation Account to execute malicious code, steal sensitive data, or disrupt critical services, leading to significant financial and reputational damage. This can affect organizations of any size that rely on Azure for their infrastructure and operations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Azure Automation Account Created&quot; to your SIEM and tune for your environment to detect account creations (rule.name).</li>
<li>Investigate the user or service principal responsible for creating new Automation Accounts (references).</li>
<li>Review the permissions granted to newly created Automation Accounts to identify any excessive privileges (references).</li>
<li>Monitor for suspicious activity originating from Automation Accounts, such as unauthorized access to resources or execution of unusual scripts (references).</li>
<li>Implement multi-factor authentication (MFA) for all Azure accounts, especially those with administrative privileges to prevent credential compromise (references).</li>
<li>Enforce the principle of least privilege to limit the impact of compromised accounts (references).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>persistence</category><category>cloud</category></item><item><title>Azure Runbook Webhook Creation Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-azure-runbook-webhook-created/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-azure-runbook-webhook-created/</guid><description>Detection of a new Azure Automation Runbook Webhook creation, potentially leading to unauthorized access and control over Azure resources by enabling unauthenticated URL triggers.</description><content:encoded><![CDATA[<p>This alert focuses on the creation of new Azure Automation Runbook Webhooks within an Azure tenant. Attackers can exploit these webhooks, which trigger Automation Runbooks through unauthenticated URLs, to execute malicious code, create unauthorized user accounts, or establish persistence within the Azure environment. This activity is detected using Azure Audit events, specifically monitoring for the &quot;Microsoft.Automation/automationAccounts/webhooks/write&quot; operation. This is especially critical as successful exploitation can lead to full control over the Azure resources. Defenders should prioritize monitoring for unexpected or unauthorized webhook creation activities. This detection originated from Splunk's ES-CU detections as of April 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to an Azure account, possibly through compromised credentials or exploiting a vulnerability.</li>
<li>The attacker navigates to the Azure Automation service within the Azure portal.</li>
<li>The attacker attempts to create a new Automation Account if one doesn't exist, or uses an existing one.</li>
<li>The attacker creates a new Runbook designed to execute malicious tasks. This could include adding a new user account with elevated privileges.</li>
<li>The attacker creates a webhook associated with the malicious Runbook. This generates an unauthenticated URL.</li>
<li>The attacker configures the webhook to trigger the Runbook upon accessing the unauthenticated URL.</li>
<li>The attacker tests the webhook URL to ensure the Runbook executes as intended.</li>
<li>The attacker leverages the webhook URL to execute malicious actions within the Azure environment, such as creating new high privileged accounts or modifying existing infrastructure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to gain unauthorized access and control over Azure resources. This can result in data breaches, service disruptions, and further compromise of the environment. If not detected promptly, this can lead to significant financial and reputational damage. This issue impacts any organization using Azure Automation and exposes all data and resources managed within the impacted Azure tenant.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Azure Runbook Webhook Created</code> to your SIEM and tune for your environment to detect the creation of malicious webhooks.</li>
<li>Investigate any detected instances of Azure Runbook Webhook creation, focusing on the user (<code>user</code>) and source IP (<code>src_ip</code>) involved.</li>
<li>Review Azure Activity logs for the &quot;Microsoft.Automation/automationAccounts/webhooks/write&quot; operation.</li>
<li>Monitor network traffic for suspicious connections to newly created webhook URLs (related to the created <code>object</code>).</li>
<li>Implement strict access control policies and multi-factor authentication for all Azure accounts to prevent initial compromise.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>runbook</category><category>webhook</category><category>persistence</category></item><item><title>Azure Automation Runbook Creation for Persistence</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-azure-automation-runbook-creation/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-azure-automation-runbook-creation/</guid><description>This analytic detects the creation of a new Azure Automation Runbook within an Azure tenant using Azure Audit events, which adversaries with privileged access can abuse to maintain persistence, escalate privileges, or execute malicious code, potentially leading to unauthorized actions and compromise of the Azure environment.</description><content:encoded><![CDATA[<p>The creation of Azure Automation Runbooks can be a legitimate administrative task, but it also presents a significant security risk. Threat actors with sufficient privileges can create or modify runbooks to establish persistence, escalate privileges, or execute malicious code within the Azure environment. This activity, if malicious, can lead to significant damage, including the creation of rogue Global Administrators, unauthorized code execution on virtual machines, and ultimately, the compromise of the entire Azure infrastructure. This brief focuses on detecting the creation of these runbooks as a potential indicator of malicious activity and provides guidance on how to identify and respond to such events. The detection logic is based on Azure Audit events.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an Azure tenant, possibly through compromised credentials or exploiting a vulnerability.</li>
<li>The attacker escalates their privileges to a level sufficient to create or modify Azure Automation Runbooks.</li>
<li>The attacker creates a new Azure Automation Account if one does not already exist, or uses an existing one.</li>
<li>The attacker crafts a malicious Runbook containing code designed to perform unauthorized actions. This could involve PowerShell scripts or other supported languages.</li>
<li>The attacker creates the malicious Azure Automation Runbook, triggering an Azure Audit event with <code>operationName.value=&quot;Microsoft.Automation/automationAccounts/runbooks/write&quot;</code>.</li>
<li>The attacker schedules or manually executes the Runbook.</li>
<li>The Runbook executes malicious code, potentially creating new user accounts with elevated privileges or deploying malware to virtual machines.</li>
<li>The attacker achieves persistence by maintaining the Runbook for future unauthorized access or control.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation via malicious Azure Automation Runbook creation can lead to a complete compromise of the Azure environment. Attackers can create new administrative accounts, giving them persistent and unrestricted access. They can execute arbitrary code on virtual machines, potentially leading to data theft, ransomware deployment, or other destructive activities. The impact can range from data breaches and service disruptions to significant financial losses and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Azure Automation Runbook Created</code> to your SIEM to detect suspicious runbook creation activity. Tune the rule based on your environment to minimize false positives.</li>
<li>Investigate any detected instances of Runbook creation, paying close attention to the user involved (<code>user</code> field) and the contents of the Runbook itself.</li>
<li>Monitor Azure Audit logs for unusual or unauthorized activity related to Automation Accounts and Runbooks.</li>
<li>Implement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate the risk of credential compromise.</li>
<li>Review and enforce the principle of least privilege, ensuring that users only have the necessary permissions to perform their tasks.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>persistence</category><category>automation</category><category>cloud</category></item><item><title>Azure Automation Account Creation</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-automation-account-creation/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-automation-account-creation/</guid><description>Detect the creation of new Azure Automation accounts, which can be used by attackers for persistence, privilege escalation, and malicious runbook execution within Azure environments.</description><content:encoded><![CDATA[<p>This brief focuses on detecting the creation of new Azure Automation accounts, a technique used by attackers to establish persistence and execute malicious actions within Azure environments. Azure Automation allows users to automate tasks across Azure and on-premise systems via runbooks. An attacker creating a rogue Automation account with elevated privileges can maintain a foothold in the environment, execute malicious scripts, and potentially gain control over virtual machines and other resources. This detection leverages Azure Audit events (Azure Activity log) to identify such suspicious account creation activity. The risk is significant due to the potential for broad impact and the difficulty in tracing actions back to the attacker-controlled Automation account. The provided Splunk analytic was last updated in version 13 on April 15, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the Azure environment, potentially through compromised credentials or a vulnerability in a web application.</li>
<li>The attacker attempts to create a new Azure Automation account using stolen credentials or through a compromised service principal.</li>
<li>An Azure Audit event is generated with <code>operationName.value=&quot;Microsoft.Automation/automationAccounts/write&quot;</code> and <code>status.value=Succeeded</code>, indicating the successful creation of the account.</li>
<li>The attacker configures the Automation account, assigning it elevated privileges, such as Contributor or Owner roles.</li>
<li>The attacker creates or imports malicious runbooks into the Automation account. These runbooks can contain PowerShell or Python scripts designed to execute malicious tasks.</li>
<li>The attacker leverages the Hybrid Runbook Worker feature to execute runbooks on Azure VMs or on-premise servers, allowing them to move laterally within the environment.</li>
<li>The runbooks execute malicious code, potentially installing backdoors, stealing credentials, or exfiltrating sensitive data.</li>
<li>The attacker maintains persistence by scheduling runbooks to execute regularly, ensuring continued access to the environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to significant damage, including data breaches, system compromise, and financial loss. Attackers can leverage Automation accounts to maintain persistence even after initial compromises are remediated. The scope of impact depends on the privileges assigned to the Automation account, but could potentially affect the entire Azure subscription and connected on-premise resources. This could lead to ransomware deployment, sensitive data exfiltration, or long-term espionage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM and tune for your environment to detect the creation of Azure Automation accounts.</li>
<li>Investigate any detected Automation account creation events, focusing on accounts created by unfamiliar users or service principals.</li>
<li>Monitor Azure Audit logs for suspicious activity associated with newly created Automation accounts, such as runbook creation and execution.</li>
<li>Implement multi-factor authentication (MFA) for all Azure users to reduce the risk of credential compromise.</li>
<li>Review and restrict the permissions assigned to Azure Automation accounts, following the principle of least privilege.</li>
<li>Use Azure Policy to enforce restrictions on Automation account creation and configuration.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>automation</category><category>persistence</category></item><item><title>Azure Automation Webhook Created for Persistence</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-automation-webhook-created/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-automation-webhook-created/</guid><description>Adversaries may create Azure Automation webhooks to trigger malicious runbooks for persistence in cloud environments.</description><content:encoded><![CDATA[<p>This alert identifies the creation of Azure Automation webhooks, which adversaries may abuse to establish persistence within cloud environments. Azure Automation allows users to define and execute runbooks, which are scripts that automate tasks. Webhooks provide a mechanism to trigger these runbooks via HTTP requests. An attacker can create a webhook associated with a malicious runbook, allowing them to execute arbitrary code within the Azure environment whenever the webhook URL is accessed. This poses a significant risk, as it allows attackers to maintain a persistent foothold and potentially escalate their privileges. The detection rule focuses on identifying specific operation names within Azure activity logs related to webhook creation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an Azure account, possibly through compromised credentials or exploiting a vulnerability.</li>
<li>The attacker navigates to the Azure Automation service within the compromised account.</li>
<li>The attacker creates a new runbook or modifies an existing one to include malicious code (e.g., PowerShell script to create a new user, exfiltrate data, or deploy malware).</li>
<li>The attacker creates a new webhook associated with the malicious runbook. The webhook is configured to be triggered by an HTTP request to a unique URL.</li>
<li>The attacker obtains the webhook URL.</li>
<li>The attacker triggers the webhook by sending an HTTP request to the URL, either manually or through an automated process.</li>
<li>The Azure Automation service executes the runbook associated with the webhook.</li>
<li>The malicious code within the runbook executes, achieving the attacker's objective (e.g., persistence, privilege escalation, data exfiltration).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to establish a persistent presence within the Azure environment. This can lead to unauthorized access to sensitive data, deployment of malware, or further compromise of other resources within the cloud infrastructure. While the risk score is low, the long-term impact of persistence can be severe, potentially affecting hundreds or thousands of resources depending on the scope of the compromised Azure account.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Azure Automation Webhook Created&quot; to your SIEM and tune for your environment (rule below).</li>
<li>Review Azure activity logs for unusual webhook creation events, focusing on the <code>azure.activitylogs.operation_name</code> field as indicated in the rule (rule below).</li>
<li>Implement enhanced monitoring and alerting for webhook creation and execution activities to detect similar threats in the future as described in the Overview section.</li>
<li>Enforce multi-factor authentication (MFA) for all accounts with access to Azure Automation as mentioned in the Response and Remediation section.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>azure</category><category>persistence</category><category>cloud</category></item></channel></rss>