Azure Suspicious Automation Staged

Detection overview

Triggers

  • Unusual changes to Runbook publishing permissions.
  • Unexpected publication (staging) of new or modified Runbooks, especially if they contain unusual logic or parameters.
  • Runbooks being published from an unexpected or unauthorized user or service principal.
  • Runbooks are being published (staged) for legitimate business use cases.

Possible Root Causes

  • Compromised Account: An attacker has gained access to an account and is attempting unauthorized modifications.
  • Legitimate Development Activity: A developer is staging a new Runbook as part of a valid development process but with unusual parameters or access levels.
  • Unauthorized Automation: Previously unused automated deployment scripts are publishing Runbooks with malicious intent.
  • Insider Threat: An authorized user is intentionally publishing malicious Runbooks.

Business Impact

  • Exposure of sensitive data through unauthorized access or data leaks.
  • Security vulnerabilities exploited due to misconfigured Runbooks or storage accounts.
  • Unplanned changes to business logic or workflows, potentially disrupting critical services.
  • Potential data breaches, unauthorized access to resources, disruption of critical business services, and reputational damage.

Steps to Verify

  • Review the Azure Activity Logs for the suspicious event, focusing on the user/service principal and the published Runbook.
  • Investigate the user's or service principal's permissions and access levels within Azure Automation.
  • Verify if other security alerts or notifications were triggered around the time of the suspicious event.
  • Inspect the Runbook code for signs of malicious activity, such as code injection or data exfiltration.
  • To view the Runbook:
    • Navigate to the Automation Accounts service in Azure.
    • Identify the Automation Account associated with the Runbook.
    • Locate the Runbooks under the Process Automation tab for the selected Automation Account.
  • Consult with Azure administrators, security teams, and relevant stakeholders to determine the cause and scope of the incident.
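
The first verification step, reviewing Activity Log records for the publish event and the principal behind it, can be scripted so that an analyst sees every publish and permission change at Automation scope at a glance. The block below is an added example, not part of the original detection page or Vectra's own logic. It assumes the Azure Monitor Activity Log export schema (`operationName`, `caller`, `resourceId`, `eventTimestamp`) and the Azure RBAC operation names `Microsoft.Automation/automationAccounts/runbooks/publish/action` and `Microsoft.Authorization/roleAssignments/write`; confirm both against the records in your own tenant before relying on them. The approved-publisher list, business-hours window and sample records are constructed for illustration.

```python
"""Triage Azure Activity Log records for suspicious Runbook publishing.

Added example (not code from the original page). Assumes the Activity Log
export schema and the RBAC operation names named in the constants below;
all sample data is constructed.
"""
from datetime import datetime

# Operation names as they appear in Azure RBAC / Activity Log (assumed; verify in your tenant).
PUBLISH_OP = "Microsoft.Automation/automationAccounts/runbooks/publish/action"
ROLE_ASSIGN_OP = "Microsoft.Authorization/roleAssignments/write"
AUTOMATION_SCOPE = "/providers/Microsoft.Automation/automationAccounts/"

# Constructed: principals that are expected to publish Runbooks (CI/CD service principal, on-call admin).
APPROVED_PUBLISHERS = {"deploy-sp@example.com", "automation-admin@example.com"}

# Constructed sample records in the shape of Activity Log entries.
SAMPLE_EVENTS = [
    {   # routine publish by the CI/CD principal during the working day
        "operationName": PUBLISH_OP, "caller": "deploy-sp@example.com",
        "resourceId": "/subscriptions/0000/resourceGroups/rg-ops" + AUTOMATION_SCOPE + "aa-prod/runbooks/RotateKeys",
        "eventTimestamp": "2024-05-06T10:15:00Z", "status": "Succeeded"},
    {   # publish by a principal outside the approved list, in the middle of the night
        "operationName": PUBLISH_OP, "caller": "jdoe@example.com",
        "resourceId": "/subscriptions/0000/resourceGroups/rg-ops" + AUTOMATION_SCOPE + "aa-prod/runbooks/ExportSecrets",
        "eventTimestamp": "2024-05-06T02:13:44Z", "status": "Succeeded"},
    {   # role assignment written at the Automation Account scope just before that publish
        "operationName": ROLE_ASSIGN_OP, "caller": "jdoe@example.com",
        "resourceId": "/subscriptions/0000/resourceGroups/rg-ops" + AUTOMATION_SCOPE
                      + "aa-prod/providers/Microsoft.Authorization/roleAssignments/11111111-2222-3333-4444-555555555555",
        "eventTimestamp": "2024-05-06T02:10:05Z", "status": "Succeeded"},
    {   # approved principal, but publishing late in the evening
        "operationName": PUBLISH_OP, "caller": "deploy-sp@example.com",
        "resourceId": "/subscriptions/0000/resourceGroups/rg-ops" + AUTOMATION_SCOPE + "aa-prod/runbooks/CleanupVMs",
        "eventTimestamp": "2024-05-06T22:00:00Z", "status": "Succeeded"},
    {   # unrelated storage operation: not at Automation scope, ignored
        "operationName": "Microsoft.Storage/storageAccounts/write", "caller": "jdoe@example.com",
        "resourceId": "/subscriptions/0000/resourceGroups/rg-ops/providers/Microsoft.Storage/storageAccounts/stlogs",
        "eventTimestamp": "2024-05-06T02:20:00Z", "status": "Succeeded"},
]


def parse_timestamp(value: str) -> datetime:
    """Activity Log timestamps are ISO 8601 with a trailing 'Z'; return a UTC-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(events, approved_publishers, business_hours=(8, 18)):
    """Return one finding per record that needs analyst attention.

    A publish is flagged when the caller is not an approved publisher or the
    event falls outside business hours (UTC). Any role assignment written at
    Automation Account scope is flagged, because it can grant publish rights.
    """
    start_hour, end_hour = business_hours
    findings = []
    for ev in events:
        resource = ev.get("resourceId", "")
        if AUTOMATION_SCOPE not in resource:
            continue  # only events at Automation scope matter for this detection
        op = ev.get("operationName", "")
        caller = ev.get("caller", "<unknown>")
        ts = parse_timestamp(ev["eventTimestamp"])
        reasons = []
        if op == PUBLISH_OP:
            if caller not in approved_publishers:
                reasons.append("publish by principal outside the approved list")
            if not (start_hour <= ts.hour < end_hour):
                reasons.append("publish outside business hours")
        elif op == ROLE_ASSIGN_OP:
            reasons.append("role assignment changed at Automation Account scope")
        if reasons:
            findings.append({
                "time": ts.isoformat(),
                "caller": caller,
                "operation": op,
                "target": resource.rsplit("/", 1)[-1],  # Runbook name or role-assignment id
                "status": ev.get("status", "<unknown>"),
                "reasons": reasons,
            })
    # Oldest first, so a permission change shows up before the publish it enabled.
    findings.sort(key=lambda f: f["time"])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, APPROVED_PUBLISHERS):
        print(f"{f['time']} {f['caller']:<28} {f['target']:<40} {'; '.join(f['reasons'])}")
```

Run against a real export (for example the JSON produced by `az monitor activity-log list`), the same function narrows a day of records to the handful an analyst must open in the portal, where the Runbook's published content can then be inspected under the Automation Account's Process Automation tab as the steps above describe.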