Azure Automation account created
Description
AlphaSOC detected the creation of a new Azure Automation Account. An Automation Account hosts PowerShell and Python runbooks that run in Azure-managed sandboxes or on Hybrid Runbook Workers (Azure or on-premises machines), triggered by schedules, webhooks, or direct start requests. An adversary with rights to create one gains a place to execute arbitrary code in the cloud environment, on a schedule or on demand, with whatever permissions are granted to the account's managed identity, which provides both persistence and remote command execution.
Impact
A malicious Automation Account can execute code across Azure resources, establish a persistent backdoor that survives the loss of the attacker's original access, and automate post-compromise activity such as credential collection or resource deployment. Runbooks in the account reach resources through the account's system-assigned or user-assigned managed identity and through credential, certificate, and variable assets stored in the account; if that identity holds a broad role such as Contributor at subscription scope, a single runbook can change anything in the subscription. A webhook attached to a runbook is authenticated only by its URL, so it gives the attacker an unauthenticated remote trigger from outside the tenant.
Severity
| Severity | Condition |
|---|---|
| Informational | Azure Automation account created |
Investigation and Remediation
Review the new Automation Account and verify that the caller recorded in the Azure Activity Log for the `Microsoft.Automation/automationAccounts/write` operation is a user or service principal expected to deploy automation. Enumerate the account's runbooks (including unpublished drafts and their source), webhooks, schedules, Hybrid Runbook Worker groups, and credential, certificate, and variable assets, and look for follow-on writes to these child resources shortly after creation, since an empty account does nothing until a runbook and a trigger are added. Note that a webhook's URL is shown only at creation time, so a webhook you did not create cannot be audited for who holds its URL and should be treated as an open remote trigger. Check the role assignments held by the account's system-assigned or user-assigned managed identity. If the account is unauthorized, delete it (which also removes its runbooks, webhooks, and system-assigned identity), remove role assignments from any user-assigned identity it used, and review the creator's recent sign-ins and Activity Log entries for signs of compromise.
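The triage described above can be scripted against an Activity Log export. The following is an added example written for this page, not AlphaSOC's detection code or Microsoft tooling: it replays a small set of constructed Activity Log events, picks out successful account creations (distinguishing a create from an update by the HTTP 201 recorded in `subStatus`), and collects the runbook, webhook, credential, and schedule writes made to that account within a window so the analyst can see whether the new account was wired up to run code. The `KNOWN_AUTOMATION_CALLERS` allowlist, the `contoso.example` principals, and the account names are assumptions for illustration.

```python
"""Triage helper for an "Azure Automation account created" alert.

Added example, not AlphaSOC's or Microsoft's code. Event field shape follows
the Azure Activity Log schema (operationName.value, status.value,
subStatus.value, caller, resourceId, eventTimestamp); the events themselves
are constructed for this example.
"""
from datetime import datetime, timedelta

ACCOUNT_WRITE = "Microsoft.Automation/automationAccounts/write"
# Child-resource writes that turn an empty account into something that runs code.
FOLLOW_ON_OPS = {
    "Microsoft.Automation/automationAccounts/runbooks/write": "runbook",
    "Microsoft.Automation/automationAccounts/webhooks/write": "webhook",
    "Microsoft.Automation/automationAccounts/credentials/write": "credential",
    "Microsoft.Automation/automationAccounts/schedules/write": "schedule",
}
# Hypothetical allowlist: principals this tenant expects to deploy automation.
KNOWN_AUTOMATION_CALLERS = {"devops-pipeline-sp@contoso.example"}


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def account_id(resource_id):
    """Normalise an account or any of its child resource IDs to the account ID."""
    parts = resource_id.split("/")
    if "automationAccounts" not in parts:
        return None
    idx = parts.index("automationAccounts")
    return "/".join(parts[: idx + 2]).lower()


def is_account_creation(ev):
    # ARM logs a PUT on an existing account under the same operation name;
    # the HTTP 201 ("Created") in subStatus separates a create from an update.
    # Every ARM write logs a Started event before Succeeded, hence the status check.
    return (ev["operationName"]["value"] == ACCOUNT_WRITE
            and ev["status"]["value"] == "Succeeded"
            and ev.get("subStatus", {}).get("value") == "Created")


def triage(events, window=timedelta(hours=1)):
    """Return one finding per account creation, with follow-on writes in the window."""
    findings = []
    for ev in events:
        if not is_account_creation(ev):
            continue
        account = account_id(ev["resourceId"])
        created = parse_ts(ev["eventTimestamp"])
        follow_on = sorted(
            FOLLOW_ON_OPS[o["operationName"]["value"]]
            for o in events
            if o["operationName"]["value"] in FOLLOW_ON_OPS
            and o["status"]["value"] == "Succeeded"
            and account_id(o["resourceId"]) == account
            and created <= parse_ts(o["eventTimestamp"]) <= created + window
        )
        caller = ev["caller"]
        if caller in KNOWN_AUTOMATION_CALLERS:
            priority = "expected"
        elif "webhook" in follow_on or "credential" in follow_on:
            # Unknown creator plus a remote trigger or stored secret: escalate.
            priority = "investigate"
        else:
            priority = "review"
        findings.append({"account": account, "caller": caller, "created_at": created,
                         "follow_on": follow_on, "priority": priority})
    return findings


def _ev(op, status, caller, resource, ts, sub=None):
    ev = {"operationName": {"value": op}, "status": {"value": status},
          "caller": caller, "resourceId": resource, "eventTimestamp": ts}
    if sub is not None:
        ev["subStatus"] = {"value": sub}
    return ev


_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ops"
_AA2 = _SUB + "/providers/Microsoft.Automation/automationAccounts/aa-ops2"
_AAB = _SUB + "/providers/Microsoft.Automation/automationAccounts/aa-build"

# Constructed sample: an unexpected creator wires up a runbook and webhook within
# minutes; a known pipeline principal creates an account with only a runbook.
SAMPLE_EVENTS = [
    _ev(ACCOUNT_WRITE, "Started", "jdoe@contoso.example", _AA2, "2024-05-01T09:00:00Z"),
    _ev(ACCOUNT_WRITE, "Succeeded", "jdoe@contoso.example", _AA2, "2024-05-01T09:00:05Z", "Created"),
    _ev("Microsoft.Automation/automationAccounts/runbooks/write", "Succeeded",
        "jdoe@contoso.example", _AA2 + "/runbooks/Invoke-Maint", "2024-05-01T09:04:00Z", "Created"),
    _ev("Microsoft.Automation/automationAccounts/webhooks/write", "Succeeded",
        "jdoe@contoso.example", _AA2 + "/webhooks/wh1", "2024-05-01T09:06:00Z", "Created"),
    # Update of the existing account (HTTP 200): must not count as a second creation.
    _ev(ACCOUNT_WRITE, "Succeeded", "jdoe@contoso.example", _AA2, "2024-05-01T09:10:00Z", "OK"),
    _ev(ACCOUNT_WRITE, "Succeeded", "devops-pipeline-sp@contoso.example", _AAB,
        "2024-05-01T10:00:00Z", "Created"),
    _ev("Microsoft.Automation/automationAccounts/runbooks/write", "Succeeded",
        "devops-pipeline-sp@contoso.example", _AAB + "/runbooks/Build", "2024-05-01T10:02:00Z", "Created"),
    # Outside the one-hour window: not attributed to the creation.
    _ev("Microsoft.Automation/automationAccounts/runbooks/write", "Succeeded",
        "devops-pipeline-sp@contoso.example", _AAB + "/runbooks/Late", "2024-05-01T13:00:00Z", "Created"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["priority"], f["caller"], f["account"].rsplit("/", 1)[-1], f["follow_on"])
```

The window and the escalation rule are deliberately simple; in practice the same join is run in a SIEM against the subscription's full Activity Log, and the "expected" bucket is what the false-positive sources listed below normally land in.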
Known False Positives
- Legitimate infrastructure automation and DevOps activities
- IT teams setting up scheduled maintenance tasks
- Third-party management tools deploying automation resources