
Unexpected Azure API calls indicating Automation account deletion

ID: azure_automation_account_deleted_anomaly
Data type: Azure Activity
Severity: Low - Medium
MITRE ATT&CK: TA0005:T1070

Description

AlphaSOC detected deletion of an Azure Automation account. Automation accounts contain runbooks, schedules, and webhooks that automate operational tasks. Adversaries may delete automation accounts to remove evidence of malicious runbooks, disrupt automation workflows, or cover their tracks after establishing persistence.

Impact

Deleting an automation account removes all associated runbooks, schedules, and configuration, potentially disrupting critical automation workflows. This can also eliminate evidence of attacker activity if malicious runbooks were created. Recovery may be difficult without proper backups.

Severity

Severity   Condition
Low        Unexpected action or ASN
Medium     Unexpected action and ASN

Investigation and Remediation

Review Azure Activity logs for the Microsoft.Automation/automationAccounts/delete action. Identify the deleted account and the principal responsible. Check backup history to understand what runbooks and configurations were contained in the account.

If unauthorized, restore the automation account from backup if available. Review other automation accounts for suspicious runbooks that may indicate attacker activity. Rotate credentials for the compromised identity and audit RBAC assignments to restrict automation account deletion permissions.
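The following is an added example, not AlphaSOC's detection code, showing how the investigation step above (find Microsoft.Automation/automationAccounts/delete events, identify the deleted account and the responsible principal) can be combined with the severity table (unexpected action or ASN gives Low, both give Medium). The activity log records, the ASN prefix table, the per-principal baseline and all subscription IDs, IPs and principal names are constructed for the example; the record field names are a simplified form of the Azure Activity log export, so adapt them to your own export shape.

```python
"""Score Azure Automation account deletions against a per-principal baseline.

Added example (not AlphaSOC's own code). Field names such as "operationName",
"resultType", "caller", "callerIpAddress" and "resourceId" are assumptions
based on a simplified Azure Activity log export.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

DELETE_OP = "Microsoft.Automation/automationAccounts/delete"
WRITE_OP = "Microsoft.Automation/automationAccounts/write"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ops"

# Constructed sample Activity log records (hypothetical values).
SAMPLE_ACTIVITY_LOG = [
    {   # routine delete by an admin whose baseline already includes deletes
        "time": "2024-05-01T09:12:44Z", "operationName": DELETE_OP, "resultType": "Success",
        "caller": "ops-admin@example.com", "callerIpAddress": "203.0.113.7",
        "resourceId": f"{SUB}/providers/Microsoft.Automation/automationAccounts/aa-nightly-jobs",
    },
    {   # a deployment identity deleting an account from an ASN it has never used
        "time": "2024-05-01T22:41:03Z", "operationName": DELETE_OP, "resultType": "Success",
        "caller": "svc-deploy@example.com", "callerIpAddress": "198.51.100.20",
        "resourceId": f"{SUB}/providers/Microsoft.Automation/automationAccounts/aa-patching",
    },
    {   # same identity, familiar ASN, but deleting is still not a baseline action
        "time": "2024-05-02T08:03:19Z", "operationName": DELETE_OP, "resultType": "Success",
        "caller": "svc-deploy@example.com", "callerIpAddress": "203.0.113.50",
        "resourceId": f"{SUB}/providers/Microsoft.Automation/automationAccounts/aa-legacy",
    },
    {   # a delete that failed: nothing was removed, so it is not scored here
        "time": "2024-05-02T08:05:00Z", "operationName": DELETE_OP, "resultType": "Failure",
        "caller": "svc-deploy@example.com", "callerIpAddress": "203.0.113.50",
        "resourceId": f"{SUB}/providers/Microsoft.Automation/automationAccounts/aa-legacy",
    },
    {   # unrelated write operation: ignored by this rule
        "time": "2024-05-02T10:00:00Z", "operationName": WRITE_OP, "resultType": "Success",
        "caller": "ops-admin@example.com", "callerIpAddress": "203.0.113.7",
        "resourceId": f"{SUB}/providers/Microsoft.Automation/automationAccounts/aa-nightly-jobs",
    },
]

# Constructed stand-in for an IP-to-ASN database (RFC 5737 documentation ranges).
ASN_BY_PREFIX = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
    ipaddress.ip_network("192.0.2.0/24"): 64502,
}

# Constructed baseline: operations and source ASNs each principal used in prior weeks.
BASELINE = {
    "ops-admin@example.com": {"actions": {DELETE_OP, WRITE_OP}, "asns": {64500}},
    "svc-deploy@example.com": {"actions": {WRITE_OP}, "asns": {64500}},
}


def lookup_asn(ip: Optional[str]) -> Optional[int]:
    """Map a caller IP to an ASN using the constructed prefix table."""
    if not ip:
        return None
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_BY_PREFIX.items():
        if addr in net:
            return asn
    return None


def severity_for(unexpected_action: bool, unexpected_asn: bool) -> Optional[str]:
    """Mirror the rule's severity table: one condition -> Low, both -> Medium."""
    if unexpected_action and unexpected_asn:
        return "Medium"
    if unexpected_action or unexpected_asn:
        return "Low"
    return None


def account_name(resource_id: str) -> str:
    """The automation account name is the last segment of the ARM resource ID."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def analyze_deletions(records: List[Dict], baseline: Dict[str, Dict],
                      asn_lookup: Callable[[Optional[str]], Optional[int]] = lookup_asn) -> List[Dict]:
    """Return one finding per completed deletion that deviates from the principal's baseline."""
    findings = []
    for rec in records:
        if rec.get("operationName") != DELETE_OP or rec.get("resultType") != "Success":
            continue
        principal = rec.get("caller", "<unknown>")
        asn = asn_lookup(rec.get("callerIpAddress"))
        # An unseen principal has an empty baseline, so both conditions fire.
        known = baseline.get(principal, {"actions": set(), "asns": set()})
        unexpected_action = DELETE_OP not in known["actions"]
        unexpected_asn = asn not in known["asns"]
        severity = severity_for(unexpected_action, unexpected_asn)
        if severity is None:
            continue
        findings.append({
            "time": rec.get("time"), "principal": principal,
            "account": account_name(rec["resourceId"]), "asn": asn,
            "unexpected_action": unexpected_action, "unexpected_asn": unexpected_asn,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in analyze_deletions(SAMPLE_ACTIVITY_LOG, BASELINE):
        print(f"{f['severity']:6} {f['time']} {f['principal']} deleted {f['account']} from AS{f['asn']}")
```

Run against the constructed records, the ops-admin deletion is suppressed (both the action and the ASN are in its baseline), the svc-deploy deletion from the unfamiliar ASN scores Medium, and the second svc-deploy deletion scores Low because only the action is unexpected. Each finding carries the principal and account name needed for the backup and RBAC review described above.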

Known False Positives

  • Planned decommissioning of automation resources
  • Resource cleanup in development environments
  • Migration to new automation infrastructure