Azure API calls indicating Automation runbook deletion
Description
AlphaSOC detected deletion of an Azure Automation runbook via the
Microsoft.Automation/automationAccounts/runbooks/delete action. Runbooks are
scripts that automate tasks within Azure environments, often containing logic
for infrastructure management, deployments, or operational workflows.
Deleting runbooks may indicate an attacker covering their tracks after using automation for malicious purposes, or an attempt to disrupt operational processes. Adversaries who have executed code via runbooks often delete them afterward to remove evidence of their activities.
Impact
Runbook deletion can impair forensic investigations by removing artifacts that show what code was executed in the environment. It may also disrupt legitimate automation workflows, causing operational issues. If runbooks contained embedded credentials or sensitive logic, deletion prevents security review of potentially compromised automation.
Severity
| Severity | Condition |
|---|---|
| Low | One unexpected property: the action is unexpected for this principal, or the source ASN is unexpected |
| Medium | Two unexpected properties at the same time (for example, an unexpected action from an unexpected ASN) |
Investigation and Remediation
Review the Azure Activity log for the Microsoft.Automation/automationAccounts/runbooks/delete event to identify the deleted runbook (from the resourceId), the principal that issued it, and the source IP and ASN. Check whether the same principal started runbook jobs in the hours before the deletion, which may indicate the runbook was used for malicious purposes and then removed. Examine the principal's other activity against the Automation account (runbook creation or publishing, changes to credential, variable or connection assets, webhook creation) for further signs of abuse.
If the deletion was unauthorized, rotate credentials for the affected identity and for any Automation credential assets the runbook could read, review the permissions of the identity the runbook ran under, and review what the deleted runbook may have had access to. Consider enabling diagnostic settings on the Automation account (the JobLogs and JobStreams categories) so that runbook execution history and output are retained in Log Analytics independently of the runbook itself, and use RBAC to restrict the Microsoft.Automation/automationAccounts/runbooks/delete action to a small set of principals.
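As an added example (not AlphaSOC's detection code), the triage described above and the severity table can be run over Activity log records: find successful runbook deletions, pull the account, runbook and principal from the resourceId, count runbook jobs the same principal started on that account in a lookback window, and score the event by how many properties are unexpected. The records are constructed, the `callerAsn` field is an assumed enrichment added by an upstream IP-to-ASN lookup, and `Microsoft.Automation/automationAccounts/jobs/write` is used as a proxy for "a runbook was run" by that principal.

```python
"""Triage of Azure Activity log records for Automation runbook deletion.

Constructed example: the records below are made up, not real log data.
"""
from datetime import datetime, timedelta, timezone

DELETE_OP = "Microsoft.Automation/automationAccounts/runbooks/delete"
JOB_OP = "Microsoft.Automation/automationAccounts/jobs/write"  # assumed proxy for "runbook was run"

# Field names follow the Activity log export schema; "callerAsn" is an assumed
# enrichment field, not something Azure emits itself.
ACCT = "/subscriptions/sub1/resourceGroups/rg-ops/providers/Microsoft.Automation/automationAccounts/"
SAMPLE_RECORDS = [
    {"eventTimestamp": "2024-05-01T09:55:00Z", "operationName": JOB_OP,
     "caller": "svc-deploy@example.com", "callerIpAddress": "203.0.113.9",
     "callerAsn": 64496, "status": "Succeeded",
     "resourceId": ACCT + "auto-prod/jobs/9c1d0a7e"},
    {"eventTimestamp": "2024-05-01T10:05:00Z", "operationName": JOB_OP,
     "caller": "svc-deploy@example.com", "callerIpAddress": "203.0.113.9",
     "callerAsn": 64496, "status": "Succeeded",
     "resourceId": ACCT + "auto-prod/jobs/5b77e2c1"},
    {"eventTimestamp": "2024-05-01T10:30:00Z", "operationName": DELETE_OP,
     "caller": "svc-deploy@example.com", "callerIpAddress": "203.0.113.9",
     "callerAsn": 64496, "status": "Succeeded",
     "resourceId": ACCT + "auto-prod/runbooks/Invoke-Collect"},
    {"eventTimestamp": "2024-05-01T10:31:00Z", "operationName": DELETE_OP,
     "caller": "svc-deploy@example.com", "callerIpAddress": "203.0.113.9",
     "callerAsn": 64496, "status": "Failed",  # failed attempt: not counted
     "resourceId": ACCT + "auto-prod/runbooks/Invoke-Collect"},
    {"eventTimestamp": "2024-05-02T11:00:00Z", "operationName": DELETE_OP,
     "caller": "admin@example.com", "callerIpAddress": "198.51.100.7",
     "callerAsn": 64500, "status": "Succeeded",
     "resourceId": ACCT + "auto-dev/runbooks/Old-Cleanup"},
]


def parse_ts(value):
    """Parse the Activity log UTC timestamp format used in the samples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_resource(resource_id):
    """Return (automation account, child kind, child name) from a resourceId."""
    parts = resource_id.split("/")
    try:
        i = parts.index("automationAccounts")
    except ValueError:
        return None, None, None
    account = parts[i + 1] if len(parts) > i + 1 else None
    kind = parts[i + 2] if len(parts) > i + 2 else None
    name = parts[i + 3] if len(parts) > i + 3 else None
    return account, kind, name


def find_runbook_deletions(records, lookback=timedelta(hours=24)):
    """Return successful runbook deletions, each with the number of jobs the
    same caller started on the same account within `lookback` before it."""
    recs = sorted(records, key=lambda r: r["eventTimestamp"])
    events = []
    for r in recs:
        if r["operationName"] != DELETE_OP or r.get("status") != "Succeeded":
            continue
        account, _, runbook = parse_resource(r["resourceId"])
        when = parse_ts(r["eventTimestamp"])
        prior_jobs = sum(
            1 for j in recs
            if j["operationName"] == JOB_OP
            and j["caller"] == r["caller"]
            and parse_resource(j["resourceId"])[0] == account
            and when - lookback <= parse_ts(j["eventTimestamp"]) < when
        )
        events.append({"time": when, "account": account, "runbook": runbook,
                       "caller": r["caller"], "ip": r["callerIpAddress"],
                       "asn": r["callerAsn"], "prior_jobs": prior_jobs})
    return events


def severity(event, expected_deleters, expected_asns):
    """Apply the severity table: one unexpected property -> Low, two -> Medium,
    none -> (None, []) meaning no alert is raised."""
    unexpected = []
    if event["caller"] not in expected_deleters:
        unexpected.append("action")  # this principal is not expected to delete runbooks
    if event["asn"] not in expected_asns:
        unexpected.append("asn")
    if len(unexpected) >= 2:
        return "Medium", unexpected
    if unexpected:
        return "Low", unexpected
    return None, unexpected


if __name__ == "__main__":
    for ev in find_runbook_deletions(SAMPLE_RECORDS):
        level, why = severity(ev, {"admin@example.com"}, {64500})
        print(f"{ev['time']:%Y-%m-%d %H:%M} {ev['account']}/{ev['runbook']} by "
              f"{ev['caller']} from AS{ev['asn']}: prior jobs={ev['prior_jobs']} "
              f"severity={level} ({', '.join(why) or 'expected'})")
```

With the constructed records, the `svc-deploy` deletion of `Invoke-Collect` scores Medium (unexpected principal from an unexpected ASN) and shows two jobs started by the same principal in the preceding hour, which is exactly the "run then delete" pattern to investigate; the `admin` cleanup in `auto-dev` produces no alert. In a real pipeline the expected-deleter and expected-ASN sets would come from a baseline of prior activity rather than hard-coded values.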
Known False Positives
- Cleanup of deprecated or unused automation scripts
- Migration to different automation solutions