Azure Automation webhook created
Description
AlphaSOC detected the creation of an Azure Automation webhook. A webhook is a URL bound to a single runbook: an HTTP POST to that URL starts the runbook, and the only credential involved is a secret token embedded in the URL, which Azure shows once at creation time and cannot retrieve afterwards. No Azure sign-in, Conditional Access policy or MFA applies to the caller, and the runbook executes with whatever permissions the Automation account's identity holds. Adversaries may create webhooks to obtain remote code execution or a covert command-and-control channel through the Azure Automation service.
Impact
A malicious webhook gives an attacker a persistent way to run code in the Azure environment from anywhere on the internet. Because the URL token is the only credential, the backdoor survives password resets, session revocation and MFA enforcement on the compromised account, and the runbook runs with the Automation account's own permissions rather than the attacker's. Depending on those permissions this can enable data exfiltration, resource manipulation or further compromise of the cloud environment, and a runbook targeted at a Hybrid Runbook Worker extends that reach to on-premises hosts.
Severity
| Severity | Condition |
|---|---|
| Informational | Azure Automation webhook created |
Investigation and Remediation
Review the newly created webhook and its associated runbook. The event is recorded in the Azure Activity Log under the operation Microsoft.Automation/automationAccounts/webhooks/write; use the caller of that event to identify who created the webhook and confirm with that person or team that the action was legitimate. Check the webhook's expiry time, whether it has already been invoked, and whether the runbook was created or modified at the same time. Read the published runbook source rather than relying on its name or description, and review the jobs it has executed since the webhook was created. If unauthorized, delete the webhook immediately: the URL token cannot be rotated or retrieved, so deletion is the only way to revoke it. Then review that runbook and any others changed by the same principal for malicious content, check what the Automation account's identity is permitted to reach, and investigate the creator's recent activity for signs of account compromise.
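The triage steps above, as an added PowerShell example that is not part of this page or of AlphaSOC's tooling. It uses the Az.Automation module to list every webhook in one Automation account, export the published source of the runbook each one triggers, and flag strings that warrant a closer read; it can also delete webhooks the investigation has judged unauthorized. The resource names, the export folder and the indicator list are assumptions for illustration.

```powershell
# Added example (not AlphaSOC's code). Requires the Az.Automation module and an
# authenticated session (Connect-AzAccount). Resource names are placeholders.
function Invoke-WebhookTriage {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $AutomationAccountName,
        # Names of webhooks already judged unauthorized; honoured only with -Confirm / -WhatIf semantics
        [string[]] $RemoveWebhook = @(),
        [string] $ExportFolder = (Join-Path $env:TEMP 'runbook-triage')
    )

    # Assumed, non-exhaustive list of strings that justify reading the runbook line by line
    $indicators = @(
        'Invoke-Expression', 'IEX', 'FromBase64String', 'Invoke-WebRequest', 'Invoke-RestMethod',
        'Get-AzAccessToken', 'Get-AzKeyVaultSecret', 'Set-AzKeyVaultSecret',
        'New-AzRoleAssignment', 'New-AzADServicePrincipal', 'New-AzADAppCredential'
    )
    New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null

    $webhooks = Get-AzAutomationWebhook -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName

    foreach ($wh in $webhooks) {
        $runbook = Get-AzAutomationRunbook -ResourceGroupName $ResourceGroupName `
            -AutomationAccountName $AutomationAccountName -Name $wh.RunbookName

        # Export the published body so the reviewer reads the code, not the runbook's description
        Export-AzAutomationRunbook -ResourceGroupName $ResourceGroupName `
            -AutomationAccountName $AutomationAccountName -Name $wh.RunbookName `
            -Slot Published -OutputFolder $ExportFolder -Force | Out-Null
        $source = Get-ChildItem -Path $ExportFolder -Filter "$($wh.RunbookName).*" | Get-Content -Raw
        $hits = $indicators | Where-Object { $source -match [regex]::Escape($_) }

        [pscustomobject]@{
            Webhook         = $wh.Name
            Runbook         = $wh.RunbookName
            RunbookType     = $runbook.RunbookType
            RunbookEditedBy = $runbook.LastModifiedBy
            Enabled         = $wh.IsEnabled
            Created         = $wh.CreationTime
            Expires         = $wh.ExpiryTime
            LastInvoked     = $wh.LastInvokedTime
            # A webhook valid for more than a year is a persistence candidate
            LongLived       = ($wh.ExpiryTime -gt (Get-Date).AddYears(1))
            Indicators      = ($hits -join ', ')
        }

        if ($RemoveWebhook -contains $wh.Name -and
            $PSCmdlet.ShouldProcess($wh.Name, 'Remove-AzAutomationWebhook')) {
            # The URL token cannot be recovered or rotated, so deletion is the only revocation
            Remove-AzAutomationWebhook -ResourceGroupName $ResourceGroupName `
                -AutomationAccountName $AutomationAccountName -Name $wh.Name
        }
    }
}

# Usage (placeholder names): list and score, then dry-run the removal of one webhook
# Invoke-WebhookTriage -ResourceGroupName 'rg-prod' -AutomationAccountName 'aa-prod' | Format-Table
# Invoke-WebhookTriage -ResourceGroupName 'rg-prod' -AutomationAccountName 'aa-prod' `
#     -RemoveWebhook 'wh-suspicious' -WhatIf
```

The function deliberately does not touch the runbook itself: if the runbook is legitimate but the webhook is not, deleting the webhook is the whole remediation, and removing or rewriting the runbook destroys evidence an investigator still needs. Run with -WhatIf first so that the removal step only reports what it would delete.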
Known False Positives
- Integration with CI/CD pipelines that trigger automation workflows
- Third-party monitoring or management tools
- Legitimate external services that interact with Azure Automation