Query Details
// Hunt : Hunt - Azure Automation Runbook Create, Modify, Publish History (90d)
// Tactics : Execution,Persistence
// MITRE : T1059.009
// Purpose : Full history of Automation Account object changes. Use to identify newly created runbooks, unexpected content changes, and newly added webhooks (used for C2 callbacks). Correlate Caller with Rule-05 first-time-caller alerts.
//==========================================================================================
AzureActivity
| where TimeGenerated > ago(90d)
| where OperationNameValue has "AUTOMATION"
| where OperationNameValue has_any ("RUNBOOKS", "WEBHOOKS", "SCHEDULES", "VARIABLES", "MODULES")
| where ActivityStatusValue =~ "Success"
| project TimeGenerated, Caller, Operation = OperationNameValue, ResourceName = tostring(split(ResourceId, "/")[-1]), ResourceId, CallerIpAddress, ResourceGroup, SubscriptionId
| order by TimeGenerated desc

This KQL (Kusto Query Language) query is designed to track changes in Azure Automation Accounts over the past 90 days. Here's a simplified breakdown:
Data Source: The query runs against the AzureActivity table, which holds the Azure Activity Log: control-plane (Azure Resource Manager) operations such as creating, updating, deleting or acting on a resource.
Time Frame: It keeps only records from the last 90 days (ago(90d)).
Focus on Automation: It keeps operations whose name contains the term "AUTOMATION". Operation names in this table look like MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE, and has matches a whole term case-insensitively, not an arbitrary substring.
Specific Operations: has_any then narrows to operations on "RUNBOOKS", "WEBHOOKS", "SCHEDULES", "VARIABLES" or "MODULES", the Automation sub-resources an attacker would create or modify to run code or stage configuration. Because the match is on the resource segment rather than the verb, the query returns writes, deletes and actions alike (runbook publish is an ACTION operation), which is what a full change history should include.
Successful Operations: It keeps only records whose status is "Success". The Activity Log emits separate Start and Success/Failure records for a write, so this keeps one row per completed change and drops attempts that failed, for example on authorization. Failed attempts are worth their own hunt rather than being mixed into this history.
Data Projection: The query selects these fields to display:
TimeGenerated: When the activity occurred.
Caller: The identity (user, service principal or managed identity) that initiated the activity.
Operation: The operation performed (OperationNameValue).
ResourceName: The last path segment of ResourceId. For an operation on a runbook or webhook this is its name; if an operation targets a child path beneath the resource, the last segment is that child rather than the runbook name, which is why the full ResourceId is kept alongside it.
ResourceId: The full ARM identifier of the resource.
CallerIpAddress: The IP address of the caller.
ResourceGroup: The resource group containing the resource.
SubscriptionId: The subscription under which the activity took place.
Ordering: The results are sorted by TimeGenerated in descending order, so the most recent changes appear first.
The purpose of this query is to provide a full history of changes to Automation Account objects, so that new runbooks, unexpected content changes and newly added webhooks stand out. A webhook gives a runbook a trigger URL whose only secret is the token embedded in the URL, so anyone holding it can start the runbook from outside the tenant; that is why the header flags new webhooks as a C2 callback vector. Correlate Caller (and CallerIpAddress) with the Rule-05 first-time-caller alerts named in the header to flag identities that have never touched Automation before.
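To show how each stage of the query behaves on concrete records, here is an added Python emulation of the filter logic (example code written for this page, not the author's rule set and not Microsoft's API). It assumes a fixed reference time in place of now(), constructed AzureActivity rows carrying only the columns the query uses, and an approximation of KQL's has as a whole-term, case-insensitive match. The first_seen_by_caller helper goes beyond the query on the page to show the per-caller pivot used when correlating with first-time-caller alerts.

```python
"""Emulation of the hunt's filter logic over constructed AzureActivity rows.

Added example, not part of the original page or the author's rule set. It
mirrors each stage of the KQL query in plain Python so the semantics of
`has`, the status filter and the ResourceName extraction can be checked
offline. All rows below are constructed test data, not real tenant activity.
"""
from datetime import datetime, timedelta, timezone
import re

# Assumed reference time standing in for now() in ago(90d) (constructed).
NOW = datetime(2026, 3, 12, tzinfo=timezone.utc)
SUB = "00000000-0000-0000-0000-000000000001"  # constructed subscription id
ACCT = (f"/subscriptions/{SUB}/resourceGroups/rg-ops/providers/"
        "Microsoft.Automation/automationAccounts/aa-prod")


def _row(days_ago, caller, op, status, resource_id, ip="203.0.113.10"):
    """Build one constructed AzureActivity row with only the columns the query uses."""
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "Caller": caller,
        "OperationNameValue": op,
        "ActivityStatusValue": status,
        "ResourceId": resource_id,
        "CallerIpAddress": ip,
        "ResourceGroup": "rg-ops",
        "SubscriptionId": SUB,
    }


SAMPLE_ROWS = [
    # Kept: successful runbook write inside the window.
    _row(1, "alice@contoso.example", "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE",
         "Success", f"{ACCT}/runbooks/Invoke-Cleanup"),
    # Dropped: the Start record the Activity Log emits before the Success/Failure record.
    _row(1, "alice@contoso.example", "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE",
         "Start", f"{ACCT}/runbooks/Invoke-Cleanup"),
    # Kept: publish is an ACTION operation but still carries the RUNBOOKS term.
    _row(2, "bob@contoso.example", "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION",
         "Success", f"{ACCT}/runbooks/Invoke-Cleanup"),
    # Kept: new webhook, the externally triggerable case the hunt calls out.
    _row(5, "svc-deploy@contoso.example", "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE",
         "Success", f"{ACCT}/webhooks/wh-ci-trigger", ip="198.51.100.7"),
    # Dropped: failed attempt (ActivityStatusValue is not Success).
    _row(3, "mallory@contoso.example", "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE",
         "Failure", f"{ACCT}/webhooks/wh-evil"),
    # Dropped: outside the 90-day window.
    _row(120, "alice@contoso.example", "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE",
         "Success", f"{ACCT}/runbooks/Old-Runbook"),
    # Dropped: account-level write; has AUTOMATION but none of the sub-resource terms.
    _row(4, "alice@contoso.example", "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE",
         "Success", ACCT),
    # Dropped: unrelated resource provider.
    _row(4, "alice@contoso.example", "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
         "Success", f"/subscriptions/{SUB}/resourceGroups/rg-ops/providers/"
                    "Microsoft.Compute/virtualMachines/vm1"),
]

SUBRESOURCE_TERMS = ("RUNBOOKS", "WEBHOOKS", "SCHEDULES", "VARIABLES", "MODULES")


def kql_has(value, term):
    """Approximate KQL `has`: case-insensitive match on a whole alphanumeric term,
    not a substring (so 'AUTOMATIONACC' does not match 'AUTOMATIONACCOUNTS')."""
    tokens = {t.upper() for t in re.findall(r"[A-Za-z0-9]+", value)}
    return term.upper() in tokens


def hunt_automation_changes(rows, now=NOW, window_days=90):
    """Apply the query's where/project/order stages; returns projected rows, newest first."""
    cutoff = now - timedelta(days=window_days)
    kept = [
        r for r in rows
        if r["TimeGenerated"] > cutoff                                   # ago(90d)
        and kql_has(r["OperationNameValue"], "AUTOMATION")               # has "AUTOMATION"
        and any(kql_has(r["OperationNameValue"], t) for t in SUBRESOURCE_TERMS)  # has_any
        and r["ActivityStatusValue"].lower() == "success"                # =~ is case-insensitive
    ]
    projected = [{
        "TimeGenerated": r["TimeGenerated"],
        "Caller": r["Caller"],
        "Operation": r["OperationNameValue"],
        "ResourceName": r["ResourceId"].split("/")[-1],                  # split(ResourceId,"/")[-1]
        "ResourceId": r["ResourceId"],
        "CallerIpAddress": r["CallerIpAddress"],
        "ResourceGroup": r["ResourceGroup"],
        "SubscriptionId": r["SubscriptionId"],
    } for r in kept]
    return sorted(projected, key=lambda r: r["TimeGenerated"], reverse=True)


def first_seen_by_caller(results):
    """Earliest change per Caller in the result set: the pivot for correlating
    with first-time-caller alerts (an extension beyond the query on the page)."""
    first = {}
    for r in results:
        if r["Caller"] not in first or r["TimeGenerated"] < first[r["Caller"]]:
            first[r["Caller"]] = r["TimeGenerated"]
    return first


if __name__ == "__main__":
    for r in hunt_automation_changes(SAMPLE_ROWS):
        print(r["TimeGenerated"].date(), r["Caller"], r["Operation"], r["ResourceName"])
```

Running the block keeps three of the eight constructed rows (the runbook write, the publish action and the webhook creation) and drops the Start record, the failure, the out-of-window row, the account-level write and the Compute operation, which is the same split the KQL produces in a workspace.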

David Alonso
Released: March 12, 2026