AZT505.1 - Scheduled Jobs - Runbook Schedules

Adversaries may create a schedule for a Runbook to run at a defined interval.

Resource

Automation Account

Actions

• Microsoft.Automation/automationAccounts/Schedules/write

Examples

Az PowerShellAzure REST APIAzure Portal

New-AzAutomationSchedule

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/{automationAccountName}/jobSchedules/{jobScheduleId}?api-version=2019-06-01

Detections

Logs

Data Source	Operation Name	Action	Log Provider
Resource	Create or Update an Azure Automation schedule asset	Microsoft.Automation/automationAccounts/Schedules/write	AzureActivity

Queries

Platform	Query
Log Analytics	AzureActivity | where OperationNameValue == 'MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WATCHERS/WATCHERACTIONS/WRITE'

Azure Monitor Alert

Additional Resources

https://docs.microsoft.com/en-us/azure/automation/shared-resources/schedules