splunk · patel-bhavin · Sep 3, 2025 · Sep 3, 2025 · Sep 3, 2025
@@ -1,8 +1,8 @@
 name: Azure Automation Account Created
 id: 860902fd-2e76-46b3-b050-ba548dab576c
-version: 9
-date: '2025-05-02'
-author: Mauricio Velazco, Splunk
+version: 10
+date: '2025-09-03'
+author: Mauricio Velazco, Brian Serocki, Splunk
 status: production
 type: TTP
 description: The following analytic detects the creation of a new Azure Automation
@@ -15,9 +15,9 @@ description: The following analytic detects the creation of a new Azure Automati
   on virtual machines, posing a significant security risk.
 data_source:
 - Azure Audit Create or Update an Azure Automation account
-search: '`azure_audit` operationName.localizedValue="Create or Update an Azure Automation account" status.value=Succeeded 
+search: '`azure_audit` operationName.value="Microsoft.Automation/automationAccounts/write" status.value=Succeeded 
   | dedup object 
-  | rename claims.ipaddr as src, subscriptionId as vendor_account, operationName.localizedValue as signature
+  | rename claims.ipaddr as src, subscriptionId as vendor_account, operationName.value as signature
   | stats count min(_time) as firstTime max(_time) as lastTime by dest user src vendor_account vendor_product object object_path signature
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_automation_account_created_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft

@@ -1,8 +1,8 @@
 name: Azure Automation Runbook Created
 id: 178d696d-6dc6-4ee8-9d25-93fee34eaf5b
-version: 9
-date: '2025-05-02'
-author: Mauricio Velazco, Splunk
+version: 10
+date: '2025-09-03'
+author: Mauricio Velazco, Brian Serocki, Splunk
 status: production
 type: TTP
 description: The following analytic detects the creation of a new Azure Automation
@@ -15,9 +15,9 @@ description: The following analytic detects the creation of a new Azure Automati
   environment.
 data_source:
 - Azure Audit Create or Update an Azure Automation Runbook
-search: '`azure_audit` operationName.localizedValue="Create or Update an Azure Automation Runbook" object!=AzureAutomationTutorial* status.value=Succeeded 
+search: '`azure_audit` operationName.value="Microsoft.Automation/automationAccounts/runbooks/write" object!=AzureAutomationTutorial* status.value=Succeeded 
   | dedup object 
-  | rename claims.ipaddr as src, subscriptionId as vendor_account, operationName.localizedValue as operationName
+  | rename claims.ipaddr as src, subscriptionId as vendor_account, operationName.value as operationName
   | stats count min(_time) as firstTime max(_time) as lastTime by dest user src vendor_account vendor_product object object_path 
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)` 

@@ -1,8 +1,8 @@
 name: Azure Runbook Webhook Created
 id: e98944a9-92e4-443c-81b8-a322e33ce75a
-version: 10
-date: '2025-05-02'
-author: Mauricio Velazco, Splunk
+version: 11
+date: '2025-09-03'
+author: Mauricio Velazco, Brian Serocki, Splunk
 status: production
 type: TTP
 description: The following analytic detects the creation of a new Automation Runbook
@@ -15,7 +15,7 @@ description: The following analytic detects the creation of a new Automation Run
   control over Azure resources.
 data_source:
 - Azure Audit Create or Update an Azure Automation webhook
-search: '`azure_audit` operationName.localizedValue="Create or Update an Azure Automation webhook" status.value=Succeeded 
+search: '`azure_audit` operationName.value="Microsoft.Automation/automationAccounts/webhooks/write" status.value=Succeeded 
   | dedup object 
   | rename claims.ipaddr as src_ip
   | rename caller as user