Skip to content

Microsoft.Automation/automationAccounts/webhooks/action

Azure

Microsoft.Automation/automationAccounts/webhooks/action

service: Azure - Automation
tactics:
techniques:

Event

Triggers an Azure Automation runbook via a webhook invocation.

Security Context

  • Automation services can be weaponized to execute scripts across multiple resources simultaneously, enabling rapid lateral movement.

Log Source

Azure Activity Log

Sample Event

Adversarial. Pre-staged webhook webhook-backup-offsite (created in the previous webhooks/write event) is invoked from the attacker IP. Webhooks accept anonymous HTTP POST — Azure does NOT require Entra auth on the URL itself, only the secret URL token. So the caller field for this Activity Log entry is the Automation Account’s identity, not Draco’s UPN — that’s what makes webhooks valuable to attackers, and important for defenders to recognise. The job created by the webhook will then run in the worker context.

{
"authorization": {
"action": "Microsoft.Automation/automationAccounts/webhooks/action",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Automation/automationAccounts/aa-occamy-automation/webhooks/webhook-backup-offsite"
},
"caller": "Microsoft.Automation",
"channels": "Operation",
"claims": {
"aud": "https://management.core.windows.net/",
"iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/",
"appid": "5b132037-23e4-46e5-b3bf-fe96dabf76ec",
"appidacr": "2",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "40000000-0000-4000-8000-000000101010",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001"
},
"correlationId": "90000000-0000-4000-8000-000010010000",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000010010001",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T21:18:42.7172938Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Automation/automationAccounts/aa-occamy-automation/webhooks/webhook-backup-offsite/events/90000000-0000-4000-8000-000010010001/ticks/638798233227172938",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000010010010",
"operationName": {
"value": "Microsoft.Automation/automationAccounts/webhooks/action",
"localizedValue": "Invoke an Azure Automation webhook"
},
"resourceGroupName": "rg-occamy-pipeline",
"resourceProviderName": {
"value": "Microsoft.Automation",
"localizedValue": "Microsoft.Automation"
},
"resourceType": {
"value": "Microsoft.Automation/automationAccounts/webhooks",
"localizedValue": "Microsoft.Automation/automationAccounts/webhooks"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Automation/automationAccounts/aa-occamy-automation/webhooks/webhook-backup-offsite",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "OK",
"localizedValue": "OK (HTTP Status Code: 200)"
},
"submissionTimestamp": "2026-04-15T21:18:43.0218732Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "OK",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Automation/automationAccounts/aa-occamy-automation/webhooks/webhook-backup-offsite",
"message": "Microsoft.Automation/automationAccounts/webhooks/action",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001"
},
"relatedEvents": [],
"httpRequest": {
"clientRequestId": "90000000-0000-4000-8000-000010010011",
"clientIpAddress": "203.0.113.66",
"method": "POST"
},
"identity": null
}

MITRE ATT&CK Mapping

Tactics: Execution

Techniques:
  • T1072 — Software Deployment Tools — Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine adminis...
  • T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface a...