
Summary
This detection rule identifies the creation or modification of an Azure Automation runbook. Runbooks are scripts (PowerShell or Python, for example) that Azure Automation runs to automate tasks in a cloud environment, so an adversary who can write or publish one gains a way to execute unauthorized code and maintain persistence in a compromised environment under the cover of routine automation. The rule monitors Azure activity logs for the operation names associated with runbook changes and flags each creation or modification event, so that misuse can be detected early. Investigators are guided to review the activity log entries carrying those operation names, confirm that the operation actually succeeded rather than failed, examine the user identity fields to establish who made the change and whether that principal is expected to change runbooks, and correlate the runbook change with other security events from the same account or time window. False positives are reduced by validating the change against known administrative activity; where it cannot be validated, response steps include isolating the affected accounts, auditing recent runbook activity and contents, and tightening monitoring so that similar changes are detected quickly. The rule emphasizes distinguishing legitimate administrative actions from potentially malicious activity.
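The following is an added example, not the rule's own query or code from the source page: it applies the detection described above to Azure Activity Log records, keeping only successful runbook write, draft write and publish operations, extracting the acting identity, and marking which hits come from an allowlist of expected automation administrators. The page does not list the operation names; the three used here are assumed to be the Microsoft.Automation resource-provider operations for those actions, and the field names (`operationName`, `resultType`, `caller`, `callerIpAddress`, `identity.claims`) follow the Azure Monitor activity log export schema and should be checked against the reader's own pipeline. The sample records are constructed, not real telemetry.

```python
"""Added example: runbook created/modified detection over Azure Activity Log records."""
from dataclasses import dataclass
from typing import Iterable, List

# Assumed operation names for a runbook create/modify (the page does not list them).
# Compared case-insensitively because different export paths differ in casing.
RUNBOOK_CHANGE_OPERATIONS = frozenset({
    "microsoft.automation/automationaccounts/runbooks/write",
    "microsoft.automation/automationaccounts/runbooks/draft/write",
    "microsoft.automation/automationaccounts/runbooks/publish/action",
})

# Activity Log emits a non-terminal "Start" record and then a terminal one per operation;
# only a successful terminal record proves the runbook actually changed.
SUCCESS_RESULTS = frozenset({"success", "succeeded"})

UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"


@dataclass(frozen=True)
class RunbookChange:
    time: str
    operation: str
    resource_id: str
    actor: str
    actor_ip: str
    expected: bool  # True when the actor is on the allowlist of automation admins


def is_runbook_change(record: dict) -> bool:
    """Successful runbook write/draft write/publish; reads, job starts and failures do not match."""
    op = str(record.get("operationName", "")).lower()
    result = str(record.get("resultType", "")).lower()
    return op in RUNBOOK_CHANGE_OPERATIONS and result in SUCCESS_RESULTS


def actor_of(record: dict) -> str:
    """Prefer the UPN claim (user) or appid claim (service principal); fall back to caller."""
    claims = record.get("identity", {}).get("claims", {})
    if claims.get(UPN_CLAIM):
        return claims[UPN_CLAIM]
    if claims.get("appid"):
        return "appid:" + claims["appid"]
    return str(record.get("caller", "unknown"))


def detect(records: Iterable[dict], allowed_actors: Iterable[str] = ()) -> List[RunbookChange]:
    """Return one RunbookChange per matching record, in log order."""
    allow = {a.lower() for a in allowed_actors}
    hits = []
    for r in records:
        if not is_runbook_change(r):
            continue
        actor = actor_of(r)
        hits.append(RunbookChange(
            time=r.get("time", ""),
            operation=r["operationName"],
            resource_id=r.get("resourceId", ""),
            actor=actor,
            actor_ip=r.get("callerIpAddress", ""),
            expected=actor.lower() in allow,
        ))
    return hits


# Constructed sample records (hypothetical subscription, account and runbook names).
RUNBOOK_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ops"
              "/providers/Microsoft.Automation/automationAccounts/aa-prod/runbooks/Patch-Servers")
PREFIX = "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/"


def _record(time, op, result, caller, ip, claims=None):
    return {"time": time, "operationName": PREFIX + op, "resultType": result,
            "resourceId": RUNBOOK_ID, "caller": caller, "callerIpAddress": ip,
            "identity": {"claims": claims or {}}}


SAMPLE_RECORDS = [
    _record("2020-08-18T09:12:01Z", "RUNBOOKS/WRITE", "Success", "ops-admin@contoso.example",
            "203.0.113.10", {UPN_CLAIM: "ops-admin@contoso.example"}),           # hit, expected
    _record("2020-08-18T09:12:03Z", "RUNBOOKS/DRAFT/WRITE", "Start", "ops-admin@contoso.example",
            "203.0.113.10"),                                                     # non-terminal
    _record("2020-08-18T10:02:44Z", "RUNBOOKS/READ", "Success", "analyst@contoso.example",
            "203.0.113.22", {UPN_CLAIM: "analyst@contoso.example"}),             # read only
    _record("2020-08-18T10:05:10Z", "RUNBOOKS/WRITE", "Failure", "analyst@contoso.example",
            "203.0.113.22", {UPN_CLAIM: "analyst@contoso.example"}),             # denied
    _record("2020-08-18T23:41:09Z", "RUNBOOKS/PUBLISH/ACTION", "Success", "a1b2c3d4",
            "198.51.100.7", {"appid": "11111111-2222-3333-4444-555555555555"}),  # hit, review
    _record("2020-08-18T23:41:30Z", "JOBS/WRITE", "Success", "a1b2c3d4", "198.51.100.7",
            {"appid": "11111111-2222-3333-4444-555555555555"}),                  # job start
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_RECORDS, allowed_actors={"ops-admin@contoso.example"}):
        status = "expected admin change" if hit.expected else "REVIEW: unexpected actor"
        print(f"{hit.time} {hit.operation} by {hit.actor} from {hit.actor_ip}: {status}")
```

Run as a script, the two alerts that fire are the administrator's successful write and the late-night publish by a service principal that is not on the allowlist; the in-progress draft write, the read, the failed write and the job start are all excluded. The allowlist is where the false-positive guidance from the summary lands: a hit from an expected actor can be auto-closed against change records, while an unexpected actor triggers the account isolation and runbook audit steps.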
Categories
- Cloud
Data Sources
- Cloud Service
- Application Log
Created: 2020-08-18