
Summary
This detection rule identifies the creation of webhooks on Azure Automation accounts. An Azure Automation webhook is a URL that starts a specific runbook whenever an HTTP POST is sent to it. The URL embeds a security token and is shown only once, at creation time, and any party holding it can start the runbook without further Azure authentication. An adversary who can write to an automation account can therefore create a webhook to execute runbook code on demand, or to keep an externally triggerable foothold that is independent of the credentials used to create it.

The rule queries the Azure Monitor Activity log for successful webhook write operations against automation accounts. Beyond matching single events, it evaluates the frequency of webhook creation: several webhooks created within a short time window, in particular from the same caller IP address or across several accounts, are treated as a stronger indicator than a lone creation, since legitimate administration rarely produces such bursts. Matches should be reviewed against the caller identity, the source IP, and whether a corresponding change record exists; a new webhook with no change record, or one attached to a runbook that runs under a privileged identity, warrants investigation. The rule maps to the MITRE ATT&CK persistence and execution tactics listed below.
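As an added example, not taken from the rule page or from any vendor's rule code, the following Python runs the detection logic described above over a few constructed Activity Log records: it keeps only successful webhook write operations on automation accounts, groups them by caller IP address, and raises one alert per address when the number of creations inside a sliding time window reaches a threshold. The operation names and the record shape (operationName.value, status.value, caller, httpRequest.clientIpAddress, eventTimestamp, resourceId) are assumptions modelled on the Activity Log schema and should be confirmed against your tenant's own export; the sample records, addresses and account names are constructed.

```python
"""Burst detection for Azure Automation webhook creation over Activity Log records."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Activity Log operation names that record a webhook being created or updated on an
# automation account. Assumed here; confirm against the tenant's own Activity Log export.
WEBHOOK_WRITE_OPS = {
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE",
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION",
}

# Constructed sample records (not real telemetry) modelled on the Activity Log schema.
# Three successful creations from 198.51.100.7 within six minutes, one failed attempt,
# one unrelated runbook write, and one lone creation from a second address.
SAMPLE_ACTIVITY_LOG = """
{"eventTimestamp":"2026-01-14T09:00:00Z","operationName":{"value":"Microsoft.Automation/automationAccounts/webhooks/write"},"status":{"value":"Succeeded"},"caller":"svc-deploy@contoso.example","httpRequest":{"clientIpAddress":"198.51.100.7"},"resourceId":"/subscriptions/sub-1/resourceGroups/rg-ops/providers/Microsoft.Automation/automationAccounts/aa-prod/webhooks/wh-1"}
{"eventTimestamp":"2026-01-14T09:02:00Z","operationName":{"value":"Microsoft.Automation/automationAccounts/webhooks/write"},"status":{"value":"Succeeded"},"caller":"svc-deploy@contoso.example","httpRequest":{"clientIpAddress":"198.51.100.7"},"resourceId":"/subscriptions/sub-1/resourceGroups/rg-ops/providers/Microsoft.Automation/automationAccounts/aa-prod/webhooks/wh-2"}
{"eventTimestamp":"2026-01-14T09:05:30Z","operationName":{"value":"Microsoft.Automation/automationAccounts/webhooks/write"},"status":{"value":"Failed"},"caller":"svc-deploy@contoso.example","httpRequest":{"clientIpAddress":"198.51.100.7"},"resourceId":"/subscriptions/sub-1/resourceGroups/rg-ops/providers/Microsoft.Automation/automationAccounts/aa-dev/webhooks/wh-x"}
{"eventTimestamp":"2026-01-14T09:06:00Z","operationName":{"value":"Microsoft.Automation/automationAccounts/webhooks/write"},"status":{"value":"Succeeded"},"caller":"svc-deploy@contoso.example","httpRequest":{"clientIpAddress":"198.51.100.7"},"resourceId":"/subscriptions/sub-1/resourceGroups/rg-ops/providers/Microsoft.Automation/automationAccounts/aa-dev/webhooks/wh-3"}
{"eventTimestamp":"2026-01-14T09:07:00Z","operationName":{"value":"Microsoft.Automation/automationAccounts/runbooks/write"},"status":{"value":"Succeeded"},"caller":"svc-deploy@contoso.example","httpRequest":{"clientIpAddress":"198.51.100.7"},"resourceId":"/subscriptions/sub-1/resourceGroups/rg-ops/providers/Microsoft.Automation/automationAccounts/aa-dev/runbooks/Cleanup"}
{"eventTimestamp":"2026-01-14T12:30:00Z","operationName":{"value":"Microsoft.Automation/automationAccounts/webhooks/write"},"status":{"value":"Succeeded"},"caller":"ops-admin@contoso.example","httpRequest":{"clientIpAddress":"203.0.113.5"},"resourceId":"/subscriptions/sub-1/resourceGroups/rg-ops/providers/Microsoft.Automation/automationAccounts/aa-prod/webhooks/wh-nightly"}
"""
SAMPLE_RECORDS = [json.loads(line) for line in SAMPLE_ACTIVITY_LOG.strip().splitlines()]


def parse_webhook_creation(record):
    """Return a normalised event for a successful webhook write, or None for anything else."""
    op = record.get("operationName", {}).get("value", "").upper()
    if op not in WEBHOOK_WRITE_OPS:
        return None
    if record.get("status", {}).get("value") != "Succeeded":
        return None  # failed or in-progress writes did not create a usable webhook
    ts = datetime.fromisoformat(record["eventTimestamp"].replace("Z", "+00:00"))
    return {
        "time": ts,
        "caller": record.get("caller", "<unknown>"),
        "ip": record.get("httpRequest", {}).get("clientIpAddress", "<unknown>"),
        "resource": record.get("resourceId", "<unknown>"),
    }


def detect_webhook_bursts(records, threshold=3, window_minutes=10):
    """One alert per caller IP whose successful webhook creations reach `threshold`
    inside any sliding window of `window_minutes`. Returns a list of alert dicts."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for record in records:
        event = parse_webhook_creation(record)
        if event is not None:
            by_ip[event["ip"]].append(event)

    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["time"])
        best = None
        left = 0
        for right in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[right]["time"] - events[left]["time"] > window:
                left += 1
            count = right - left + 1
            if count >= threshold and (best is None or count > best["count"]):
                span = events[left:right + 1]
                best = {
                    "ip": ip,
                    "count": count,
                    "callers": sorted({e["caller"] for e in span}),
                    "webhooks": [e["resource"] for e in span],
                    "start": span[0]["time"].isoformat(),
                    "end": span[-1]["time"].isoformat(),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_webhook_bursts(SAMPLE_RECORDS):
        print(f"{alert['ip']}: {alert['count']} webhooks created {alert['start']} .. {alert['end']}")
        for wh in alert["webhooks"]:
            print("   ", wh)
```

The threshold and window are the tuning knobs: a threshold of 1 turns this into a plain "webhook created" alert, while the default of three creations in ten minutes suppresses a single legitimate deployment and fires on the burst pattern the rule describes. Failed writes are excluded on purpose, since they leave no callable webhook behind, but a run of failures from one address is worth a separate, lower-severity signal.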
Categories
- Cloud
- Azure
- Infrastructure
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1546
- T1608
Created: 2026-01-14