
Summary
The Azure Automation Runbook Deleted detection rule identifies unauthorized deletions of Azure Automation runbooks, which can indicate adversarial activity such as covering tracks after executing a malicious runbook or disrupting security processes. The rule uses Azure Monitor Activity logs to track runbook operations and focuses specifically on delete actions. To add context to a deletion, it checks whether the runbook was recently created by the same actor and looks for correlated defensive-evasion activity by that actor within a specified timeframe. Because legitimate runbook deletions are expected to be rare and managed through change control, any detected deletion can alert security teams to a potential security incident. The severity level is classified as informational, reflecting that the deletion may be benign or malicious depending on its context.
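As an added illustration (not code from the rule or its vendor), the following Python model applies the rule's logic to constructed Activity log events: it flags successful runbook deletes, checks whether the same caller wrote (created) that runbook within a recent window, and collects defensive-evasion operations by the same caller around the deletion. The ARM operation name strings and the set of operations treated as defensive evasion are assumptions to verify against your own tenant's logs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Azure Activity log operation names (ARM operations; assumed, verify in your logs).
RUNBOOK_DELETE = "Microsoft.Automation/automationAccounts/runbooks/delete"
RUNBOOK_WRITE = "Microsoft.Automation/automationAccounts/runbooks/write"
# Operations treated here as defensive-evasion indicators (illustrative set).
EVASION_OPS = {
    "Microsoft.Insights/diagnosticSettings/delete",
    "Microsoft.Insights/activityLogAlerts/delete",
}

@dataclass
class Event:
    time: datetime          # event timestamp (UTC)
    operation: str          # operationName from the Activity log
    caller: str             # identity that performed the operation
    resource_id: str        # target resource
    status: str = "Succeeded"

def detect_runbook_deletions(events, create_window=timedelta(hours=24),
                             evasion_window=timedelta(hours=1)):
    """One finding per successful runbook delete, enriched with whether the same
    caller created the runbook within create_window and with any evasion-type
    operations by that caller within evasion_window of the deletion."""
    findings = []
    for ev in events:
        if ev.operation != RUNBOOK_DELETE or ev.status != "Succeeded":
            continue  # failed or unrelated operations do not alert
        recently_created = any(
            e.operation == RUNBOOK_WRITE and e.caller == ev.caller
            and e.resource_id == ev.resource_id
            and timedelta(0) <= ev.time - e.time <= create_window
            for e in events)
        evasion = sorted({
            e.operation for e in events
            if e.operation in EVASION_OPS and e.caller == ev.caller
            and abs(e.time - ev.time) <= evasion_window})
        findings.append({"runbook": ev.resource_id, "caller": ev.caller,
                         "time": ev.time, "recently_created_by_caller": recently_created,
                         "correlated_evasion": evasion})
    return findings

# Constructed sample events (not real log data); resource ids are shortened.
T0 = datetime(2026, 1, 14, 9, 0)
SAMPLE_EVENTS = [
    Event(T0 - timedelta(days=3), RUNBOOK_WRITE, "alice@example.com", "aa1/runbooks/rb2"),
    Event(T0, RUNBOOK_WRITE, "alice@example.com", "aa1/runbooks/rb1"),
    Event(T0 + timedelta(minutes=30), RUNBOOK_DELETE, "alice@example.com", "aa1/runbooks/rb1"),
    Event(T0 + timedelta(minutes=40), "Microsoft.Insights/diagnosticSettings/delete",
          "alice@example.com", "aa1/diag"),
    Event(T0 + timedelta(hours=2), RUNBOOK_DELETE, "bob@example.com", "aa1/runbooks/rb2"),
    Event(T0 + timedelta(hours=3), RUNBOOK_DELETE, "bob@example.com", "aa1/runbooks/rb3", "Failed"),
]

def sample_findings():
    return detect_runbook_deletions(SAMPLE_EVENTS)
```

Running `sample_findings()` yields two findings: alice's deletion of a runbook she created 30 minutes earlier, correlated with a diagnostic-settings delete, and bob's deletion of a long-standing runbook with no correlated evasion; the failed delete is ignored.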
Categories
- Cloud
- Azure
Data Sources
- Logon Session
- Application Log
- User Account
- Cloud Service
ATT&CK Techniques
- T1070
Created: 2026-01-14