
Summary
The detection rule identifies instances when an Azure Automation runbook is deleted. Such deletions may indicate adversarial actions aimed at disrupting automated operational workflows, or removal of malicious runbooks as a defense evasion technique. The rule uses Azure activity logs to monitor deletions, specifically looking for operations that indicate successful deletions of runbooks. Upon alert, analysts are prompted to investigate user activity surrounding the deletion, checking the logs for the operation name related to the deletion and ensuring the outcome is marked as successful. Analysts should also review relevant logs leading up to and following the event for any patterns of suspicious behavior, and assess the business impact of the deletion on operational processes. The rule includes considerations for false positives arising from routine IT maintenance and outlines the investigative and remediation steps to be taken in the event of an unauthorized deletion.
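The following is an added illustration of the rule's core condition (a runbook delete operation whose outcome is successful) run over constructed Azure activity log records; it is not the rule's own query. It assumes flattened records with `operationName`, `resultType`, `caller`, `resourceId` and `time` fields, matches the operation name case-insensitively, and adds a per-caller count as triage context for distinguishing a single maintenance deletion from a burst.

```python
from collections import Counter

# Azure resource-provider operation emitted when a runbook is deleted; compared case-insensitively.
RUNBOOK_DELETE_OP = "microsoft.automation/automationaccounts/runbooks/delete"
# Activity logs spell the outcome differently depending on export path, so accept both.
SUCCESS_RESULTS = {"success", "succeeded"}

# Constructed sample records (not real telemetry). resourceId is abbreviated to its tail.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00Z", "caller": "alice@example.com", "resultType": "Success",
     "operationName": "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE",
     "resourceId": "aa-ops/runbooks/Cleanup-OldVMs"},
    {"time": "2024-05-01T08:00:05Z", "caller": "alice@example.com", "resultType": "Success",
     "operationName": "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE",   # not a delete
     "resourceId": "aa-ops/runbooks/Cleanup-OldVMs"},
    {"time": "2024-05-01T09:10:00Z", "caller": "mallory@example.com", "resultType": "Failure",
     "operationName": "Microsoft.Automation/automationAccounts/runbooks/delete",  # failed, no alert
     "resourceId": "aa-ops/runbooks/Rotate-Keys"},
    {"time": "2024-05-01T09:11:00Z", "caller": "mallory@example.com", "resultType": "Succeeded",
     "operationName": "Microsoft.Automation/automationAccounts/runbooks/delete",
     "resourceId": "aa-ops/runbooks/Rotate-Keys"},
    {"time": "2024-05-01T09:11:30Z", "caller": "mallory@example.com", "resultType": "Succeeded",
     "operationName": "Microsoft.Automation/automationAccounts/runbooks/delete",
     "resourceId": "aa-ops/runbooks/Patch-Servers"},
]


def is_successful_runbook_deletion(event):
    """True when the record is a completed runbook delete: the rule's core condition."""
    op = event.get("operationName", "").lower()
    result = event.get("resultType", "").lower()
    return op == RUNBOOK_DELETE_OP and result in SUCCESS_RESULTS


def detect(events):
    """One alert per successful deletion, carrying the fields an analyst triages first."""
    return [
        {"time": e["time"], "caller": e["caller"], "runbook": e["resourceId"].rsplit("/", 1)[-1]}
        for e in events
        if is_successful_runbook_deletion(e)
    ]


def deletions_per_caller(alerts):
    """Triage context: several deletions by one identity in a short window stand out
    against the single deletion typical of routine maintenance."""
    return Counter(a["caller"] for a in alerts)


if __name__ == "__main__":
    alerts = detect(SAMPLE_EVENTS)
    for a in alerts:
        print(f"{a['time']} {a['caller']} deleted runbook {a['runbook']}")
    print(dict(deletions_per_caller(alerts)))
```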
Categories
- Cloud
- Azure
Data Sources
- Cloud Service
- Application Log
- Script
Created: 2020-09-01