Azure Serverless Script Execution

Panther Rules

Summary
The Azure Serverless Script Execution detection rule identifies instances in which serverless resources such as Azure Automation and Azure Function Apps execute PowerShell or Python scripts. This detection matters because adversaries with access to these resources may run commands with the permissions granted to managed identities, RunAs accounts, or hybrid worker groups. The rule specifically looks for Azure Monitor Activity log events that indicate script execution in both Automation and Function Apps. Key investigative steps include examining execution patterns by the caller's IP address, identifying any create or modify operations on these resources prior to the execution event, and evaluating how unusual these actions are compared with historical behavior.
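As an added illustration (not Panther's own rule code), the following Python sketch follows the rule()/title() shape Panther rules use and adds helpers for the investigative steps above; the operationName values, field names and sample records are assumptions modelled on Azure Activity log entries.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed operationName values (Activity log reports them upper-cased) for a script run.
SCRIPT_EXEC_OPS = {
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/JOBS/WRITE",  # runbook job submitted
    "MICROSOFT.WEB/SITES/FUNCTIONS/ACTION",                # function invoked
}
# Assumed create/modify operations on the same resource types, used for context.
SETUP_OPS = {
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE",
    "MICROSOFT.WEB/SITES/FUNCTIONS/WRITE",
}

def resource_scope(resource_id):
    """Collapse a resourceId to its top-level resource (automation account or function app)."""
    return "/".join(resource_id.split("/providers/", 1)[1].split("/")[:3])

def rule(event):
    """Panther-style rule(): fire on a successful script-execution operation."""
    op = event.get("operationName", "").upper()
    return op in SCRIPT_EXEC_OPS and event.get("resultType", "").lower() == "success"

def title(event):
    """Panther-style title(): one-line alert title naming the resource and caller IP."""
    return (f"Azure serverless script execution on {resource_scope(event['resourceId'])} "
            f"from {event['callerIpAddress']}")

def preceding_setup(events, alert, window=timedelta(hours=24)):
    """Investigation step: create/modify operations on the alerting resource by the
    same caller IP within `window` before the execution."""
    t_alert = datetime.fromisoformat(alert["time"])
    return [e for e in events
            if e["operationName"].upper() in SETUP_OPS
            and resource_scope(e["resourceId"]) == resource_scope(alert["resourceId"])
            and e["callerIpAddress"] == alert["callerIpAddress"]
            and t_alert - window <= datetime.fromisoformat(e["time"]) < t_alert]

def executions_by_ip(events):
    """Investigation step: executions per caller IP, to compare against history."""
    return Counter(e["callerIpAddress"] for e in events if rule(e))

# Constructed sample records in the shape of Azure Monitor Activity log entries.
AA = "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Automation/automationAccounts/aa1"
SAMPLE_EVENTS = [
    {"time": "2026-01-14T09:00:00", "operationName": "Microsoft.Automation/automationAccounts/runbooks/write",
     "resultType": "Success", "callerIpAddress": "203.0.113.7", "resourceId": AA + "/runbooks/Cleanup"},
    {"time": "2026-01-14T09:05:00", "operationName": "Microsoft.Automation/automationAccounts/jobs/write",
     "resultType": "Success", "callerIpAddress": "203.0.113.7", "resourceId": AA + "/jobs/job-1"},
    {"time": "2026-01-14T10:00:00", "operationName": "Microsoft.Automation/automationAccounts/jobs/write",
     "resultType": "Failed", "callerIpAddress": "198.51.100.9", "resourceId": AA + "/jobs/job-2"},
]
```

Running `preceding_setup(SAMPLE_EVENTS, SAMPLE_EVENTS[1])` returns the runbook write from the same IP five minutes earlier, which is the context the summary asks an analyst to look for.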
Categories
  • Cloud
  • Azure
  • Infrastructure
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1059
  • T1651
Created: 2026-01-14