
Summary
This detection rule identifies the creation of a new Azure Automation account within an Azure tenant, using administrative events from the Azure Activity log. A newly created Automation account is security-relevant because an attacker can use it to run automation with potentially elevated privileges: the account provides persistence, the ability to execute malicious runbooks, and from there actions such as privilege escalation or unauthorized code execution on virtual machines. The rule surfaces account creations so that unauthorized or suspicious ones can be triaged.
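The detection logic described above, run over constructed Activity log records, as an added example that is not part of the original rule. It assumes the ARM operation name `Microsoft.Automation/automationAccounts/write` (matched case-insensitively), that a successful record carries `resultType`/`status` of `Success` or `Succeeded`, and that, where present, `properties.statusCode` of `Created` distinguishes a create from an update (an ARM write fires for both). The field names, callers, and resource IDs in the sample records are placeholders.

```python
"""Flag successful creation of Azure Automation accounts in Azure Activity log records."""
from typing import Any, Dict, Iterable, List, Optional

# Assumed ARM operation name for writes to automation accounts; compared case-insensitively.
AUTOMATION_ACCOUNT_WRITE = "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE"

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ops"
AA_NEW = SUB + "/providers/Microsoft.Automation/automationAccounts/aa-new"
AA_OLD = SUB + "/providers/Microsoft.Automation/automationAccounts/aa-existing"

# Constructed sample records (not real tenant data). The flat shape mirrors the
# diagnostic-setting export (operationName / resultType); the nested shape mirrors
# the REST API (operationName.value / status.value). Both are assumptions.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # Start record of a create: same correlationId as the success record below.
    {"category": "Administrative", "operationName": "Microsoft.Automation/automationAccounts/write",
     "resultType": "Start", "correlationId": "corr-a", "caller": "alice@example.com", "resourceId": AA_NEW},
    # Successful create (statusCode Created).
    {"category": "Administrative", "operationName": "Microsoft.Automation/automationAccounts/write",
     "resultType": "Success", "correlationId": "corr-a", "caller": "alice@example.com",
     "resourceId": AA_NEW, "properties": {"statusCode": "Created"}},
    # Successful write to an existing account (statusCode OK): an update, not a create.
    {"category": "Administrative", "operationName": "Microsoft.Automation/automationAccounts/write",
     "resultType": "Success", "correlationId": "corr-b", "caller": "bob@example.com",
     "resourceId": AA_OLD, "properties": {"statusCode": "OK"}},
    # Runbook write under an account: a different operation, out of scope for this rule.
    {"category": "Administrative", "operationName": "Microsoft.Automation/automationAccounts/runbooks/write",
     "resultType": "Success", "correlationId": "corr-d", "caller": "bob@example.com",
     "resourceId": AA_OLD + "/runbooks/rb-1"},
    # Nested REST-style record with no statusCode: cannot tell create from update.
    {"category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Automation/automationAccounts/write"},
     "status": {"value": "Succeeded"}, "correlationId": "corr-c",
     "caller": "svc-deploy@example.com", "resourceId": AA_NEW},
    # Duplicate success record for corr-a, as happens when a source is ingested twice.
    {"category": "Administrative", "operationName": "Microsoft.Automation/automationAccounts/write",
     "resultType": "Success", "correlationId": "corr-a", "caller": "alice@example.com",
     "resourceId": AA_NEW, "properties": {"statusCode": "Created"}},
]


def _field(event: Dict[str, Any], key: str) -> Optional[str]:
    """Return a string field that may be flat or nested under a 'value' key."""
    val = event.get(key)
    if isinstance(val, dict):
        val = val.get("value")
    return val if isinstance(val, str) else None


def _outcome(event: Dict[str, Any]) -> Optional[str]:
    """Success indicator: flat 'resultType' or nested 'status.value'."""
    return _field(event, "resultType") or _field(event, "status")


def _status_code(event: Dict[str, Any]) -> Optional[str]:
    props = event.get("properties")
    code = props.get("statusCode") if isinstance(props, dict) else None
    return code if isinstance(code, str) else None


def classify(event: Dict[str, Any]) -> Optional[str]:
    """Return 'create', 'update' or 'unknown' for a successful automation-account write, else None."""
    if (_field(event, "category") or "").lower() != "administrative":
        return None
    if (_field(event, "operationName") or "").upper() != AUTOMATION_ACCOUNT_WRITE:
        return None
    if (_outcome(event) or "").lower() not in ("success", "succeeded"):
        return None  # drops Start/Accept records so one operation yields one alert
    code = _status_code(event)
    if code is None:
        return "unknown"
    return "create" if code.lower() == "created" else "update"


def detect(events: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Emit one alert per correlated create (or indeterminate write); updates are excluded."""
    alerts: List[Dict[str, str]] = []
    seen = set()
    for ev in events:
        kind = classify(ev)
        if kind in (None, "update"):
            continue
        corr = ev.get("correlationId") or ev.get("resourceId") or ""
        if corr in seen:
            continue
        seen.add(corr)
        alerts.append({"kind": kind, "caller": ev.get("caller", ""),
                       "resourceId": ev.get("resourceId", ""), "correlationId": corr})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Filtering on the success outcome matters: the Activity log emits separate Start and Success records for one ARM operation that share a correlationId, so matching on the operation name alone double-counts. Records without a status code are kept as "unknown" rather than dropped, since suppressing them would let an account creation logged through a different pipeline pass unnoticed; the caller and resourceId carried on the alert are what an analyst needs to check whether the creation was expected.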
Categories
- Cloud
- Azure
Data Sources
- Cloud Service
- Logon Session
ATT&CK Techniques
- T1136
- T1136.003
Created: 2024-11-14