
Summary
This detection rule monitors the creation of new Azure Automation Runbooks within an Azure tenant. It uses Azure audit events, specifically the Azure Activity log category, to capture instances in which a Runbook is created or modified. The rule highlights the risk of such actions: an adversary with access to an Azure tenant can use Runbooks to execute malicious functions, maintain persistence, or escalate privileges within the environment. Confirmed malicious activity can have severe consequences, including unauthorized escalation to Global Administrator, execution of arbitrary code on virtual machines, and potential compromise of the entire Azure infrastructure. Detecting these events lets security teams respond promptly and mitigate the risks of unauthorized automation in cloud environments.
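To make the detection logic concrete, the following is an added Python example (not the rule's own query, nor Azure or vendor code) that applies the behaviour described in the summary to a few constructed Azure Activity log records: it flags successful runbook write, draft-write and publish operations and ignores failed attempts and unrelated operations. The operation names in `RUNBOOK_WRITE_OPERATIONS` are assumptions based on Azure Resource Manager naming for the Microsoft.Automation provider and should be confirmed against the tenant's own Activity log; the record shape is simplified, and the callers, timestamps and resource IDs are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed Azure Activity log operation names for runbook create, modify and publish
# (Azure Resource Manager naming for the Microsoft.Automation provider). Verify
# against your own tenant's Activity log before relying on them.
RUNBOOK_WRITE_OPERATIONS = frozenset({
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE",
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE",
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION",
})
SUCCESS_STATUSES = frozenset({"succeeded", "success"})


@dataclass(frozen=True)
class RunbookAlert:
    time: str
    caller: str
    operation: str
    resource_id: str


def _text(value) -> str:
    """Activity log exports differ: operationName/status may be a plain string or an
    object with a 'value' key. Normalize both to a string ('' when absent)."""
    if isinstance(value, dict):
        return str(value.get("value", ""))
    return "" if value is None else str(value)


def is_runbook_write(event: dict) -> bool:
    """True when the record is a successful runbook create/modify/publish operation.
    Failed attempts are excluded, matching the summary's focus on runbooks that were
    actually created or modified."""
    operation = _text(event.get("operationName")).upper()
    status = _text(event.get("status")).lower()
    return operation in RUNBOOK_WRITE_OPERATIONS and status in SUCCESS_STATUSES


def detect_runbook_changes(events) -> list:
    """Run the detection over an iterable of Activity log records."""
    return [
        RunbookAlert(
            time=_text(ev.get("eventTimestamp")),
            caller=_text(ev.get("caller")) or "<unknown>",
            operation=_text(ev.get("operationName")).upper(),
            resource_id=_text(ev.get("resourceId")),
        )
        for ev in events
        if is_runbook_write(ev)
    ]


def callers_by_count(alerts) -> dict:
    """Triage helper: which identities are creating or changing runbooks."""
    return dict(Counter(a.caller for a in alerts))


# Constructed sample records (not real tenant data); <sub-id> is a placeholder.
_RG = "/subscriptions/<sub-id>/resourceGroups/rg-ops/providers"
SAMPLE_EVENTS = [
    {  # new runbook written successfully -> alert
        "eventTimestamp": "2024-11-14T10:01:00Z",
        "caller": "automation-admin@example.com",
        "operationName": "Microsoft.Automation/automationAccounts/runbooks/write",
        "status": "Succeeded",
        "resourceId": _RG + "/Microsoft.Automation/automationAccounts/aa-ops/runbooks/Maintenance",
    },
    {  # same operation but failed (e.g. denied by RBAC) -> no alert
        "eventTimestamp": "2024-11-14T10:02:00Z",
        "caller": "contractor@example.com",
        "operationName": "Microsoft.Automation/automationAccounts/runbooks/write",
        "status": "Failed",
        "resourceId": _RG + "/Microsoft.Automation/automationAccounts/aa-ops/runbooks/Maintenance",
    },
    {  # unrelated VM operation -> no alert
        "eventTimestamp": "2024-11-14T10:03:00Z",
        "caller": "automation-admin@example.com",
        "operationName": "Microsoft.Compute/virtualMachines/start/action",
        "status": "Succeeded",
        "resourceId": _RG + "/Microsoft.Compute/virtualMachines/vm-web01",
    },
    {  # draft edited; object-shaped fields as some exports emit them -> alert
        "eventTimestamp": "2024-11-14T10:04:00Z",
        "caller": "contractor@example.com",
        "operationName": {"value": "Microsoft.Automation/automationAccounts/runbooks/draft/write"},
        "status": {"value": "Succeeded"},
        "resourceId": _RG + "/Microsoft.Automation/automationAccounts/aa-ops/runbooks/Cleanup",
    },
    {  # draft published, making the new code live -> alert
        "eventTimestamp": "2024-11-14T10:05:00Z",
        "caller": "contractor@example.com",
        "operationName": "Microsoft.Automation/automationAccounts/runbooks/publish/action",
        "status": "Success",
        "resourceId": _RG + "/Microsoft.Automation/automationAccounts/aa-ops/runbooks/Cleanup",
    },
]

if __name__ == "__main__":
    found = detect_runbook_changes(SAMPLE_EVENTS)
    for alert in found:
        print(f"{alert.time} {alert.caller} {alert.operation} {alert.resource_id}")
    print(callers_by_count(found))
```

Against the constructed records this yields three alerts (the initial write, the draft edit and the publish) and attributes two of them to the same caller, which is the kind of grouping an analyst would use to decide whether a burst of runbook changes is expected maintenance or worth escalating. Matching is case-insensitive because Activity log exports are not consistent about operation-name casing.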
Categories
- Cloud
- Azure
- Infrastructure
Data Sources
- Pod
- Cloud Service
- Application Log
ATT&CK Techniques
- T1136
- T1136.003
- T1078.004
Created: 2024-11-14