Azure Automation Runbook Created or Modified

Panther Rules

Summary
This rule detects the creation, modification, or publication of Azure Automation runbooks, which can contain executable scripts that automate tasks in Azure environments. Threat actors may abuse these runbooks to maintain persistence, escalate privileges, or run malicious scripts. The detection monitors changes to runbooks, including draft creation, modifications, and publishing events, to identify potentially unauthorized automation activity. The rule's process involves querying Azure Monitor Activity logs, examining the caller's activity patterns over time, and identifying related automation activity close to the alert.
Categories
  • Cloud
  • Azure
Data Sources
  • Logon Session
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1078.004
  • T1059
Created: 2026-01-14
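
The matching step described in the Summary can be sketched as follows. This is an added example, not Panther's rule source: the field names (`operationName`, `resultType`, `caller`, `time`, `resourceId`) are assumed to follow the Azure Activity log export, and the sample events are constructed.

```python
from collections import defaultdict

# Azure resource-provider operations for runbook create/update, draft edit and publish.
RUNBOOK_OPS = {
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE",
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE",
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION",
}

def is_runbook_change(event):
    """True for a completed runbook create, modify or publish operation."""
    op = str(event.get("operationName", "")).upper()  # casing varies by export path
    # One operation emits several records (Start, Accept, Success); alert on the final one.
    return op in RUNBOOK_OPS and str(event.get("resultType", "")).lower() == "success"

def runbook_name(event):
    """Pull the runbook name out of .../runbooks/<name>[/draft]."""
    parts = str(event.get("resourceId", "")).split("/")
    lowered = [p.lower() for p in parts]
    if "runbooks" in lowered and lowered.index("runbooks") + 1 < len(parts):
        return parts[lowered.index("runbooks") + 1]
    return None

def changes_by_caller(events):
    """Group matching events per caller, oldest first, as triage context."""
    grouped = defaultdict(list)
    for ev in events:
        if is_runbook_change(ev):
            action = ev["operationName"].upper().rsplit("RUNBOOKS/", 1)[1]
            grouped[ev.get("caller", "<unknown>")].append(
                (str(ev.get("time", "")), action, runbook_name(ev)))
    return {c: sorted(rows, key=lambda r: r[0]) for c, rows in grouped.items()}

# Constructed sample records (placeholder subscription, accounts and callers).
_RID = ("/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Automation"
        "/automationAccounts/acct/runbooks/")
_OP = "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/"
SAMPLE_EVENTS = [
    {"time": "2026-01-14T10:02:00Z", "caller": "alice@example.com", "resultType": "Success",
     "operationName": _OP + "PUBLISH/ACTION", "resourceId": _RID + "Cleanup-VMs"},
    {"time": "2026-01-14T10:00:00Z", "caller": "alice@example.com", "resultType": "Success",
     "operationName": _OP + "DRAFT/WRITE", "resourceId": _RID + "Cleanup-VMs/draft"},
    {"time": "2026-01-14T11:00:00Z", "caller": "bob@example.com", "resultType": "Start",
     "operationName": _OP + "WRITE", "resourceId": _RID + "Rotate-Keys"},
    {"time": "2026-01-14T11:05:00Z", "caller": "bob@example.com", "resultType": "Success",
     "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION", "resourceId": "/x"},
    {"time": "2026-01-14T12:00:00Z", "caller": "svc-app-id", "resultType": "Success",
     "operationName": "Microsoft.Automation/automationAccounts/runbooks/write",
     "resourceId": _RID + "Rotate-Keys"},
]
```

Grouping by caller puts the draft edit and the publish of the same runbook side by side, which is the caller-over-time context the Summary describes.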