
Summary
This rule detects the generation of Shared Access Signature (SAS) URIs for Azure managed disks attached to virtual machines. A SAS URI grants time-limited access to the disk contents stored in Azure Storage to anyone holding the URI; the holder does not authenticate to Azure AD, the signature alone authorizes the download. An adversary with the permission to grant disk access can use this to download whole virtual machine disks, which may contain operating systems, applications, configuration files and credentials. The rule identifies this potential data exfiltration path by monitoring Azure Activity Log events, collected through Azure Monitor, for the operation that grants access to a disk. Because the subsequent download is made against the storage endpoint with only the signed URI, it produces no sign-in event and no further compute control-plane call, so the access-grant event is the main detection opportunity and should be investigated promptly: confirm that the caller, the target disk and the requested SAS lifetime match an expected backup, migration or support workflow.
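The following is an added example of the detection logic described above run over constructed Activity Log entries; it is not the rule's own query and not code from the page. It assumes the rule keys on the ARM operation Microsoft.Compute/disks/beginGetAccess/action (the "Grant Access" call that returns a disk SAS URI), that a simplified record layout with operationName, resultType, caller, resourceId and properties.requestbody is available, and that only entries with resultType "Success" are alerted on, since the Activity Log also emits start and failure records for the same operation.

```python
"""Flag Azure Activity Log entries that grant SAS access to a managed disk.

Editor-added example. The operation name and the flattened record layout are
assumptions; the page does not list the rule's exact filter or field names.
"""
import json

# Assumed ARM operation that grants SAS access to a managed disk ("Grant Access").
# Activity Log records the name in mixed or upper case, so compare lower-cased.
SAS_GRANT_OPERATION = "microsoft.compute/disks/begingetaccess/action"

SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Constructed sample entries (not real telemetry) in a simplified layout.
SAMPLE_EVENTS = [
    {
        # Successful grant: a 24 hour read SAS on the OS disk of vm01.
        "operationName": "MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION",
        "resultType": "Success",
        "caller": "alice@contoso.example",
        "resourceId": SUBSCRIPTION + "/resourceGroups/rg-prod/providers/"
                      "Microsoft.Compute/disks/vm01_OsDisk",
        "properties": {"requestbody": json.dumps(
            {"access": "Read", "durationInSeconds": 86400})},
    },
    {
        # Same operation, but the request was denied; no SAS URI was issued.
        "operationName": "MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION",
        "resultType": "Failure",
        "caller": "bob@contoso.example",
        "resourceId": SUBSCRIPTION + "/resourceGroups/rg-prod/providers/"
                      "Microsoft.Compute/disks/vm02_OsDisk",
        "properties": {"requestbody": json.dumps(
            {"access": "Read", "durationInSeconds": 3600})},
    },
    {
        # Unrelated compute operation; must not match.
        "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION",
        "resultType": "Success",
        "caller": "alice@contoso.example",
        "resourceId": SUBSCRIPTION + "/resourceGroups/rg-prod/providers/"
                      "Microsoft.Compute/virtualMachines/vm01",
        "properties": {},
    },
]


def is_successful_sas_grant(event):
    """True when the entry records a completed Grant Access call on a disk."""
    op = event.get("operationName", "").lower()
    return op == SAS_GRANT_OPERATION and event.get("resultType") == "Success"


def sas_duration_seconds(event):
    """Return the requested SAS lifetime from the request body, or None."""
    body = event.get("properties", {}).get("requestbody")
    if not body:
        return None
    try:
        return json.loads(body).get("durationInSeconds")
    except (ValueError, AttributeError):
        # Malformed or non-object body: keep the alert, just without a lifetime.
        return None


def detect_disk_sas_grants(events):
    """Return one alert dict per successful disk SAS grant in the input."""
    alerts = []
    for ev in events:
        if not is_successful_sas_grant(ev):
            continue
        alerts.append({
            "caller": ev.get("caller"),
            # Last path segment of the resource ID is the disk name.
            "disk": ev.get("resourceId", "").rsplit("/", 1)[-1],
            "duration_seconds": sas_duration_seconds(ev),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_disk_sas_grants(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed input, only the first entry is reported, attributed to alice@contoso.example for vm01_OsDisk with an 86400 second lifetime. In triage, the caller identity and the requested lifetime are the two fields to compare against known backup or migration workflows; a long-lived read SAS requested by an identity that does not normally manage disks is the case the rule is meant to surface.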
Categories
- Cloud
- Infrastructure
Data Sources
- Cloud Service
- Logon Session
ATT&CK Techniques
- T1567.002
- T1530
Created: 2026-01-14