
Summary
This detection rule identifies a user type change in Azure Active Directory (now Entra ID): a user being converted from 'Guest' to 'Member'. It inspects operations recorded in the Azure audit log, filtering on the 'UserManagement' category and the 'Update user' operation, and then checks the modified properties of the target user for a UserType change whose old value is 'Guest' and whose new value is 'Member'. Guest accounts are, by default, restricted in what they can read in the directory; converting one to a Member lifts those restrictions and grants standard member-level directory permissions, so the change widens the access of what is usually an external identity. That makes it a step an attacker holding sufficient directory privileges could take to entrench access, and it is just as worth catching when it results from misconfiguration or an automation mistake. Guest-to-Member conversions also happen legitimately, for example when an external collaborator is hired as an employee, so a match should be checked against change records for the initiating administrator and the target account rather than treated as malicious on sight.
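The matching logic described above, run over a few constructed audit records, as an added example written for this page (it is not the rule's own implementation). The field names (category, activityDisplayName, initiatedBy, targetResources[].modifiedProperties[] with displayName/oldValue/newValue) follow the Microsoft Graph directoryAudit schema; SIEM exports such as the Azure Monitor AuditLogs table flatten the same data into different column names, so adapt the accessors if you run this against those. The sample records, user names and tenant domain are made up.

```python
"""Flag Azure AD (Entra ID) audit-log records where a user's UserType was
changed from Guest to Member.

Illustrative code written for this page, not the detection rule's own code.
Field names follow the Microsoft Graph directoryAudit schema; the records in
SAMPLE_RECORDS are constructed, not captured from a real tenant.
"""
import json
from typing import Any, Dict, Iterable, List


def _decode_value(raw: Any) -> List[str]:
    """modifiedProperties old/new values arrive as JSON-encoded strings,
    usually a one-element array such as '["Guest"]'. Normalise to a list of
    plain strings so '["Guest"]', '"Guest"' and 'Guest' all compare equal."""
    if raw is None:
        return []
    if not isinstance(raw, str):
        return [str(raw)]
    try:
        decoded = json.loads(raw)
    except json.JSONDecodeError:
        return [raw]
    if isinstance(decoded, list):
        return [str(v) for v in decoded]
    return [str(decoded)]


def is_guest_to_member(record: Dict[str, Any]) -> bool:
    """True when the record is an 'Update user' operation in the
    UserManagement category and a target's UserType went Guest -> Member."""
    if record.get("category") != "UserManagement":
        return False
    if record.get("activityDisplayName") != "Update user":
        return False
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") != "UserType":
                continue
            old = _decode_value(prop.get("oldValue"))
            new = _decode_value(prop.get("newValue"))
            # Direction matters: Member -> Guest is a downgrade and must not fire.
            if "Guest" in old and "Member" in new:
                return True
    return False


def find_guest_to_member(records: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Run the detection over a batch of records and return one compact
    alert per match: when it happened, who did it, and to whom."""
    alerts = []
    for rec in records:
        if not is_guest_to_member(rec):
            continue
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        targets = [t.get("userPrincipalName") or t.get("id", "<unknown>")
                   for t in rec.get("targetResources", [])]
        alerts.append({"time": rec.get("activityDateTime", ""),
                       "actor": actor, "target": ", ".join(targets)})
    return alerts


def _update_user(ts: str, actor: str, target: str, prop: str, old: str, new: str) -> Dict[str, Any]:
    """Build one constructed 'Update user' audit record."""
    return {
        "activityDateTime": ts,
        "category": "UserManagement",
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{
            "type": "User",
            "userPrincipalName": target,
            "modifiedProperties": [{"displayName": prop, "oldValue": old, "newValue": new}],
        }],
    }


# Constructed sample data (not real tenant data): one Guest -> Member change,
# one harmless display-name update, one Member -> Guest downgrade.
SAMPLE_RECORDS = [
    _update_user("2022-06-30T10:15:00Z", "admin@contoso.example",
                 "partner_fabrikam.example#EXT#@contoso.example",
                 "UserType", '["Guest"]', '["Member"]'),
    _update_user("2022-06-30T10:16:00Z", "admin@contoso.example",
                 "alice@contoso.example", "DisplayName", '["Alice"]', '["Alice Smith"]'),
    _update_user("2022-06-30T10:17:00Z", "admin@contoso.example",
                 "bob@contoso.example", "UserType", '["Member"]', '["Guest"]'),
]

if __name__ == "__main__":
    for alert in find_guest_to_member(SAMPLE_RECORDS):
        print(f"{alert['time']} {alert['actor']} changed {alert['target']} from Guest to Member")
```

The value normalisation in `_decode_value` is the part most often got wrong when porting this rule to a SIEM: a naive equality test against the literal `Guest` misses records where the value is stored as the JSON string `["Guest"]`, and a substring test on the raw field fires on both directions of the change unless old and new values are compared separately, as above.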
Categories
- Cloud
- Identity Management
- Azure
Data Sources
- User Account
- Logon Session
- Cloud Service
Created: 2022-06-30