
Summary
This rule detects anomalous Windows endpoint activity where the Azure CLI (az.cmd or azure.cli) is used to manage Entra/Azure AD user accounts, such as creating or deleting users. It ingests endpoint telemetry from Sysmon (Event ID 1), Windows Security (Event ID 4688), and CrowdStrike ProcessRollup2 to identify command-line executions and their process context. The detection looks for Azure CLI processes whose command lines contain the ad and user subcommands, then surfaces metadata including user, destination host, parent process, process name and path, and process integrity level. While legitimate administrative use is expected, anomalous execution patterns, unfamiliar or newly created users, or unusual parent processes should be treated as potential compromise and investigated promptly. The rule supports drilldown views of specific user/destination activity and risk event timelines, and aligns with MITRE ATT&CK techniques related to account creation, persistence, and discovery.
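The matching logic described above, as an added example that is not part of the original rule or its vendor implementation. It runs over constructed Sysmon Event ID 1 style records (not real telemetry), filters to the az.cmd and azure.cli process names named in the summary, looks for an "ad user <action>" subcommand in the command line, and returns the fields the rule surfaces (user, destination host, parent process, process name and path, integrity level). The field names, the action regex and the helper names are assumptions chosen for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Process names the rule keys on (taken from the rule summary).
AZURE_CLI_PROCESSES = {"az.cmd", "azure.cli"}

# Assumed pattern for the Azure CLI "ad user <action>" subcommand group.
AD_USER_PATTERN = re.compile(
    r"\bad\s+user\s+(create|delete|update|show|list)\b", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    user: str
    dest: str
    parent_process: str
    process_name: str
    process_path: str
    integrity_level: str
    action: str
    command_line: str


def _basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: list) -> list:
    """Return a Finding for each Sysmon Event ID 1 record in which the Azure CLI
    runs an 'ad user' subcommand. Other event IDs and other processes are ignored."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:  # process creation only
            continue
        process_path = ev.get("Image", "")
        process_name = _basename(process_path)
        if process_name not in AZURE_CLI_PROCESSES:
            continue
        command_line = ev.get("CommandLine", "")
        match = AD_USER_PATTERN.search(command_line)
        if match is None:
            continue
        findings.append(Finding(
            user=ev.get("User", ""),
            dest=ev.get("Computer", ""),
            parent_process=_basename(ev.get("ParentImage", "")),
            process_name=process_name,
            process_path=process_path,
            integrity_level=ev.get("IntegrityLevel", ""),
            action=match.group(1).lower(),
            command_line=command_line,
        ))
    return findings


def by_user_and_dest(findings: list) -> dict:
    """Count findings per (user, destination host): the grouping an analyst
    drills into when triaging this alert."""
    return dict(Counter((f.user, f.dest) for f in findings))


# Constructed sample telemetry (not real log data), shaped like Sysmon Event ID 1 fields.
AZ_PATH = r"C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.cmd"
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WKS01.corp.example", "User": r"CORP\jdoe",
     "Image": AZ_PATH, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "IntegrityLevel": "Medium",
     "CommandLine": '"' + AZ_PATH + '" ad user create --display-name svc-backup'
                    ' --user-principal-name svc-backup@corp.example'},
    {"EventID": 1, "Computer": "WKS01.corp.example", "User": r"CORP\jdoe",
     "Image": AZ_PATH, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "IntegrityLevel": "Medium",
     "CommandLine": '"' + AZ_PATH + '" storage account list'},  # Azure CLI, not ad user
    {"EventID": 1, "Computer": "SRV02.corp.example", "User": r"CORP\admin",
     "Image": r"C:\Tools\azure.cli",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "IntegrityLevel": "High",
     "CommandLine": "azure.cli ad user delete --id jsmith@corp.example"},
    {"EventID": 1, "Computer": "WKS01.corp.example", "User": r"CORP\jdoe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium",
     "CommandLine": "notepad.exe ad user create"},  # keywords present, wrong process
    {"EventID": 11, "Computer": "WKS01.corp.example", "User": r"CORP\jdoe",
     "Image": AZ_PATH, "CommandLine": "az.cmd ad user create"},  # not a process-creation event
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.dest} {f.user} {f.parent_process} -> {f.process_name} ad user {f.action}")
    print(by_user_and_dest(detect(SAMPLE_EVENTS)))
```

Only the first and third sample events produce findings: the second is Azure CLI activity outside the ad user subcommand, the fourth carries the keywords in an unrelated process, and the fifth is not a process-creation event. The per-user/destination counts are the starting point for the drilldown the summary mentions; baselining those counts against known administrators and expected parent processes (cmd.exe or powershell.exe from an admin workstation) is what separates routine account management from the anomalous patterns the rule is meant to catch.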
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1136.003
- T1136
- T1078.004
- T1098
Created: 2026-04-13