
Summary
This detection rule monitors the creation and modification of Azure virtual machines (VMs) in a Microsoft Azure subscription and surfaces changes that may indicate unauthorized activity. It runs a Splunk query over Azure activity log events, selecting records whose operation name is "Microsoft.Compute/virtualMachines/write" and whose status is "Succeeded". Filtering on the Succeeded status matters: a single Azure Resource Manager write typically produces several activity records (for example Started, then Succeeded or Failed), and only the completed operation reflects an actual change to the resource. The query aggregates the matching events by timestamp, caller, source IP address, role and action, so analysts can spot VM creations or modifications that do not fit expected patterns: an unfamiliar principal or source address, a change outside a deployment window, or a newly created instance of the kind an adversary uses to gain a foothold or evade controls. The rule maps to the ATT&CK techniques Create Cloud Instance (T1578.002) and Account Manipulation (T1098), which cover defense evasion and persistence in cloud environments. Because VM writes are routine in most subscriptions, the output is best treated as a hunting or triage feed: tune it by baselining known deployment principals and automation identities rather than alerting on every match. Monitoring these events shortens the time to detect unauthorized changes to critical cloud infrastructure.
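The following is an added example, not the rule's Splunk query, that reproduces the detection logic described above in Python over a handful of constructed Azure activity log records: keep only successful Microsoft.Compute/virtualMachines/write operations, drop the Started record that precedes each completed write, and aggregate the rest per caller, source IP, role and action. Field names follow the Azure Activity Log schema (operationName, status.value, caller, callerIpAddress, resourceId, eventTimestamp, authorization.action); the claims "roles" value and the allowlist parameter for known automation identities are assumptions used to illustrate the role column and the tuning advice, not part of the rule.

```python
"""Python replica of the VM write detection logic (added example, not the
original Splunk query). Filters Azure activity log records for successful
Microsoft.Compute/virtualMachines/write operations and aggregates them per
caller, source IP, role and action, as a hunting table would."""

# Constructed sample records for this example (not real tenant data).
# Field names follow the Azure Activity Log schema; the claims "roles" entry
# is an assumption used only to illustrate the role column.
_VM_WRITE = "Microsoft.Compute/virtualMachines/write"
_VM_DELETE = "Microsoft.Compute/virtualMachines/delete"
_RG = "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/"


def _event(ts, op, status, caller, ip, vm, role):
    return {
        "eventTimestamp": ts,
        "operationName": op,
        "status": {"value": status},
        "caller": caller,
        "callerIpAddress": ip,
        "resourceId": _RG + vm,
        "authorization": {"action": op},
        "claims": {"roles": role},
    }


SAMPLE_EVENTS = [
    # Started record for a write: must be ignored, the change is not complete yet.
    _event("2024-02-09T10:00:01Z", _VM_WRITE, "Started", "alice@example.com",
           "203.0.113.10", "vm-web-01", "Contributor"),
    # The same write completing: this is the record the rule keys on.
    _event("2024-02-09T10:00:12Z", _VM_WRITE, "Succeeded", "alice@example.com",
           "203.0.113.10", "vm-web-01", "Contributor"),
    # Expected automation identity creating a VM from a pipeline.
    _event("2024-02-09T10:02:00Z", _VM_WRITE, "Succeeded", "deploy-pipeline-sp",
           "198.51.100.5", "vm-build-07", "Contributor"),
    # A delete is a different operation and is out of scope for this rule.
    _event("2024-02-09T10:03:00Z", _VM_DELETE, "Succeeded", "alice@example.com",
           "203.0.113.10", "vm-old-03", "Contributor"),
    # Second VM touched by the same caller, IP and role: aggregated into one row.
    _event("2024-02-09T10:05:30Z", _VM_WRITE, "Succeeded", "alice@example.com",
           "203.0.113.10", "vm-web-02", "Contributor"),
    # Failed write: no change happened, so it is excluded.
    _event("2024-02-09T10:07:00Z", _VM_WRITE, "Failed", "bob@example.com",
           "192.0.2.77", "vm-web-03", "Reader"),
]


def is_successful_vm_write(event):
    """True only for a completed virtualMachines/write (status Succeeded)."""
    op = (event.get("operationName") or "").lower()
    status = (event.get("status") or {}).get("value")
    return op == _VM_WRITE.lower() and status == "Succeeded"


def summarize_vm_writes(events, allowlisted_callers=()):
    """Aggregate successful VM writes by (caller, src_ip, role, action).

    allowlisted_callers is an assumed tuning knob: principals named there
    (for example a known deployment service principal) are dropped so the
    table only shows writes outside the expected automation baseline.
    """
    groups = {}
    for e in events:
        if not is_successful_vm_write(e):
            continue
        caller = e.get("caller")
        if caller in allowlisted_callers:
            continue
        key = (caller, e.get("callerIpAddress"),
               (e.get("claims") or {}).get("roles"),
               (e.get("authorization") or {}).get("action"))
        g = groups.setdefault(key, {"count": 0, "first_seen": None,
                                    "last_seen": None, "resources": set()})
        ts = e["eventTimestamp"]  # ISO 8601 UTC strings compare lexically
        g["count"] += 1
        g["first_seen"] = ts if g["first_seen"] is None else min(g["first_seen"], ts)
        g["last_seen"] = ts if g["last_seen"] is None else max(g["last_seen"], ts)
        g["resources"].add(e.get("resourceId"))

    rows = [{"caller": c, "src_ip": ip, "role": role, "action": action,
             "count": g["count"], "first_seen": g["first_seen"],
             "last_seen": g["last_seen"], "resources": sorted(g["resources"])}
            for (c, ip, role, action), g in groups.items()]
    rows.sort(key=lambda r: r["first_seen"])
    return rows


if __name__ == "__main__":
    for row in summarize_vm_writes(SAMPLE_EVENTS, allowlisted_callers=("deploy-pipeline-sp",)):
        print(row)
```

Run stand-alone, the script prints a single row for alice@example.com covering two VMs; the pipeline service principal is suppressed by the allowlist, and the Started, Failed and delete records never reach the table. The same shape is what the Splunk query produces, which is why the Succeeded filter and a baseline of expected callers are the two knobs that decide whether the rule is noisy or useful.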
Categories
- Cloud
- Azure
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1578.002
- T1098
Created: 2024-02-09