Azure Policy Changed

Panther Rules

Summary
This detection rule monitors Azure Audit Logs for changes to policies. It focuses on identifying unauthorized or unexpected modifications, such as the deletion, update, or addition of policies that could affect the security posture of an Azure tenant. When a policy change is detected, the rule reports the user who initiated the change, the type of operation carried out, the affected resource, and whether the change succeeded. Each detected policy change is evaluated based on its audit log category and recorded for further analysis. The prescribed response is to verify that the change was authorized and to revert it if it was not. The rule is also mapped to the MITRE ATT&CK framework so it aligns with broader threat detection strategies.
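The logic described above, as an added example in the shape of a Panther Python rule (a `rule()` predicate plus a `title()` formatter); this is not Panther's published rule code. It assumes Azure AD audit log events carrying the `category`, `operationName`, `result`, `initiatedBy` and `targetResources` fields, and the policy operation names it matches on are assumptions; the sample events are constructed.

```python
"""Added example, not Panther's own rule code. Assumes Azure AD audit log
events with the fields category, operationName, result, initiatedBy and
targetResources; the operation names below are assumed, and the sample
events at the bottom are constructed."""

# Policy operations that change a tenant's security posture (assumed names)
POLICY_OPERATIONS = {"Add policy", "Update policy", "Delete policy"}


def rule(event: dict) -> bool:
    """Fire when a Policy-category audit event adds, updates or deletes a policy."""
    if event.get("category") != "Policy":
        return False
    return event.get("operationName") in POLICY_OPERATIONS


def actor(event: dict) -> str:
    """Return the user principal or application that initiated the change."""
    initiated = event.get("initiatedBy") or {}
    user = initiated.get("user") or {}
    app = initiated.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "<unknown>"


def title(event: dict) -> str:
    """Alert title carrying actor, operation, affected resource and outcome."""
    targets = event.get("targetResources") or []
    resource = targets[0].get("displayName", "<unknown>") if targets else "<unknown>"
    return (f"Azure policy changed: {actor(event)} performed "
            f"'{event.get('operationName')}' on '{resource}' "
            f"(result: {event.get('result', 'unknown')})")


# Constructed sample events: two policy changes (one failed) and one unrelated event
SAMPLE_EVENTS = [
    {"category": "Policy", "operationName": "Update policy", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"displayName": "Require MFA for admins"}]},
    {"category": "Policy", "operationName": "Delete policy", "result": "failure",
     "initiatedBy": {"app": {"displayName": "Automation App"}},
     "targetResources": [{"displayName": "Block legacy auth"}]},
    {"category": "UserManagement", "operationName": "Update user", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "hr@example.com"}},
     "targetResources": [{"displayName": "Jane Doe"}]},
]


def alerts(events: list) -> list:
    """Run the rule over a batch of events and return one alert title per match."""
    return [title(e) for e in events if rule(e)]
```

Failed attempts are reported too, since a denied deletion is still worth the authorization check the summary prescribes.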
Categories
  • Cloud
  • Infrastructure
  • Identity Management
Data Sources
  • Logon Session
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1526
Created: 2025-02-10