
Summary
This detection rule identifies modifications or deletions of Network Security Group (NSG) configurations in Azure environments. It captures the significant operations: changes to NSG settings, modification of security rules, association of an NSG with a subnet, and alteration of the NSG's diagnostic settings. These operations are worth monitoring because of the risk they carry: loosening or removing an NSG supports defense evasion, gives a threat actor a persistent path into the network, and can prepare the ground for data exfiltration, while changes to diagnostic settings can blind logging. By analyzing the logged operations, security teams can spot unusual patterns of activity that may indicate malicious behavior. The recommended triage step is to review administrative actions performed around the same time from the same caller IP, to determine whether the change was part of a coordinated attack or a misconfiguration.
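The detection and triage logic described above, as an added Python example (not the rule's own query): it classifies Azure Activity log records into the NSG operations the summary lists, keeps only completed operations, and then pulls the other operations issued from the same caller IP within a time window. The field names (time, operationName, resultType, caller, callerIpAddress, resourceId, properties) follow the Activity log export schema and the operation names are Azure resource-provider operations, but both are assumptions here rather than something the summary states; the log records are constructed.

```python
import json
from datetime import datetime, timedelta

# Assumed Azure Activity log operation names (matched case-insensitively) that
# cover the NSG events the rule describes. The labels are this example's own.
NSG_OPERATIONS = {
    "microsoft.network/networksecuritygroups/write": "nsg_modified",
    "microsoft.network/networksecuritygroups/delete": "nsg_deleted",
    "microsoft.network/networksecuritygroups/securityrules/write": "rule_modified",
    "microsoft.network/networksecuritygroups/securityrules/delete": "rule_deleted",
    "microsoft.network/virtualnetworks/subnets/write": "subnet_nsg_association",
    "microsoft.insights/diagnosticsettings/write": "diagnostics_modified",
    "microsoft.insights/diagnosticsettings/delete": "diagnostics_deleted",
}

# Constructed sample records, trimmed to the fields this example uses.
SUB = "/subscriptions/EXAMPLE-SUB/resourceGroups/prod-rg/providers"
SAMPLE_EVENTS = [
    # Start phase of a rule write: same caller, must not be counted twice.
    {"time": "2026-01-14T09:59:50Z", "operationName": "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE",
     "resultType": "Start", "caller": "admin@example.com", "callerIpAddress": "203.0.113.10",
     "resourceId": SUB + "/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/allow-any", "properties": {}},
    {"time": "2026-01-14T10:00:00Z", "operationName": "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE",
     "resultType": "Success", "caller": "admin@example.com", "callerIpAddress": "203.0.113.10",
     "resourceId": SUB + "/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/allow-any", "properties": {}},
    {"time": "2026-01-14T10:03:00Z", "operationName": "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE",
     "resultType": "Success", "caller": "admin@example.com", "callerIpAddress": "203.0.113.10",
     "resourceId": SUB + "/Microsoft.Network/networkSecurityGroups/web-nsg/providers/microsoft.insights/diagnosticSettings/flowlogs", "properties": {}},
    # Unrelated operation from the same caller: context for triage only.
    {"time": "2026-01-14T10:05:00Z", "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION",
     "resultType": "Success", "caller": "admin@example.com", "callerIpAddress": "203.0.113.10",
     "resourceId": SUB + "/Microsoft.Compute/virtualMachines/web-01", "properties": {}},
    # Failed NSG delete: not a completed change, but still relevant context.
    {"time": "2026-01-14T10:20:00Z", "operationName": "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE",
     "resultType": "Failure", "caller": "admin@example.com", "callerIpAddress": "203.0.113.10",
     "resourceId": SUB + "/Microsoft.Network/networkSecurityGroups/web-nsg", "properties": {}},
    # Subnet write that only changes the address prefix: no NSG involved.
    {"time": "2026-01-14T11:00:00Z", "operationName": "MICROSOFT.NETWORK/VIRTUALNETWORKS/SUBNETS/WRITE",
     "resultType": "Success", "caller": "netops@example.com", "callerIpAddress": "198.51.100.5",
     "resourceId": SUB + "/Microsoft.Network/virtualNetworks/prod-vnet/subnets/db",
     "properties": {"requestbody": "{\"properties\":{\"addressPrefix\":\"10.0.1.0/24\"}}"}},
    # Subnet write whose request body attaches an NSG: counts as an association.
    {"time": "2026-01-14T11:02:00Z", "operationName": "MICROSOFT.NETWORK/VIRTUALNETWORKS/SUBNETS/WRITE",
     "resultType": "Success", "caller": "netops@example.com", "callerIpAddress": "198.51.100.5",
     "resourceId": SUB + "/Microsoft.Network/virtualNetworks/prod-vnet/subnets/db",
     "properties": {"requestbody": "{\"properties\":{\"networkSecurityGroup\":{\"id\":\""
                    + SUB + "/Microsoft.Network/networkSecurityGroups/db-nsg\"}}}"}},
]


def parse_time(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify_event(event):
    """Return a label for a completed NSG-related write/delete, else None."""
    label = NSG_OPERATIONS.get(event.get("operationName", "").lower())
    if label is None:
        return None
    # Azure logs Start/Success/Failure phases; only count the completed one.
    if event.get("resultType", "").lower() not in ("success", "succeeded"):
        return None
    if label == "subnet_nsg_association":
        # Subnets are written for many reasons; flag only when the request
        # body references an NSG resource (assumed body location).
        if "networksecuritygroups" not in json.dumps(event.get("properties", {})).lower():
            return None
    return label


def detect_nsg_changes(events):
    """One finding per completed NSG-related operation, in log order."""
    return [{"time": e["time"], "label": lab, "caller": e.get("caller"),
             "callerIpAddress": e.get("callerIpAddress"), "resourceId": e.get("resourceId")}
            for e in events if (lab := classify_event(e))]


def nearby_actions(events, caller_ip, anchor_time, window_minutes=30):
    """Every operation from caller_ip within +/- window of anchor_time, any result."""
    anchor, window = parse_time(anchor_time), timedelta(minutes=window_minutes)
    return sorted((e for e in events if e.get("callerIpAddress") == caller_ip
                   and abs(parse_time(e["time"]) - anchor) <= window), key=lambda e: e["time"])


def triage(events, window_minutes=30):
    """Group findings per caller IP with the surrounding operations for review."""
    report = {}
    for f in detect_nsg_changes(events):
        ip = f["callerIpAddress"]
        entry = report.setdefault(ip, {"findings": [], "context_ops": set()})
        entry["findings"].append(f["label"])
        entry["context_ops"].update(e["operationName"] for e in nearby_actions(events, ip, f["time"], window_minutes))
    return report


if __name__ == "__main__":
    for ip, r in triage(SAMPLE_EVENTS).items():
        print(ip, r["findings"], sorted(r["context_ops"]))
```

Filtering on the completed phase matters: each Azure control-plane write produces a Start record and a Success or Failure record with the same operation name, so matching on operation name alone double-counts. The failed delete is deliberately excluded from findings but kept in the caller-IP context, since a failed attempt next to a successful rule change is exactly the pattern the triage step is meant to surface.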
Categories
- Cloud
- Azure
- Infrastructure
Data Sources
- Network Traffic
- Application Log
- Logon Session
ATT&CK Techniques
- T1562.007
- T1485
- T1562
Created: 2026-01-14