
Azure Full Network Packet Capture Detected

Elastic Detection Rules

Summary
This rule identifies use of the Packet Capture feature of Azure Network Watcher, a diagnostic tool for inspecting traffic to and from Azure resources. An adversary who holds the permissions needed to start a capture can use it to read unencrypted data crossing the network, including credentials sent in cleartext.

The rule queries Azure activity logs for successful operations that start or create a packet capture, matching on the operation names that Azure's network resource provider records for these actions. It is written in KQL (Kibana Query Language). Activity by authorized personnel running diagnostics, or by automation performing routine operations, also matches, so an alert needs triage rather than automatic response.

The investigation guide recommends confirming whether a detected capture is legitimate by reviewing the associated activity and network logs, identifying the affected resources and IP addresses, and contacting the user or service principal responsible. If the capture is confirmed to be unauthorized, the recommended remediation is to isolate the affected network segments and revoke the access that was used.
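As an added illustration (not the Elastic rule's own query or code), the following Python re-implements the rule's matching step and runs it over constructed Azure activity log records, then applies the first triage step from the investigation guide. The operation-name patterns, the ECS-style field layout (event.dataset, event.outcome, azure.activitylogs.operation_name, user.name, source.ip) and every identity and IP in the samples are assumptions made for this example; check the rule source for the exact query.

```python
import fnmatch

# Operation names this check looks for. Assumed here to reflect the rule's
# intent (they follow Azure's Microsoft.Network resource-provider naming);
# confirm against the rule source before relying on them. '*' stands for any
# resource path between the provider and the action.
PACKET_CAPTURE_OPERATIONS = (
    "MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION",
    "MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION",
    "MICROSOFT.NETWORK/NETWORKWATCHERS/PACKETCAPTURES/WRITE",
)


def _get(record, *path, default=""):
    """Walk nested dicts, e.g. _get(r, "azure", "activitylogs", "operation_name")."""
    cur = record
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def matches_rule(record):
    """True when a record would fire the rule: it is an Azure activity log
    event, its operation name is one of the packet capture operations
    (compared case-insensitively, since Azure logs mixed-case names), and the
    outcome is a success. Failed attempts are deliberately not matched, which
    mirrors the rule's focus on captures that actually started."""
    if _get(record, "event", "dataset") != "azure.activitylogs":
        return False
    op = _get(record, "azure", "activitylogs", "operation_name").upper()
    if not any(fnmatch.fnmatchcase(op, p) for p in PACKET_CAPTURE_OPERATIONS):
        return False
    return _get(record, "event", "outcome").lower() == "success"


def run_rule(records):
    """Return the records that would become alerts."""
    return [r for r in records if matches_rule(r)]


def needs_review(alerts, approved_principals):
    """First triage step: alerts raised by identities that are not known to
    run network diagnostics are the ones to investigate further."""
    approved = {p.lower() for p in approved_principals}
    return [a for a in alerts if _get(a, "user", "name").lower() not in approved]


def _record(dataset, operation, outcome, user, ip):
    return {
        "event": {"dataset": dataset, "outcome": outcome},
        "azure": {"activitylogs": {"operation_name": operation}},
        "user": {"name": user},
        "source": {"ip": ip},
    }


# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    # 1. capture started on a VPN connection by automation: matches
    _record("azure.activitylogs",
            "MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION",
            "Success", "netops-automation@example.com", "203.0.113.10"),
    # 2. Network Watcher packet capture created by a user: matches
    _record("azure.activitylogs",
            "MICROSOFT.NETWORK/NETWORKWATCHERS/PACKETCAPTURES/WRITE",
            "success", "j.doe@example.com", "198.51.100.7"),
    # 3. same operation but it failed (e.g. missing permission): no match
    _record("azure.activitylogs",
            "MICROSOFT.NETWORK/NETWORKWATCHERS/PACKETCAPTURES/WRITE",
            "Failure", "j.doe@example.com", "198.51.100.7"),
    # 4. a different Network Watcher write: no match
    _record("azure.activitylogs",
            "MICROSOFT.NETWORK/NETWORKWATCHERS/CONNECTIONMONITORS/WRITE",
            "Success", "j.doe@example.com", "198.51.100.7"),
    # 5. right operation, wrong data source: no match
    _record("azure.auditlogs",
            "MICROSOFT.NETWORK/NETWORKWATCHERS/PACKETCAPTURES/WRITE",
            "Success", "j.doe@example.com", "198.51.100.7"),
    # 6. mixed-case operation name as Azure may record it: matches
    _record("azure.activitylogs",
            "Microsoft.Network/networkWatchers/packetCaptures/write",
            "Success", "a.nguyen@example.com", "192.0.2.44"),
]

if __name__ == "__main__":
    alerts = run_rule(SAMPLE_RECORDS)
    for a in needs_review(alerts, ["netops-automation@example.com"]):
        print(f"review: {a['user']['name']} from {a['source']['ip']} "
              f"ran {a['azure']['activitylogs']['operation_name']}")
```

Records 1, 2 and 6 fire; with the automation account on the approved list, only the two human-initiated captures are left for review. The approved list is a triage aid, not part of the rule: an approved identity whose credentials have been stolen still shows up as an alert, so the caller IP and timing should be checked even for "expected" principals.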
Categories
  • Cloud
  • Azure
  • Network
Data Sources
  • Cloud Service
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1040 (Network Sniffing)
Created: 2021-08-12