Microsoft Intune DeviceManagementConfigurationPolicies

Splunk Security Content

Summary
Microsoft Intune is a cloud-based service that helps organizations manage and secure their devices and applications. Administrators use Intune configuration policies to enforce settings on managed devices remotely. This rule detects the creation of new device management configuration policies; monitoring these changes matters because a policy pushed by a malicious actor could weaken or disable security controls on every targeted device. Each time a new policy is created, the Azure Monitor Activity log records an operation that can be queried to identify unauthorized changes. The search query parses and renames fields to simplify the resulting output, helping security teams quickly assess which policy changed and which identities were involved.
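The page does not reproduce the rule's SPL, so the following Python is an added illustration of the mechanism the summary describes rather than Splunk's own search: it parses constructed Activity-log-style JSON records, keeps only successful policy-creation operations, and renames the relevant fields into a compact finding. The operation name, the record field names and all sample values are assumptions made for the example and must be checked against a real log sample before anything like this is deployed.

```python
import json
from typing import Dict, List

# Hypothetical operation name for Intune policy creation. The real value that
# Azure Monitor records is not stated on the page; confirm it against a live
# log sample before relying on this filter.
POLICY_CREATE_OPERATION = "Microsoft.Intune/DeviceManagementConfigurationPolicies/write"

# Constructed sample records shaped like Azure Monitor Activity log JSON.
# All identities, names and ids are synthetic; field names are assumptions.
SAMPLE_EVENTS: List[str] = [
    # A successful policy creation: this is the event the detection should flag.
    json.dumps({
        "time": "2025-01-07T10:15:02Z",
        "operationName": POLICY_CREATE_OPERATION,
        "resultType": "Success",
        "identity": {"claims": {"name": "it-admin@example.test"}},
        "properties": {
            "TargetDisplayNames": ["Endpoint hardening baseline"],
            "TargetObjectIds": ["11111111-1111-1111-1111-111111111111"],
        },
    }),
    # A read of the same resource type: not a change, so it is ignored.
    json.dumps({
        "time": "2025-01-07T10:16:40Z",
        "operationName": "Microsoft.Intune/DeviceManagementConfigurationPolicies/read",
        "resultType": "Success",
        "identity": {"claims": {"name": "helpdesk@example.test"}},
        "properties": {},
    }),
    # A creation attempt that failed: nothing was enforced, so it is skipped here.
    json.dumps({
        "time": "2025-01-07T10:18:09Z",
        "operationName": POLICY_CREATE_OPERATION,
        "resultType": "Failure",
        "identity": {"claims": {"name": "contractor@example.test"}},
        "properties": {"TargetDisplayNames": ["Test policy"]},
    }),
    # A line that is not valid JSON, to show malformed input is tolerated.
    "not a json record",
]


def parse_event(raw: str) -> Dict:
    """Parse one raw log line; return an empty dict for malformed input."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError:
        return {}
    return event if isinstance(event, dict) else {}


def detect_policy_creations(raw_events: List[str]) -> List[Dict[str, str]]:
    """Return one normalized finding per successful policy-creation operation.

    The renaming step (operationName -> operation, identity claim -> user,
    target display name -> policy_name) mirrors the kind of field tidying the
    summary attributes to the search query.
    """
    findings: List[Dict[str, str]] = []
    for raw in raw_events:
        event = parse_event(raw)
        if event.get("operationName") != POLICY_CREATE_OPERATION:
            continue
        if event.get("resultType") != "Success":
            continue
        props = event.get("properties") or {}
        names = props.get("TargetDisplayNames") or []
        ids = props.get("TargetObjectIds") or []
        findings.append({
            "time": event.get("time", "unknown"),
            "user": event.get("identity", {}).get("claims", {}).get("name", "unknown"),
            "operation": event["operationName"],
            "policy_name": names[0] if names else "unknown",
            "policy_id": ids[0] if ids else "unknown",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_policy_creations(SAMPLE_EVENTS):
        print(finding)
```

Failed creation attempts are dropped here only to keep the example focused on enforced changes; an analyst tuning a real rule may well want to surface repeated failures by the same identity as a separate signal.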
Categories
  • Cloud
  • Identity Management
  • On-Premise
Data Sources
  • Cloud Service
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1072
  • T1484
  • T1021.007
  • T1562.001
  • T1562.004
Created: 2025-01-07