Set Default Azure Subscription

Anvilogic Forge

Summary
This detection rule monitors executions of the Azure PowerShell cmdlet `Set-AzContext`, which selects the Azure context (subscription and tenant) that subsequent Az cmdlets in the session run against and, when saved with a persistent scope, the default context for later sessions. In tenants that manage several subscriptions, this is the step an operator, or an attacker with a compromised identity, takes before acting in a chosen subscription. The rule uses the `get_cloud_data` function to query cloud data logs that record execution of `Set-AzContext`, then tables the key attributes of each event: event time, user information, source IP, and the subscription action taken. The rule is mapped to account manipulation (T1098) because a context switch can precede attempts to establish persistence or misuse privileges within an Azure environment. Switching context is also routine administrative activity, so these events are most useful when correlated with what the same user does next (role assignments, credential or key changes) rather than as a stand-alone alert; capturing them gives security teams the session context needed to reconstruct and respond to suspicious behavior promptly.
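As an added illustration, and not the Forge rule's own query (which runs inside the Anvilogic platform), the following Python reproduces the rule's logic over constructed sample records: it selects command lines that invoke `Set-AzContext`, pulls the subscription and tenant arguments, and tables the same attributes the rule reports (time, user, source IP, subscription action). The record layout (`time`, `user`, `src_ip`, `command`) and the records themselves are assumptions. It goes slightly beyond the page by also matching the documented `Select-AzSubscription` alias of `Set-AzContext` and by summarizing which subscriptions each user touched, a grouping that helps triage the routine-admin case discussed above.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample records, not real telemetry: each entry stands in for one
# logged PowerShell command execution carrying the fields the rule tabulates.
SAMPLE_RECORDS = [
    {"time": "2024-02-09T10:01:12Z", "user": "alice@contoso.example", "src_ip": "203.0.113.10",
     "command": "Set-AzContext -Subscription 'Prod-Payments'"},
    {"time": "2024-02-09T10:01:30Z", "user": "alice@contoso.example", "src_ip": "203.0.113.10",
     "command": "Get-AzVM -ResourceGroupName rg-web"},
    {"time": "2024-02-09T11:47:05Z", "user": "svc-deploy@contoso.example", "src_ip": "198.51.100.7",
     "command": "set-azcontext -SubscriptionId 11111111-2222-3333-4444-555555555555 -Tenant contoso.example"},
    {"time": "2024-02-09T11:48:40Z", "user": "svc-deploy@contoso.example", "src_ip": "198.51.100.7",
     "command": 'Select-AzSubscription -SubscriptionName "Dev-Sandbox"'},
    {"time": "2024-02-09T12:00:00Z", "user": "bob@contoso.example", "src_ip": "192.0.2.44",
     "command": "Set-AzContext -Context $ctx"},
]

# Set-AzContext plus its documented alias; PowerShell cmdlet names are case-insensitive.
CMDLET_RE = re.compile(r"\b(Set-AzContext|Select-AzSubscription)\b", re.IGNORECASE)

# A parameter value: double-quoted, single-quoted, or a bare token.
_VALUE = r"(?:\"([^\"]*)\"|'([^']*)'|(\S+))"
# -Subscription and its -SubscriptionId / -SubscriptionName aliases.
SUBSCRIPTION_RE = re.compile(r"-Subscription(?:Id|Name)?\s+" + _VALUE, re.IGNORECASE)
# -Tenant and its -TenantId alias.
TENANT_RE = re.compile(r"-Tenant(?:Id)?\s+" + _VALUE, re.IGNORECASE)


@dataclass(frozen=True)
class ContextChange:
    """One tabled event: the attributes the rule reports for a context switch."""
    time: str
    user: str
    src_ip: str
    subscription: Optional[str]  # None when the target was not given inline (e.g. -Context $ctx)
    tenant: Optional[str]
    command: str


def _first_group(match: Optional["re.Match"]) -> Optional[str]:
    """Return whichever quoting alternative captured the value."""
    if match is None:
        return None
    return next((g for g in match.groups() if g is not None), None)


def detect_set_context(records: Iterable[dict]) -> List[ContextChange]:
    """Filter records for Set-AzContext executions and extract the tabled fields."""
    hits: List[ContextChange] = []
    for rec in records:
        cmd = rec.get("command", "")
        if not CMDLET_RE.search(cmd):
            continue
        hits.append(ContextChange(
            time=rec["time"],
            user=rec["user"],
            src_ip=rec["src_ip"],
            subscription=_first_group(SUBSCRIPTION_RE.search(cmd)),
            tenant=_first_group(TENANT_RE.search(cmd)),
            command=cmd,
        ))
    return hits


def subscriptions_by_user(hits: Iterable[ContextChange]) -> Dict[str, Set[str]]:
    """Group the subscriptions each user switched into; a user touching many
    subscriptions in a short window is a better triage lead than any single switch."""
    out: Dict[str, Set[str]] = {}
    for h in hits:
        bucket = out.setdefault(h.user, set())
        if h.subscription:
            bucket.add(h.subscription)
    return out


def render_table(hits: Iterable[ContextChange]) -> List[str]:
    """Render the rule's output table as fixed-width text lines (header first)."""
    rows = [f"{'time':<21}{'user':<28}{'src_ip':<15}{'subscription':<38}{'tenant'}"]
    for h in hits:
        rows.append(f"{h.time:<21}{h.user:<28}{h.src_ip:<15}"
                    f"{(h.subscription or '-'):<38}{h.tenant or '-'}")
    return rows


if __name__ == "__main__":
    found = detect_set_context(SAMPLE_RECORDS)
    print("\n".join(render_table(found)))
    for user, subs in subscriptions_by_user(found).items():
        print(f"{user}: {sorted(subs)}")
```

The `-Context $ctx` form shows the limitation a practitioner should expect: when the target subscription lives in a variable or saved profile rather than on the command line, the event is still captured but the subscription column is empty, and the value has to be recovered from surrounding activity.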
Categories
  • Cloud
  • Azure
Data Sources
  • Cloud Service
  • User Account
ATT&CK Techniques
  • T1098
Created: 2024-02-09