NSG Changesby Userand Resource
Query
//NSG Changes by Resource and Who did it
AzureActivity
| where parse_json(Authorization).action == "Microsoft.Network/networkSecurityGroups/securityRules/write" and ActivityStatus == "Succeeded"
| distinct Resource, CallerExplanation
This query retrieves information about changes made to network security groups (NSGs) in Azure. It filters for successful write actions on security rules within NSGs and returns the distinct resources and the individuals who made the changes.
Details

Rod Trent
Released: December 10, 2020
Tables
AzureActivity
Keywords
AzureActivityAuthorizationMicrosoft.Network/networkSecurityGroups/securityRules/writeActivityStatusSucceededResourceCaller
Operators
whereparse_json==andActivityStatusdistinct