a new cloudshell may be created by a system administrator.

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml>sigma
technicques: t1059

Techniques

Identifies when a new cloudshell is created inside of Azure portal.

condition: selection
selection:
  operationName: MICROSOFT.PORTAL/CONSOLES/WRITE