LoFP / network security configuration modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

condition: selection
selection:
  operationName:
  - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE
  - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE
  - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE
  - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE
  - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/JOIN/ACTION
  - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE