Auditing security rules is relatively simple. In essence, you define the target resource you wish to audit and an optional user filter, in case you don't want to retrieve the full set of users. On top of that, you can also define the environmental context of the audit—QMC or hub, that is: