Azure Service Principal Credentials Added

Panther Rules

Summary
The 'Azure Service Principal Credentials Added' detection rule identifies the addition of new credentials, such as client secrets or certificates, to Microsoft Entra ID service principals or applications. Service principals are critical components in Azure: they act as the identities under which applications and services access resources. The rule focuses on the risk that an adversary holding compromised administrative credentials adds a rogue credential to a service principal, thereby establishing persistent access that bypasses multifactor authentication (MFA). The rule's investigation steps include querying the Azure audit logs for all related activity before and after the credential addition, which is essential to ascertain whether the change was part of a broader campaign involving privilege escalation or unauthorized modifications. Additionally, verifying the change against the organization's change management process and monitoring sign-in activity after the credential was added are recommended to detect misuse or data exfiltration.
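The detection described above, as an added Panther-style example that is not the rule's own code: a `rule()`/`title()` pair evaluated against a constructed Microsoft Entra ID audit event. The event field names and the activity names in `CREDENTIAL_ADD_ACTIVITIES` are assumptions modelled on Entra ID audit log entries, not Panther's Azure log schema; verify them against your tenant's audit logs before use.

```python
# Added example, not Panther's rule code. Event shape and activity names are
# assumptions modelled on Microsoft Entra ID audit logs (category "ApplicationManagement").
CREDENTIAL_ADD_ACTIVITIES = {
    "Add service principal credentials",
    "Update application \u2013 Certificates and secrets management",
}


def actor_of(event: dict) -> str:
    """Entra audit events are initiated by either a user or an app; return whichever is present."""
    initiated_by = event.get("initiatedBy") or {}
    user = initiated_by.get("user") or {}
    app = initiated_by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def rule(event: dict) -> bool:
    """Fire only on a successful credential addition to a service principal or application."""
    if event.get("category") != "ApplicationManagement":
        return False
    if str(event.get("result", "")).lower() != "success":
        return False
    return event.get("activityDisplayName") in CREDENTIAL_ADD_ACTIVITIES


def title(event: dict) -> str:
    """Alert title naming the target principal(s) and the actor, for triage against change management."""
    targets = [t.get("displayName") or t.get("id", "unknown") for t in event.get("targetResources", [])]
    return f"Azure: credential added to {', '.join(targets) or 'unknown target'} by {actor_of(event)}"


# Constructed sample events (not real tenant data).
SAMPLE_ADD = {
    "category": "ApplicationManagement",
    "activityDisplayName": "Add service principal credentials",
    "result": "success",
    "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
    "targetResources": [{"id": "00000000-0000-0000-0000-000000000001", "displayName": "svc-automation"}],
}
SAMPLE_FAILED = dict(SAMPLE_ADD, result="failure")
SAMPLE_OTHER = dict(SAMPLE_ADD, activityDisplayName="Update service principal")

if __name__ == "__main__":
    for ev in (SAMPLE_ADD, SAMPLE_FAILED, SAMPLE_OTHER):
        print(rule(ev), title(ev))
```

Failed attempts and unrelated service principal updates are deliberately excluded so the alert stays high-signal; the failed attempts can be surfaced by a separate rule if desired.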
Categories
  • Cloud
  • Azure
Data Sources
  • Service
  • Application Log
  • Logon Session
ATT&CK Techniques
  • T1098
  • T1098.001
Created: 2026-01-31