
Summary
This rule fires when new credentials, either certificates or secret strings, are added to an Azure application (an app registration in Azure Active Directory, now Microsoft Entra ID). Application credentials are alternate authentication material: whoever holds a valid certificate or secret can obtain tokens as the application without any interactive user login, so an adversary who adds one gains access that survives user password resets and sidesteps user-focused controls such as MFA. The same change is routinely made by legitimate users, so the rule flags the event for review rather than treating it as malicious on its own.

The rule queries the Azure audit logs for successful credential updates with: 'event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success)'. The operation name is matched exactly, and both spellings of the outcome value are accepted so that the casing used in the ingested data does not matter. Failed update attempts do not match.

False positives are expected from planned credential rotation by administrators and automation. When triaging a hit, confirm that the initiating identity and the target application are known, that the change lines up with a scheduled rotation or change record, and investigate any initiator, application, or timing that is unfamiliar.
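The following is an added example, not code from the rule or from the Elastic detection engine: a small Python re-implementation of the rule's KQL filter, run over constructed audit-log documents shaped like the ECS azure.auditlogs events the query targets. It shows which events fire (both outcome spellings), which do not (failures, other operations, other datasets), and pulls out the initiator and target application for triage. The field paths used for the initiator and target (azure.auditlogs.properties.initiated_by.user.userPrincipalName and azure.auditlogs.properties.target_resources.0.display_name) are assumptions modelled on the Elastic Azure integration; the rule itself does not query them. All sample events are constructed.

```python
# Added example: Python mirror of the rule's KQL filter, run over constructed
# ECS-style azure.auditlogs documents. Not the rule's own engine code.
from typing import Any, Dict, Iterable, List

DATASET = "azure.auditlogs"
OPERATION = "Update application - Certificates and secrets management"
# The rule accepts both casings of the outcome value.
OUTCOMES = {"success", "Success"}


def get_path(doc: Any, dotted: str) -> Any:
    """Resolve a dotted ECS field path (with numeric list indices) against
    a nested document; return None if any segment is missing."""
    cur = doc
    for part in dotted.split("."):
        if isinstance(cur, dict) and part in cur:
            cur = cur[part]
        elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        else:
            return None
    return cur


def matches_rule(doc: Dict[str, Any]) -> bool:
    """Mirror of:
      event.dataset:azure.auditlogs
        and azure.auditlogs.operation_name:"Update application - Certificates and secrets management"
        and event.outcome:(success or Success)
    A quoted KQL value on a keyword field is an exact match, so compare exactly
    rather than by substring."""
    return (
        get_path(doc, "event.dataset") == DATASET
        and get_path(doc, "azure.auditlogs.operation_name") == OPERATION
        and get_path(doc, "event.outcome") in OUTCOMES
    )


def run_detection(docs: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one triage record per matching document. The actor and target
    field paths are assumptions based on the Elastic Azure integration."""
    hits = []
    for doc in docs:
        if matches_rule(doc):
            hits.append({
                "timestamp": get_path(doc, "@timestamp"),
                "actor": get_path(doc, "azure.auditlogs.properties.initiated_by.user.userPrincipalName"),
                "target_app": get_path(doc, "azure.auditlogs.properties.target_resources.0.display_name"),
            })
    return hits


def _event(ts: str, dataset: str, op: str, outcome: str, actor: str, app: str) -> Dict[str, Any]:
    """Build a constructed audit-log document in the shape the rule queries."""
    return {
        "@timestamp": ts,
        "event": {"dataset": dataset, "outcome": outcome},
        "azure": {"auditlogs": {
            "operation_name": op,
            "properties": {
                "initiated_by": {"user": {"userPrincipalName": actor}},
                "target_resources": [{"display_name": app}],
            },
        }},
    }


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # New client secret added, lowercase outcome: fires.
    _event("2020-12-14T10:02:11Z", DATASET, OPERATION, "success", "contractor@example.com", "billing-sync-app"),
    # Same operation with capitalised outcome: also fires.
    _event("2020-12-14T10:05:40Z", DATASET, OPERATION, "Success", "admin@example.com", "hr-connector"),
    # Attempt that failed: excluded by the outcome clause.
    _event("2020-12-14T10:06:02Z", DATASET, OPERATION, "failure", "contractor@example.com", "billing-sync-app"),
    # A different application update: operation name does not match exactly.
    _event("2020-12-14T10:07:19Z", DATASET, "Update application", "success", "admin@example.com", "hr-connector"),
    # Right operation name but from another dataset: excluded.
    _event("2020-12-14T10:08:33Z", "azure.signinlogs", OPERATION, "success", "admin@example.com", "hr-connector"),
]


def example() -> List[Dict[str, Any]]:
    """Run the detection over the constructed sample and return the hits."""
    return run_detection(SAMPLE_EVENTS)


if __name__ == "__main__":
    for hit in example():
        print(f"{hit['timestamp']}  {hit['actor']} added credentials to {hit['target_app']}")
```

Each hit carries the initiator and target application so a reviewer can check them against known administrators and planned rotations; the failed attempt against billing-sync-app is deliberately not surfaced by this rule, which is worth remembering when reconstructing an intrusion timeline from its alerts alone.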
Categories
- Cloud
Data Sources
- Cloud Service
ATT&CK Techniques
- T1550
- T1550.001
Created: 2020-12-14