
O365 New Federated Domain Added

Splunk Security Content

Summary
This detection monitors an Office 365 environment for the addition of a new federated domain, looking for management activity events whose operation is `Add-FederatedDomain`. The Splunk search filters Office 365 management activity logs to the Exchange workload and matches that domain-adding operation. A federated domain is a high-impact change: whoever controls the identity provider for a federated domain can authenticate as users of the tenant, so an unexpected addition may indicate unauthorized changes or an already-compromised tenant, and it raises the risk of data breaches through a persistent backdoor or credential abuse by an attacker. The rule depends on the Splunk Add-on for Microsoft Office 365, which must be ingesting management activity logs so that these events are available for correlation. Any alert should prompt a thorough investigation of the added domain, including who added it, from which client IP, and whether the change was expected, together with any other suspicious activity in the same window, so that the risk can be assessed and the tenant hardened.
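To make the filter described above concrete, here is an added example written for this page (it is not the Splunk rule's own SPL or any Splunk add-on code) that applies the same two conditions, Workload equal to Exchange and Operation equal to `Add-FederatedDomain`, to a handful of constructed Office 365 Management Activity events in Python. The field names follow the published O365 Management Activity schema; the tenant, users, IP addresses and domain names are made up, and the assumption that the federated domain's name is logged in the `Parameters` array under `DomainName` is the example's own.

```python
"""Detection logic for 'O365 New Federated Domain Added', run over constructed
Office 365 Management Activity events (added example, not the Splunk rule itself)."""
import json

# Constructed sample events shaped like Office 365 Management Activity ExchangeAdmin
# records. Field names (Workload, Operation, UserId, ClientIP, CreationTime,
# ResultStatus, Parameters[].Name/Value) follow the published schema; every value
# below (tenant, users, IPs, domain names) is made up for this example.
SAMPLE_EVENTS = [
    # Benign Exchange admin change: not the operation the rule looks for.
    json.dumps({
        "CreationTime": "2024-11-14T09:12:01", "Workload": "Exchange",
        "Operation": "Add-MailboxPermission", "UserId": "admin@contoso.example",
        "ClientIP": "203.0.113.10", "ResultStatus": "True",
        "Parameters": [{"Name": "Identity", "Value": "finance"},
                       {"Name": "AccessRights", "Value": "FullAccess"}],
    }),
    # The event this rule is built to catch: a new federated domain added in Exchange.
    json.dumps({
        "CreationTime": "2024-11-14T09:15:44", "Workload": "Exchange",
        "Operation": "Add-FederatedDomain", "UserId": "admin@contoso.example",
        "ClientIP": "198.51.100.77", "ResultStatus": "True",
        "Parameters": [{"Name": "DomainName", "Value": "partner-sso.example"}],
    }),
    # Constructed purely to exercise the Workload condition: same operation name,
    # different workload, so the rule as described does not match it.
    json.dumps({
        "CreationTime": "2024-11-14T09:16:02", "Workload": "AzureActiveDirectory",
        "Operation": "Add-FederatedDomain", "UserId": "admin@contoso.example",
        "ClientIP": "198.51.100.77", "ResultStatus": "True",
    }),
    # A truncated line, as a noisy ingest can produce; it must be skipped, not crash the run.
    '{"CreationTime": "2024-11-14T09:17:00", "Workload": "Exchange"',
]


def parse_events(lines):
    """Yield parsed JSON events, skipping lines that are not valid JSON objects."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict):
            yield ev


def _param(ev, name):
    """Return the value of a named entry in the ExchangeAdmin Parameters array, or None."""
    for p in ev.get("Parameters") or []:
        if isinstance(p, dict) and p.get("Name") == name:
            return p.get("Value")
    return None


def detect_federated_domain_added(lines):
    """Apply the rule's filter: Workload=Exchange and Operation=Add-FederatedDomain.

    Comparisons are case-insensitive, as SPL field=value matching is. Each hit carries
    the fields an analyst needs first: who, from where, which domain, and the outcome.
    """
    hits = []
    for ev in parse_events(lines):
        if str(ev.get("Workload", "")).lower() != "exchange":
            continue
        if str(ev.get("Operation", "")).lower() != "add-federateddomain":
            continue
        hits.append({
            "time": ev.get("CreationTime"),
            "user": ev.get("UserId"),
            "src_ip": ev.get("ClientIP"),
            # Assumption of this example: the cmdlet's DomainName parameter is logged.
            "domain": _param(ev, "DomainName"),
            "result": ev.get("ResultStatus"),
        })
    return hits


if __name__ == "__main__":
    for hit in detect_federated_domain_added(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints the single matching event: the `Add-FederatedDomain` operation in the Exchange workload, with the acting user, client IP and the `partner-sso.example` domain ready for the investigation the summary calls for. The third constructed event shows that the Workload condition is part of the match, not just the operation name, and the malformed fourth line shows why the parser tolerates bad input rather than aborting a search over a large log volume.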
Categories
  • Cloud
  • Application
  • Identity Management
  • Web
Data Sources
  • Pod
  • Container
  • User Account
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1136.003
  • T1136
Created: 2024-11-14