
Summary
This detection rule identifies the addition of a new federated domain in a Microsoft 365 environment. It focuses on operations whose audit-log entry indicates that the action contains the keywords 'domain', 'add', or 'new'. This matters because federated domains can be abused for credential harvesting or unauthorized access, particularly in environments that integrate multiple cloud services. Adding a federated domain is not inherently malicious, but it warrants scrutiny because it may signal misuse of identity management features. The detection uses the Microsoft 365 audit logs, so that operations leading to domain creation are monitored continuously. Organizations should stay vigilant about these events and correlate them with other alerts to judge whether they are part of a larger security incident.
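The keyword match described above, as an added example that is not the rule's own code or query. It assumes the rule fires when the Operation field of a Microsoft 365 Unified Audit Log record mentions "domain" together with "add" or "new" (our reading of the summary), runs that test over a constructed set of audit records, and shows a triage helper that counts matches per actor; the field names CreationTime, Operation, UserId, Workload and ObjectId are standard Unified Audit Log fields, but every value below is made up.

```python
import json
from collections import Counter
from typing import Iterable

# Assumed reading of the rule (not confirmed by the page): the Operation name
# must contain "domain" and additionally "add" or "new", case-insensitively.
REQUIRED = ("domain",)
ANY_OF = ("add", "new")


def is_federated_domain_add(operation: str) -> bool:
    """Case-insensitive keyword test on the audit record's Operation field."""
    op = operation.lower()
    return all(k in op for k in REQUIRED) and any(k in op for k in ANY_OF)


def detect(records: Iterable[dict]) -> list[dict]:
    """Return a trimmed alert record for every audit entry that matches."""
    alerts = []
    for rec in records:
        op = rec.get("Operation", "")
        if is_federated_domain_add(op):
            alerts.append({
                "CreationTime": rec.get("CreationTime"),
                "UserId": rec.get("UserId"),
                "Operation": op,
                "Workload": rec.get("Workload"),
                "ObjectId": rec.get("ObjectId"),
            })
    return alerts


def actors_by_alert_count(alerts: list[dict]) -> Counter:
    """Triage helper: which identities are adding domains, and how often."""
    return Counter(a["UserId"] for a in alerts)


# Constructed sample of Unified Audit Log entries as JSON lines. Not real data;
# the operation names and tenant are invented for the demonstration.
SAMPLE_AUDIT_LOG = """\
{"CreationTime": "2023-09-18T10:01:12", "Operation": "Add-FederatedDomain", "UserId": "admin@example.onmicrosoft.com", "Workload": "Exchange", "ObjectId": "partner-login.example"}
{"CreationTime": "2023-09-18T10:02:40", "Operation": "New-AcceptedDomain", "UserId": "admin@example.onmicrosoft.com", "Workload": "Exchange", "ObjectId": "mail.example"}
{"CreationTime": "2023-09-18T10:03:05", "Operation": "Set-DomainAuthentication", "UserId": "admin@example.onmicrosoft.com", "Workload": "Exchange", "ObjectId": "mail.example"}
{"CreationTime": "2023-09-18T10:04:31", "Operation": "Add-MailboxPermission", "UserId": "helpdesk@example.onmicrosoft.com", "Workload": "Exchange", "ObjectId": "user1"}
{"CreationTime": "2023-09-18T10:05:00", "Operation": "UserLoggedIn", "UserId": "user1@example.onmicrosoft.com", "Workload": "AzureActiveDirectory", "ObjectId": "Unknown"}
{"CreationTime": "2023-09-18T10:06:17", "Operation": "Update-DomainAddressList", "UserId": "helpdesk@example.onmicrosoft.com", "Workload": "Exchange", "ObjectId": "list1"}
"""

SAMPLE_RECORDS = [json.loads(line) for line in SAMPLE_AUDIT_LOG.splitlines() if line.strip()]

if __name__ == "__main__":
    hits = detect(SAMPLE_RECORDS)
    for alert in hits:
        print(alert["CreationTime"], alert["UserId"], alert["Operation"], alert["ObjectId"])
    print(actors_by_alert_count(hits))
```

The last sample record illustrates a tuning point: a plain substring test for "add" also matches "address", so an operation such as the constructed Update-DomainAddressList fires even though no domain is being added. In practice, review the matched operation names and tighten the keyword list or add exclusions before relying on the alert, and, as the summary says, correlate each hit with surrounding activity for the same actor before escalating.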
Categories
- Cloud
- Identity Management
Data Sources
- Cloud Service
- Application Log
Created: 2023-09-18