
Azure New Service Principal

Anvilogic Forge

Summary
This detection rule identifies the creation of new service principals in Azure environments. Service principals matter because they are the identities that applications and automation use to access and manage Azure resources, and an adversary who creates one gains a credential-backed foothold that does not depend on any human account. The detection logic monitors Azure audit events for the addition of a service principal (in Microsoft Entra ID, formerly Azure AD, this is the "Add service principal" operation in the ApplicationManagement audit category) and extracts the attributes an analyst needs to triage it: the initiating identity, the target application or resource, and the permissions involved. The rule's reference to APT29 reflects that group's known abuse of service principals for persistent access to cloud tenants, so alerts should be reviewed with particular attention to creations by unexpected users, from unusual source addresses, or outside change windows. The rule is written as a Splunk query that surfaces the matching events for security teams, so that unauthorized service principal creation can be detected and responded to promptly.
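The following is an added example, not the Forge rule's own Splunk logic, showing the same detection applied to a few constructed Entra ID audit records in Python: it keeps only "Add service principal" operations, normalizes the initiator (a user or an app) and the target service principal, and tags creations performed by a hypothetical allowlisted automation identity instead of dropping them. The sample records are invented and modeled on the Azure Monitor export of Entra audit logs; field names outside that schema (the allowlist, the alert keys) are assumptions.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample records modeled on the Entra ID audit log export schema.
# Names, IDs and addresses are invented for illustration.
SAMPLE_AUDIT_LOG = """\
{"time":"2025-08-27T10:01:12Z","operationName":"Add service principal","category":"ApplicationManagement","result":"success","initiatedBy":{"user":{"userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10"}},"targetResources":[{"type":"ServicePrincipal","displayName":"backup-automation","id":"11111111-1111-1111-1111-111111111111"}]}
{"time":"2025-08-27T10:02:40Z","operationName":"Update user","category":"UserManagement","result":"success","initiatedBy":{"user":{"userPrincipalName":"bob@contoso.example","ipAddress":"203.0.113.11"}},"targetResources":[{"type":"User","displayName":"Carol","id":"22222222-2222-2222-2222-222222222222"}]}
{"time":"2025-08-27T10:05:03Z","operationName":"Add service principal","category":"ApplicationManagement","result":"failure","initiatedBy":{"app":{"displayName":"Terraform CI","appId":"33333333-3333-3333-3333-333333333333"}},"targetResources":[{"type":"ServicePrincipal","displayName":"staging-deployer","id":"44444444-4444-4444-4444-444444444444"}]}
{"time":"2025-08-27T23:41:57Z","operationName":"Add service principal","category":"ApplicationManagement","result":"success","initiatedBy":{"user":{"userPrincipalName":"svc-helpdesk@contoso.example","ipAddress":"198.51.100.7"}},"targetResources":[{"type":"ServicePrincipal","displayName":"Office 365 Helper","id":"55555555-5555-5555-5555-555555555555"}]}
"""

# Operation name the Entra audit log records when a service principal is created.
SP_CREATE_OPERATION = "Add service principal"

# Hypothetical allowlist of automation identities expected to create service
# principals (an IaC pipeline, for instance). Matches are tagged rather than
# suppressed, because a compromised pipeline identity would take the same path.
ALLOWLISTED_ACTORS = {"Terraform CI"}


def parse_audit_log(text: str) -> List[Dict[str, Any]]:
    """Parse newline-delimited JSON audit records, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _actor(initiated_by: Dict[str, Any]) -> Tuple[str, str, Optional[str]]:
    """Normalise initiatedBy into (actor, actor_type, source_ip).

    Entra audit records carry either a 'user' or an 'app' initiator. App-initiated
    creations are surfaced separately: that is the path an attacker holding a
    stolen client secret would use, and it has no user to attribute to.
    """
    if "user" in initiated_by:
        user = initiated_by["user"]
        return user.get("userPrincipalName", "<unknown user>"), "user", user.get("ipAddress")
    if "app" in initiated_by:
        app = initiated_by["app"]
        return app.get("displayName") or app.get("appId", "<unknown app>"), "app", None
    return "<unknown>", "unknown", None


def detect_new_service_principals(
    records: List[Dict[str, Any]], include_failures: bool = False
) -> List[Dict[str, Any]]:
    """Return one alert per service principal created in the records.

    Failed attempts are excluded by default; pass include_failures=True during
    an investigation, since repeated failures can show an actor probing for the
    permission before succeeding.
    """
    alerts: List[Dict[str, Any]] = []
    for rec in records:
        if rec.get("operationName") != SP_CREATE_OPERATION:
            continue
        if not include_failures and rec.get("result") != "success":
            continue
        actor, actor_type, source_ip = _actor(rec.get("initiatedBy", {}))
        for target in rec.get("targetResources", []):
            if target.get("type") != "ServicePrincipal":
                continue
            alerts.append(
                {
                    "time": rec.get("time"),
                    "actor": actor,
                    "actor_type": actor_type,
                    "source_ip": source_ip,
                    "service_principal": target.get("displayName"),
                    "service_principal_id": target.get("id"),
                    "result": rec.get("result"),
                    "allowlisted": actor in ALLOWLISTED_ACTORS,
                }
            )
    return alerts


if __name__ == "__main__":
    for alert in detect_new_service_principals(parse_audit_log(SAMPLE_AUDIT_LOG), include_failures=True):
        print(json.dumps(alert))
```

The time-of-day and source address are deliberately kept on every alert: a creation at 23:41 from an address not seen for that user is exactly the triage signal the summary describes, and a display name chosen to look like a Microsoft first-party app ("Office 365 Helper") is a common disguise worth a second look.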
Categories
  • Cloud
  • Azure
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1098 (Account Manipulation)
Created: 2025-08-27