
Azure Update Creds Application or Principle

Anvilogic Forge

Summary
This rule detects new or modified credentials being added to a service principal or an application in Azure. Adversaries target this area to gain unauthorized access by authenticating as the application with a credential they control. The detection logic searches Azure activity logs for events associated with adding service principal credentials or managing an application's certificates and secrets. Several regular expressions (regex) extract the relevant pieces of data from the old and new key values, including attributes such as `keyidentifier`, `keytype`, and `keyusage`. The rule then requires that the old key identifier not match the new key identifier, which indicates that a key was actually added or replaced and is therefore a potentially malicious change. The output includes the fields relevant to the event, such as timestamps, user accounts, and source IPs, providing context for investigation.
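The following Python script is an added illustration of the detection logic described above; it is not Anvilogic's rule and it is not the Forge query itself. It assumes the Azure AD audit-log layout in which the `KeyDescription` modified property carries old and new key descriptions in the form `[KeyIdentifier=<guid>,KeyType=<type>,KeyUsage=<usage>,DisplayName=<name>]`, extracts `keyidentifier`, `keytype` and `keyusage` with a regex, and alerts only on identifiers present in the new value but absent from the old one. The three log records are constructed samples (names, GUIDs and IPs are placeholders).

```python
import json
import re

# Operation names written to the Azure AD audit log when a credential is added
# to a service principal or managed under an application's certificates and
# secrets. (Assumed operation names for this example.)
CRED_OPERATIONS = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}

# One key description inside oldValue/newValue looks like
# [KeyIdentifier=<guid>,KeyType=Password,KeyUsage=Verify,DisplayName=<name>]
KEY_RE = re.compile(
    r"KeyIdentifier=(?P<keyidentifier>[^,\]]+),"
    r"KeyType=(?P<keytype>[^,\]]+),"
    r"KeyUsage=(?P<keyusage>[^,\]]+)"
)


def parse_keys(value):
    """Map each keyidentifier found in a KeyDescription value to its attributes."""
    if not value:
        return {}
    return {m.group("keyidentifier"): m.groupdict() for m in KEY_RE.finditer(value)}


def detect(events):
    """Return one alert per key identifier that is new relative to the old value."""
    alerts = []
    for ev in events:
        if ev.get("operationName") not in CRED_OPERATIONS:
            continue
        actor = ev.get("initiatedBy", {}).get("user", {})
        for target in ev.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "KeyDescription":
                    continue
                old_keys = parse_keys(prop.get("oldValue") or "")
                new_keys = parse_keys(prop.get("newValue") or "")
                # The core condition: old key identifier != new key identifier.
                for key_id, attrs in new_keys.items():
                    if key_id in old_keys:
                        continue
                    alerts.append({
                        "time": ev.get("activityDateTime"),
                        "operation": ev["operationName"],
                        "user": actor.get("userPrincipalName"),
                        "src_ip": actor.get("ipAddress"),
                        "target": target.get("displayName"),
                        "keyidentifier": key_id,
                        "keytype": attrs["keytype"],
                        "keyusage": attrs["keyusage"],
                    })
    return alerts


# Constructed sample records (placeholder GUIDs, names and addresses).
KEY_A = "11111111-1111-1111-1111-111111111111"
KEY_B = "22222222-2222-2222-2222-222222222222"
KEY_C = "33333333-3333-3333-3333-333333333333"

EVENTS = [
    {   # A second password is added next to an existing one -> alert on KEY_B
        "activityDateTime": "2024-02-09T10:15:00Z",
        "operationName": "Add service principal credentials",
        "initiatedBy": {"user": {"userPrincipalName": "alice@example.com",
                                 "ipAddress": "203.0.113.10"}},
        "targetResources": [{
            "displayName": "billing-automation",
            "modifiedProperties": [{
                "displayName": "KeyDescription",
                "oldValue": f'["[KeyIdentifier={KEY_A},KeyType=Password,KeyUsage=Verify,DisplayName=prod]"]',
                "newValue": f'["[KeyIdentifier={KEY_A},KeyType=Password,KeyUsage=Verify,DisplayName=prod]",'
                            f'"[KeyIdentifier={KEY_B},KeyType=Password,KeyUsage=Verify,DisplayName=backup]"]',
            }],
        }],
    },
    {   # Unrelated operation -> ignored
        "activityDateTime": "2024-02-09T10:16:00Z",
        "operationName": "Update user",
        "targetResources": [],
    },
    {   # Certificate re-recorded with the same identifier -> no alert
        "activityDateTime": "2024-02-09T10:17:00Z",
        "operationName": "Update application - Certificates and secrets management",
        "initiatedBy": {"user": {"userPrincipalName": "bob@example.com",
                                 "ipAddress": "203.0.113.11"}},
        "targetResources": [{
            "displayName": "reporting-app",
            "modifiedProperties": [{
                "displayName": "KeyDescription",
                "oldValue": f'["[KeyIdentifier={KEY_C},KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=cert]"]',
                "newValue": f'["[KeyIdentifier={KEY_C},KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=cert]"]',
            }],
        }],
    },
]

if __name__ == "__main__":
    print(json.dumps(detect(EVENTS), indent=2))
```

Only the first record produces an alert: the third touches the same key identifier in both the old and new value, so the old-versus-new check suppresses it, which is the behaviour the rule relies on to avoid firing on every property update.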
Categories
  • Cloud
  • Azure
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
  • Cloud Storage
ATT&CK Techniques
  • T1098
Created: 2024-02-09