New Federated Domain Added - Exchange

Summary
This detection rule identifies instances where a new federated domain has been added to the Exchange service within a Microsoft 365 environment. Specifically, it captures events generated by the successful execution of the `Add-FederatedDomain` operation. The significance of this rule lies in its potential to highlight unusual activity related to federated identity management. While the creation of a federated domain can be a routine administrative task, it also carries risk: such an action can indicate an attempt at federated credential abuse, or the establishment of an unauthorized access point through a backdoored identity in the cloud environment. Monitoring these events is therefore important for maintaining the organization's security posture against identity-related threats.
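As an added example (not the rule's own source), the detection logic above run over constructed Microsoft 365 Unified Audit Log records: it matches an Exchange-workload `Add-FederatedDomain` operation with a successful result and pulls the actor and the `DomainName` parameter into an alert. The field names `Workload`, `Operation`, `ResultStatus`, `UserId`, `CreationTime` and `Parameters` are assumed from that audit log schema, and the sample records are constructed.

```python
"""Detect successful Add-FederatedDomain operations in Microsoft 365 audit records.

Added example, not part of the Sigma rule. Field names follow the Microsoft 365
Unified Audit Log schema as an assumption; the sample records are constructed.
"""
import json

# Constructed sample Unified Audit Log records (JSON lines), not real tenant data.
SAMPLE_AUDIT_LOG = """
{"CreationTime": "2022-02-08T10:01:00", "Workload": "Exchange", "Operation": "Set-Mailbox", "ResultStatus": "True", "UserId": "admin@example.invalid"}
{"CreationTime": "2022-02-08T10:02:00", "Workload": "Exchange", "Operation": "Add-FederatedDomain", "ResultStatus": "True", "UserId": "admin@example.invalid", "Parameters": [{"Name": "DomainName", "Value": "partner.example.invalid"}]}
{"CreationTime": "2022-02-08T10:03:00", "Workload": "Exchange", "Operation": "Add-FederatedDomain", "ResultStatus": "False", "UserId": "svc@example.invalid"}
{"CreationTime": "2022-02-08T10:04:00", "Workload": "AzureActiveDirectory", "Operation": "Add-FederatedDomain", "ResultStatus": "True", "UserId": "admin@example.invalid"}
"""


def is_new_federated_domain(record: dict) -> bool:
    """Match the rule: Exchange workload, Add-FederatedDomain operation, successful result."""
    return (
        record.get("Workload") == "Exchange"
        and record.get("Operation") == "Add-FederatedDomain"
        and str(record.get("ResultStatus", "")).lower() in ("true", "success", "succeeded")
    )


def domain_from_parameters(record: dict) -> str:
    """Pull the DomainName cmdlet parameter for the alert, if the record carries it."""
    for param in record.get("Parameters", []):
        if param.get("Name") == "DomainName":
            return param.get("Value", "")
    return ""


def detect(audit_log: str) -> list[dict]:
    """Run the rule over JSON-lines audit data and return one alert per match."""
    alerts = []
    for line in audit_log.strip().splitlines():
        record = json.loads(line)
        if is_new_federated_domain(record):
            alerts.append({
                "time": record["CreationTime"],
                "actor": record.get("UserId", "unknown"),
                "domain": domain_from_parameters(record),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG):
        print(f"[ALERT] {alert['time']} {alert['actor']} added federated domain {alert['domain'] or '?'}")
```

Only the second record fires: the failed attempt and the non-Exchange workload are excluded by design, which is the same status and source filtering the rule applies.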
Categories
  • Cloud
  • Infrastructure
  • Identity Management
Data Sources
  • Service
  • Application Log
Created: 2022-02-08