
Summary
This detection rule monitors an Azure Active Directory (AD) tenant for the addition of a new custom domain. It uses Azure AD Audit Logs to detect operations named 'Add unverified domain' that completed successfully. This action is important to monitor because it can signal malicious activity such as an attacker registering a domain to impersonate legitimate users or to create an identity federation backdoor. Such activity could facilitate unauthorized access and privilege escalation, and could give an attacker prolonged access to sensitive resources in the Azure AD environment. The detection works by searching for successful domain-addition events and provides drilldowns to review the initiating user's event data and any recent associated risk events. The rule also includes implementation guidance and known false positives; because organizations typically add new domains infrequently, each hit is usually worth reviewing.
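The detection logic described above, as an added example that is not part of the original rule or its query: it reads Azure AD audit log entries (constructed sample records in the shape of the Microsoft Graph directoryAudits schema, with made-up users and domains), keeps only successful 'Add unverified domain' operations, flags domains that are not on an optional, assumed allowlist of expected domains, and groups hits per initiating user for drilldown.

```python
import json
from collections import defaultdict

# Constructed sample audit log lines (JSON Lines). Field names follow the
# Azure AD / Microsoft Graph directoryAudits schema; the tenant, users and
# domain names are made up for this example.
SAMPLE_AUDIT_LOG_LINES = "\n".join([
    json.dumps({"activityDateTime": "2024-11-14T09:12:03Z",
                "operationName": "Add unverified domain", "result": "success",
                "initiatedBy": {"user": {"userPrincipalName": "it-admin@contoso.example"}},
                "targetResources": [{"displayName": "contoso-mail.example", "type": "Domain"}]}),
    json.dumps({"activityDateTime": "2024-11-14T09:15:40Z",
                "operationName": "Add unverified domain", "result": "failure",
                "initiatedBy": {"user": {"userPrincipalName": "it-admin@contoso.example"}},
                "targetResources": [{"displayName": "bad-typo.example", "type": "Domain"}]}),
    json.dumps({"activityDateTime": "2024-11-14T10:02:11Z",
                "operationName": "Update user", "result": "success",
                "initiatedBy": {"user": {"userPrincipalName": "hr@contoso.example"}},
                "targetResources": [{"displayName": "jdoe@contoso.example", "type": "User"}]}),
    json.dumps({"activityDateTime": "2024-11-14T23:48:57Z",
                "operationName": "Add unverified domain", "result": "success",
                "initiatedBy": {"user": {"userPrincipalName": "svc-breakglass@contoso.example"}},
                "targetResources": [{"displayName": "contoso-login.example", "type": "Domain"}]}),
])

# Assumed allowlist: domains the organization planned to add (hypothetical).
EXPECTED_DOMAINS = {"contoso-mail.example"}


def parse_audit_lines(text):
    """Parse JSON Lines audit log text into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_new_custom_domains(events, expected_domains=frozenset()):
    """Return one hit per domain added by a successful 'Add unverified domain' operation.

    Each hit carries the timestamp, the initiating user, the domain name, and an
    'expected' flag that is True when the domain was on the allowlist.
    """
    expected = {d.lower() for d in expected_domains}
    hits = []
    for event in events:
        if event.get("operationName") != "Add unverified domain":
            continue
        if str(event.get("result", "")).lower() != "success":
            continue  # failed attempts are logged but the rule keys on successes
        user = (event.get("initiatedBy", {}).get("user", {})
                .get("userPrincipalName") or "<unknown>")
        for target in event.get("targetResources", []):
            if target.get("type") != "Domain":
                continue
            domain = target.get("displayName", "")
            hits.append({
                "time": event.get("activityDateTime"),
                "user": user,
                "domain": domain,
                "expected": domain.lower() in expected,
            })
    return hits


def drilldown_by_user(hits):
    """Group detected domains by initiating user, as a starting point for review."""
    by_user = defaultdict(list)
    for hit in hits:
        by_user[hit["user"]].append(hit["domain"])
    return dict(by_user)


def unexpected_domains(hits):
    """Domains added that were not on the allowlist; these deserve prompt review."""
    return [h["domain"] for h in hits if not h["expected"]]


if __name__ == "__main__":
    found = detect_new_custom_domains(parse_audit_lines(SAMPLE_AUDIT_LOG_LINES),
                                      EXPECTED_DOMAINS)
    for hit in found:
        print(f"{hit['time']} {hit['user']} added {hit['domain']} "
              f"({'expected' if hit['expected'] else 'UNEXPECTED'})")
    print("Per-user drilldown:", drilldown_by_user(found))
```

Because legitimate domain additions are rare, the allowlist is deliberately small and optional; the rule still reports every successful addition, and the 'expected' flag only helps an analyst prioritize which hit to review first.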
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- Cloud Service
- Active Directory
- Application Log
ATT&CK Techniques
- T1484
- T1484.002
Created: 2024-11-14