Azure Service Principal Credentials Added

Elastic Detection Rules

Summary
This detection rule identifies the addition of new credentials to a Service Principal in Azure. This action is normally infrequent in most organizations, so an unexpected occurrence warrants attention: an attacker who adds credentials to a service principal gains access to the resources it is permitted to use while bypassing Multi-Factor Authentication (MFA) requirements, increasing the risk of a data breach. The rule works by monitoring the Azure audit logs for instances where service principal credentials are added successfully. This matters because service principals are application identities that carry specific permissions, and any unauthorized modification of them can lead to exploitation and unauthorized access to sensitive information. To improve the accuracy of the detection, follow up in the audit logs to verify that the source of the credential addition is legitimate, and correlate it with other suspicious activity across the environment.
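To make the rule's logic concrete, the following is an added example (not Elastic's rule query or code) that applies the same condition to constructed Azure audit-log lines: a successful "Add service principal credentials" operation raises an alert, and the initiating identity is reported so the follow-up verification the summary recommends can start. The field names (`operationName`, `result`, `initiatedBy`, `target`), the approved-actor list and the sample events are all assumptions.

```python
import json

# Constructed sample of Azure AD audit-log events as JSON lines (assumed
# field names, not captured data). Two successful additions, one failed
# attempt, and one unrelated operation.
SAMPLE_LOG_LINES = """
{"operationName": "Add service principal credentials", "result": "success", "initiatedBy": "alice@example.com", "target": "sp-ci-pipeline"}
{"operationName": "Add service principal credentials", "result": "failure", "initiatedBy": "bob@example.com", "target": "sp-billing"}
{"operationName": "Update application", "result": "success", "initiatedBy": "carol@example.com", "target": "app-portal"}
{"operationName": "Add service principal credentials", "result": "Success", "initiatedBy": "svc-automation@example.com", "target": "sp-etl"}
""".strip().splitlines()


def parse_events(lines):
    """Parse JSON-lines audit records, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_credential_addition(event):
    """True only for a *successful* addition of service principal credentials.
    The outcome is compared case-insensitively because audit logs may record
    the result as either "success" or "Success"."""
    return (event.get("operationName") == "Add service principal credentials"
            and str(event.get("result", "")).lower() == "success")


def detect(lines, approved_actors=frozenset()):
    """Return one alert per matching event. Each alert notes whether the
    initiating identity is on an assumed approved list, so an analyst can
    triage unexpected sources first; approved sources still get an alert."""
    alerts = []
    for ev in parse_events(lines):
        if not is_credential_addition(ev):
            continue
        alerts.append({
            "target": ev.get("target"),
            "initiated_by": ev.get("initiatedBy"),
            "approved_actor": ev.get("initiatedBy") in approved_actors,
        })
    return alerts
```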
Categories
  • Cloud
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1496
Created: 2021-05-05