
Summary
This detection rule identifies an attempt by an attacker, logged in as a low-privileged user, to add a new secret to an Azure Service Principal. Adding such a secret can lead to unauthorized access if the attacker subsequently logs into Azure PowerShell as that service principal. The rule relies on cloud activity logs, focusing on PowerShell commands related to Azure Active Directory (Azure AD) credential management, specifically execution of the 'New-AzADAppCredential' command. By examining these logs, the detection captures successful secret additions and flags them as potentially malicious, particularly in the context of known threat actors such as APT29 (also known as Nobelium or Cozy Bear) and Storm-1283. This matters because it links a routine operational change in Azure to a potentially escalated threat, reinforcing the need for vigilance in Azure environments.
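As an added illustration of the detection logic described above (example code, not the rule's own implementation), the following Python scans constructed audit records for successful 'New-AzADAppCredential' executions by accounts holding no privileged directory role. The record shape, its field names and the privileged-role set are assumptions for this example, not a real Azure log schema.

```python
import json

# Constructed sample records (JSON lines). The record shape and field names are
# an assumption for this example and do not reproduce any real Azure log schema.
SAMPLE_LOG = """
{"time": "2024-02-09T10:01:00Z", "user": "alice@example.com", "roles": ["User"], "command": "New-AzADAppCredential", "target_sp": "sp-billing-app", "result": "Success"}
{"time": "2024-02-09T10:02:00Z", "user": "ops-admin@example.com", "roles": ["Application Administrator"], "command": "New-AzADAppCredential", "target_sp": "sp-ci-runner", "result": "Success"}
{"time": "2024-02-09T10:03:00Z", "user": "bob@example.com", "roles": ["User"], "command": "New-AzADAppCredential", "target_sp": "sp-data-export", "result": "Failure"}
{"time": "2024-02-09T10:04:00Z", "user": "carol@example.com", "roles": ["User"], "command": "Get-AzADApplication", "target_sp": "sp-data-export", "result": "Success"}
"""

# Assumed directory roles that legitimately manage application credentials;
# tune this to the tenant's own privileged-role model.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Application Administrator",
    "Cloud Application Administrator",
}

def parse_log(text):
    """Parse JSON-lines audit records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
    return records

def is_low_privileged(roles):
    """True when the actor holds none of the assumed privileged roles."""
    return not (set(roles) & PRIVILEGED_ROLES)

def detect_sp_secret_additions(records):
    """Flag successful service-principal secret additions by low-privileged users."""
    alerts = []
    for rec in records:
        if rec.get("command") != "New-AzADAppCredential":
            continue
        if rec.get("result") != "Success":
            continue  # the rule targets secrets that were actually added
        if not is_low_privileged(rec.get("roles", [])):
            continue  # admins adding credentials is expected operational activity
        alerts.append({"time": rec.get("time"), "user": rec.get("user"),
                       "target_sp": rec.get("target_sp"), "attack": ["T1098", "T1078"]})
    return alerts
```

Only the first record is flagged: the admin's addition is expected, the failed attempt added nothing, and the fourth record is a read, not a credential change.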
Categories
- Cloud
- Azure
Data Sources
- Cloud Service
- Application Log
- Network Traffic
ATT&CK Techniques
- T1098
- T1078
Created: 2024-02-09