
Summary
This detection rule identifies unusual retrieval of secrets, keys, or certificates from Azure Key Vault. It focuses on the case where a user principal that has not been seen accessing the Key Vault within a specified timeframe (the last 9 months) performs such a retrieval. Azure Key Vault is central to securely managing sensitive material such as keys and secrets, so unauthorized access to it poses a significant threat to data security. The rule monitors the events tied to retrieval actions, filters on successful outcomes, and captures the various secret- and certificate-retrieval operations. Investigative steps are provided to establish whether the activity is legitimate, together with follow-up actions to mitigate the risk of unauthorized access.
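The following Python is an added illustration of the detection logic the summary describes; it is not the rule's own query and not code from the rule's authors. It assumes a simplified audit-event shape (timestamp, caller principal, vault name, operation name, result), assumes the Azure Key Vault diagnostic-log operation names `SecretGet`, `KeyGet` and `CertificateGet` as the retrieval set, and approximates "the last 9 months" as 270 days. Events before a chosen detection start only build the baseline of who has been seen on which vault; events after it are evaluated, and a successful retrieval is flagged when the principal has no successful access to that vault inside the look-back window.

```python
"""Added example: flag successful Azure Key Vault secret/key/certificate
retrievals by a principal not seen on that vault within the look-back window.
Event schema, operation names and the 270-day window are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Retrieval operations as they appear in Key Vault diagnostic logs (assumed set).
RETRIEVAL_OPS = {"SecretGet", "KeyGet", "CertificateGet"}
LOOKBACK = timedelta(days=9 * 30)  # "last 9 months", approximated as 270 days


@dataclass
class KeyVaultEvent:
    time: datetime
    principal: str   # caller identity (user principal name or app id)
    vault: str       # Key Vault name
    operation: str   # operationName field
    result: str      # "Success" or "Failure" in this assumed schema


def detect_unusual_retrievals(events, detect_from, lookback=LOOKBACK):
    """Return (event, reason) tuples for successful retrievals, at or after
    detect_from, by a principal with no successful access to the same vault
    within `lookback`. Earlier events only seed the baseline."""
    last_seen = {}  # (principal, vault) -> time of most recent successful access
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.principal, ev.vault)
        prior = last_seen.get(key)
        if (ev.time >= detect_from and ev.result == "Success"
                and ev.operation in RETRIEVAL_OPS):
            if prior is None:
                alerts.append((ev, "principal never seen on this vault"))
            elif ev.time - prior > lookback:
                gap = (ev.time - prior).days
                alerts.append((ev, f"principal last seen {gap} days ago"))
        # Any successful operation (including list calls) counts as "seen";
        # failed attempts do not establish a baseline.
        if ev.result == "Success":
            last_seen[key] = ev.time
    return alerts


# Constructed sample events (not real log data); deliberately out of order.
SAMPLE_EVENTS = [
    KeyVaultEvent(datetime(2024, 11, 15), "alice@example.test", "vault-a", "SecretGet", "Success"),
    KeyVaultEvent(datetime(2024, 5, 1), "dave@example.test", "vault-a", "KeyGet", "Success"),
    KeyVaultEvent(datetime(2025, 1, 5), "alice@example.test", "vault-a", "SecretGet", "Success"),
    KeyVaultEvent(datetime(2025, 3, 10), "bob@example.test", "vault-a", "CertificateGet", "Success"),
    KeyVaultEvent(datetime(2025, 3, 11), "carol@example.test", "vault-a", "SecretGet", "Failure"),
    KeyVaultEvent(datetime(2025, 3, 12), "bob@example.test", "vault-a", "SecretGet", "Success"),
    KeyVaultEvent(datetime(2025, 4, 1), "dave@example.test", "vault-a", "SecretGet", "Success"),
    KeyVaultEvent(datetime(2025, 4, 2), "erin@example.test", "vault-b", "SecretList", "Success"),
    KeyVaultEvent(datetime(2025, 4, 3), "erin@example.test", "vault-b", "SecretGet", "Success"),
]

DETECT_FROM = datetime(2025, 1, 1)  # events before this only build the baseline


def run_sample():
    """Run the detector over the constructed events; returns the alert list."""
    return detect_unusual_retrievals(SAMPLE_EVENTS, DETECT_FROM)


if __name__ == "__main__":
    for ev, reason in run_sample():
        print(f"{ev.time:%Y-%m-%d} {ev.principal} {ev.operation} on {ev.vault}: {reason}")
```

On the sample, only two events fire: bob's first-ever retrieval on `vault-a`, and dave's retrieval after a 335-day gap. Alice is inside the window, carol's failed call is filtered out by the success condition, bob's second retrieval two days later is not re-flagged, and erin's listing call establishes her baseline so her retrieval the next day is treated as routine. Keying the baseline on principal plus vault rather than principal alone is what makes a known user touching a vault they have never used stand out.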
Categories
- Cloud
- Identity Management
- Application
Data Sources
- Cloud Service
- Application Log
- User Account
- Process
ATT&CK Techniques
- T1555
- T1555.006
Created: 2025-07-10