
Summary
This analytic rule detects the addition of new credentials (client secrets or certificates) to Service Principals in an Office 365 tenant using O365 audit logs. It focuses on records in the AzureActiveDirectory workload of the O365 management activity log that record credential modifications. Service Principals are application identities; their credentials let an application authenticate non-interactively and act with whatever permissions the application has been granted. Because a credential added to an existing Service Principal gives the holder a login path that does not depend on any user account and is not subject to user MFA, an unauthorized addition is an effective persistence and privilege-abuse technique that can lead to data breaches or misuse of the application's permissions. The rule's search query reads the O365 management activity log and filters for events that indicate changes to the client credentials of Service Principals. Implementation requires the Splunk Microsoft Office 365 Add-on to ingest the relevant O365 management events.
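The detection logic the summary describes, as an added illustration that is not the rule's own SPL and not code from the Splunk project: filter O365 management activity records to the AzureActiveDirectory workload, keep only operations that change Service Principal credentials, and aggregate by actor and target object the way a Splunk stats command would. The records are constructed samples, and the operation strings in CREDENTIAL_OPERATIONS are assumptions about how the workload names credential changes; confirm them against your tenant's logs before relying on them.

```python
"""Detection logic for new Service Principal client credentials in O365 audit logs.
Added illustration, not the Splunk rule's SPL. Records are constructed samples;
the strings in CREDENTIAL_OPERATIONS are assumed operation names."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed O365 Management Activity records (not real tenant data).
SAMPLE_RECORDS = [
    {   # Secret added via the portal; KeyDescription carries the new key
        "CreationTime": "2024-11-14T09:12:03",
        "Workload": "AzureActiveDirectory",
        "Operation": "Update application \u2013 Certificates and secrets management ",
        "UserId": "admin@contoso.example",
        "ObjectId": "billing-sync-app",
        "ModifiedProperties": [{
            "Name": "KeyDescription",
            "OldValue": "[]",
            "NewValue": "[[KeyIdentifier=0f3a9d2e-1b4c-4c7e-8f0a-2d6e5b7c9a11,"
                        "KeyType=Password,KeyUsage=Verify,DisplayName=sync-secret]]",
        }],
    },
    {   # Second credential added to the same service principal minutes later
        "CreationTime": "2024-11-14T09:14:41",
        "Workload": "AzureActiveDirectory",
        "Operation": "Add service principal credentials.",
        "UserId": "admin@contoso.example",
        "ObjectId": "billing-sync-app",
        "ModifiedProperties": [{
            "Name": "KeyDescription",
            "OldValue": "[]",
            "NewValue": "[[KeyIdentifier=5c2b7e1a-9d44-4f3b-b1e6-7a8c9d0e1f22,"
                        "KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=CN=sync]]",
        }],
    },
    {   # Benign: application update that does not touch credentials
        "CreationTime": "2024-11-14T09:20:00",
        "Workload": "AzureActiveDirectory",
        "Operation": "Update application.",
        "UserId": "admin@contoso.example",
        "ObjectId": "billing-sync-app",
        "ModifiedProperties": [{"Name": "DisplayName", "OldValue": "old", "NewValue": "new"}],
    },
    {   # Benign: same workload, unrelated operation
        "CreationTime": "2024-11-14T09:21:15",
        "Workload": "AzureActiveDirectory",
        "Operation": "UserLoggedIn",
        "UserId": "alice@contoso.example",
        "ObjectId": "00000003-0000-0000-c000-000000000000",
        "ModifiedProperties": [],
    },
    {   # Benign: other workload, even though the operation name would match
        "CreationTime": "2024-11-14T09:22:30",
        "Workload": "Exchange",
        "Operation": "Add service principal credentials.",
        "UserId": "bob@contoso.example",
        "ObjectId": "mailbox",
        "ModifiedProperties": [],
    },
]

# Assumed operation names for credential changes, compared after normalization
# so dash variants, case and trailing whitespace in raw logs do not matter.
CREDENTIAL_OPERATIONS = {
    "update application - certificates and secrets management",
    "add service principal credentials.",
}


def normalize_operation(operation):
    """Lower-case, collapse whitespace, and map en/em dashes to '-'."""
    operation = operation.replace("\u2013", "-").replace("\u2014", "-")
    return re.sub(r"\s+", " ", operation).strip().lower()


def is_sp_credential_change(record):
    """True for AzureActiveDirectory records whose operation adds SP credentials."""
    return (record.get("Workload") == "AzureActiveDirectory"
            and normalize_operation(record.get("Operation", "")) in CREDENTIAL_OPERATIONS)


def _parse_time(value):
    # O365 CreationTime is UTC without an explicit offset
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def detect_new_sp_credentials(records):
    """Group matching events by (actor, target), like Splunk
    'stats earliest latest count values by user ObjectId' over the filtered log."""
    groups = defaultdict(list)
    for record in records:
        if is_sp_credential_change(record):
            groups[(record.get("UserId"), record.get("ObjectId"))].append(record)

    findings = []
    for (user, object_id), events in groups.items():
        times = sorted(_parse_time(e["CreationTime"]) for e in events)
        new_keys = [prop["NewValue"] for e in events
                    for prop in e.get("ModifiedProperties", [])
                    if prop.get("Name") == "KeyDescription"]
        findings.append({"user": user, "object_id": object_id,
                         "first_time": times[0].isoformat(),
                         "last_time": times[-1].isoformat(),
                         "count": len(events), "new_credentials": new_keys})
    return findings


if __name__ == "__main__":
    for finding in detect_new_sp_credentials(SAMPLE_RECORDS):
        print(finding)
```

Run against the samples, the two credential additions by the same actor collapse into one finding with count 2 and both KeyDescription values, while the plain application update, the sign-in and the Exchange record are dropped. Tuning the production rule means the same two knobs: the workload filter and the set of operation names, plus a filter macro to exclude known automation accounts that legitimately rotate secrets.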
Categories
- Cloud
- Identity Management
Data Sources
- Pod
- Application Log
- User Account
- Cloud Service
- Logon Session
ATT&CK Techniques
- T1098
- T1098.001
Created: 2024-11-14