Azure Key Vault Modified or Deleted

Sigma Rules

Summary
This detection rule monitors Azure Key Vault operations to identify unauthorized modifications or deletions. It triggers when Azure activity logs record changes to a Key Vault: a vault being created (WRITE), deleted (DELETE), or modified through its access policies (WRITE). These events can indicate a credential access attack, since an attacker may modify or delete vaults to hinder investigation or to gain unauthorized access to sensitive information. Legitimate administrative actions can produce false positives, so verify the acting identity and its history against normal operational patterns before escalating.
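The matching described above, applied to constructed Azure activity-log records, as an added example that is not part of the rule page. It assumes the full operationName values MICROSOFT.KEYVAULT/VAULTS/WRITE, MICROSOFT.KEYVAULT/VAULTS/DELETE and MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE (the page only names the WRITE/DELETE verbs), and a hypothetical admin baseline for the false-positive triage the summary recommends.

```python
import json

# Azure activity-log operation names the rule keys on (assumed exact strings;
# the page only states vault WRITE, DELETE and access-policy WRITE).
WATCHED_OPERATIONS = {
    "MICROSOFT.KEYVAULT/VAULTS/WRITE",
    "MICROSOFT.KEYVAULT/VAULTS/DELETE",
    "MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE",
}

# Constructed sample activity-log records (newline-delimited JSON, not real data).
SAMPLE_LOG = """
{"time":"2021-08-16T10:01:00Z","operationName":"Microsoft.KeyVault/vaults/write","caller":"admin@example.com","resultType":"Success","resourceId":"/subscriptions/sub-1/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv-prod"}
{"time":"2021-08-16T10:05:00Z","operationName":"Microsoft.KeyVault/vaults/read","caller":"app-sp","resultType":"Success","resourceId":"/subscriptions/sub-1/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv-prod"}
{"time":"2021-08-16T11:30:00Z","operationName":"Microsoft.KeyVault/vaults/accessPolicies/write","caller":"contractor@example.com","resultType":"Success","resourceId":"/subscriptions/sub-1/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv-prod"}
{"time":"2021-08-16T11:31:00Z","operationName":"Microsoft.KeyVault/vaults/delete","caller":"contractor@example.com","resultType":"Success","resourceId":"/subscriptions/sub-1/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv-prod"}
"""

# Hypothetical baseline of identities expected to manage vaults.
KNOWN_VAULT_ADMINS = {"admin@example.com"}


def parse_activity_log(text):
    """Parse newline-delimited JSON activity-log records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_keyvault_changes(records):
    """Return records whose operationName is a watched vault operation.
    Sigma string matching is case-insensitive, so compare in upper case."""
    return [r for r in records
            if r.get("operationName", "").upper() in WATCHED_OPERATIONS]


def triage(matches, known_admins=KNOWN_VAULT_ADMINS):
    """Tag each hit: a known admin is likely legitimate, anyone else needs review."""
    rows = []
    for r in matches:
        verdict = "expected" if r.get("caller") in known_admins else "review"
        rows.append((r["time"], r["caller"], r["operationName"], verdict))
    return rows


if __name__ == "__main__":
    hits = match_keyvault_changes(parse_activity_log(SAMPLE_LOG))
    for row in triage(hits):
        print(*row)
```

The read operation is ignored, while the vault write, access-policy write and delete are matched; only the two hits by the unlisted identity are tagged for review.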
Categories
  • Cloud
  • Azure
Data Sources
  • Cloud Service
  • Logon Session
Created: 2021-08-16