Added Credentials to Existing Application

Sigma Rules

Summary
This rule detects new credentials being added to an existing application in an Azure environment. It is based on audit logs that capture credential management actions: it matches messages that indicate an application update related to certificates and secrets management, or an update to a service principal. Such additions could signify unauthorized attempts by malicious actors to gain access using these credentials. The rule flags any unexpected addition as a potential threat and alerts administrators to the change, so security teams can determine whether a legitimate process is occurring or whether further investigation is warranted due to potential credential misuse.
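The matching described above, as an added example run over constructed audit records (this is not the Sigma rule's own source). The field names (`properties.message`, `message`, `actor`, `target`) and the exact message strings are assumptions modelled on the summary's wording.

```python
import json

# Assumed message prefixes, modelled on the two activity types the summary names.
WATCHED_MESSAGES = (
    "update application - certificates and secrets management",
    "update service principal",
)

def normalize(text):
    """Lower-case, fold en/em dashes to '-', collapse whitespace."""
    text = str(text).replace("\u2013", "-").replace("\u2014", "-")
    return " ".join(text.lower().split())

def message_of(record):
    """Return the activity message from a flat or nested ('properties') record."""
    props = record.get("properties")
    nested = props.get("message") if isinstance(props, dict) else None
    return record.get("message") or nested or ""

def find_credential_additions(lines):
    """Return one alert per audit record whose message matches a watched activity."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole run
        if not isinstance(record, dict):
            continue
        msg = normalize(message_of(record))
        if any(msg.startswith(w) for w in WATCHED_MESSAGES):
            alerts.append({"line": lineno, "message": msg,
                           "actor": record.get("actor", "unknown"),
                           "target": record.get("target", "unknown")})
    return alerts

# Constructed sample records (not real log data).
SAMPLE_LOG = [
    '{"actor": "admin@example.com", "target": "app-billing", "properties": '
    '{"message": "Update application \u2013 Certificates and secrets management"}}',
    '{"actor": "svc-deploy", "target": "sp-reporting", "message": "Update service principal"}',
    '{"actor": "admin@example.com", "target": "app-billing", "properties": {"message": "Update application"}}',
    'not json at all',
    '{"actor": "user@example.com", "properties": {"message": "Sign-in activity"}}',
]

if __name__ == "__main__":
    for alert in find_credential_additions(SAMPLE_LOG):
        print(alert)
```

A plain "Update application" event (for example a display-name change) is deliberately not matched; only the credential-related and service principal messages raise an alert.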
Categories
  • Cloud
  • Azure
  • Application
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
  • User Account
Created: 2022-05-26