
Azure AD Service Principal Privilege Escalation

Splunk Security Content

Summary
This detection rule identifies instances where an Azure Service Principal elevates its own privileges by assigning itself to a new app role. The rule leverages Azure Active Directory (Microsoft Entra ID) audit logs to track app role assignment operations. It specifically looks for operations in which a Service Principal successfully adds itself to an app role, which may indicate malicious behavior or a misconfiguration in access management. The search filters on specific properties to focus on successful operations initiated by the Service Principal and includes additional context about the roles and applications involved. The implementation requires the Splunk Add-on for Microsoft Cloud Services to ingest Entra ID audit logs via Azure Event Hub, making it essential for organizations that use Splunk for monitoring and security analytics.
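As an added illustration of the logic the summary describes (example code, not the rule's own SPL, which this page does not reproduce), the following Python applies the same check to constructed audit events modelled on the Entra ID audit-log schema. The operation name, the `initiatedBy.app.servicePrincipalId` field and the `AppRole.Value` property name are assumptions about that schema.

```python
import json

APP_ROLE_OP = "Add app role assignment to service principal"

# Constructed events modelled on the Entra ID audit-log schema; not real tenant data.
SAMPLE_EVENTS = [
    {"operationName": APP_ROLE_OP, "result": "success",   # SP grants itself a role -> alert
     "initiatedBy": {"app": {"servicePrincipalId": "sp-1111", "displayName": "ci-runner"}},
     "targetResources": [{"id": "sp-1111", "type": "ServicePrincipal", "displayName": "ci-runner",
                          "modifiedProperties": [{"displayName": "AppRole.Value",
                                                  "newValue": "\"Directory.ReadWrite.All\""}]}]},
    {"operationName": APP_ROLE_OP, "result": "success",   # admin user grants a role -> routine
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"id": "sp-2222", "type": "ServicePrincipal", "displayName": "reporting",
                          "modifiedProperties": [{"displayName": "AppRole.Value",
                                                  "newValue": "\"User.Read.All\""}]}]},
    {"operationName": APP_ROLE_OP, "result": "failure",   # failed self-assignment -> no alert
     "initiatedBy": {"app": {"servicePrincipalId": "sp-3333", "displayName": "backup-job"}},
     "targetResources": [{"id": "sp-3333", "type": "ServicePrincipal", "displayName": "backup-job",
                          "modifiedProperties": []}]},
]

def assigned_role(target):
    """Pull the granted role from modifiedProperties; newValue is a JSON-encoded string."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == "AppRole.Value":  # property name is an assumption
            try:
                return json.loads(prop["newValue"])
            except (ValueError, KeyError):
                return prop.get("newValue")
    return None

def self_assignment_target(event):
    """Return the target resource when a service principal successfully adds a role to itself."""
    if event.get("operationName") != APP_ROLE_OP or event.get("result", "").lower() != "success":
        return None
    actor_id = ((event.get("initiatedBy") or {}).get("app") or {}).get("servicePrincipalId")
    if not actor_id:
        return None  # initiated by a user, not by a service principal
    return next((t for t in event.get("targetResources", [])
                 if t.get("type") == "ServicePrincipal" and t.get("id") == actor_id), None)

def find_self_assignments(events):
    """One alert record per self-assignment, carrying the role as investigation context."""
    alerts = []
    for ev in events:
        target = self_assignment_target(ev)
        if target is not None:
            alerts.append({"service_principal_id": target["id"],
                           "service_principal": target.get("displayName"),
                           "app_role": assigned_role(target)})
    return alerts
```

Only the first sample event is flagged: the user-initiated grant and the failed attempt are filtered out by the initiator and result checks, mirroring the rule's focus on successful operations initiated by the Service Principal itself.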
Categories
  • Cloud
  • Azure
  • Identity Management
Data Sources
  • Pod
  • User Account
  • Active Directory
  • Cloud Service
ATT&CK Techniques
  • T1098.003
  • T1098
Created: 2025-01-06