
Summary
This detection rule identifies anomalous behavior in Azure Active Directory where a single user creates more than three unique OAuth applications within a 10-minute window. It monitors the 'Add service principal' operation in the Azure AD audit log and aggregates those events over a 10-minute window. Rapid creation of multiple service principals by one user is a strong indicator of potential malicious activity, typically an adversary attempting to gain unauthorized access or establish persistence in an enterprise's Azure environment. If the activity is confirmed as an attack, it could lead to privilege escalation or the compromise of sensitive data. The rule includes specific search queries that filter Azure AD logs for this pattern so that incident response and investigation can begin quickly.
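The detection logic described above, written out as an added Python example that is not the rule's own search query and not part of the original page. The audit-event field names (`time`, `operationName`, `user`, `appId`) and all sample events are constructed for illustration; the function applies the same rule as the summary: more than three unique application identifiers created by one user via 'Add service principal' within any 10-minute window.

```python
"""Flag Azure AD users who create more than three unique OAuth applications
('Add service principal' audit events) within a 10-minute window.

Added illustration of the rule's logic; the event schema below is simplified
and the sample events are constructed, not data from a real tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 3                  # alert only when the unique-app count exceeds this
WINDOW = timedelta(minutes=10) # aggregation window from the rule summary
OPERATION = "Add service principal"

# Constructed sample audit events (assumed, simplified field names).
SAMPLE_EVENTS = [
    # alice: four distinct apps inside ten minutes -> should alert
    {"time": "2024-11-14T10:00:05Z", "operationName": OPERATION, "user": "alice@example.com", "appId": "app-0001"},
    {"time": "2024-11-14T10:02:10Z", "operationName": OPERATION, "user": "alice@example.com", "appId": "app-0002"},
    {"time": "2024-11-14T10:05:30Z", "operationName": OPERATION, "user": "alice@example.com", "appId": "app-0003"},
    {"time": "2024-11-14T10:08:40Z", "operationName": OPERATION, "user": "alice@example.com", "appId": "app-0004"},
    # unrelated operation for alice: must be ignored by the filter
    {"time": "2024-11-14T10:09:00Z", "operationName": "Add user", "user": "alice@example.com", "appId": "app-0005"},
    # bob: four apps, but spread over 45 minutes -> no window holds more than one
    {"time": "2024-11-14T11:00:00Z", "operationName": OPERATION, "user": "bob@example.com", "appId": "app-0100"},
    {"time": "2024-11-14T11:15:00Z", "operationName": OPERATION, "user": "bob@example.com", "appId": "app-0101"},
    {"time": "2024-11-14T11:30:00Z", "operationName": OPERATION, "user": "bob@example.com", "appId": "app-0102"},
    {"time": "2024-11-14T11:45:00Z", "operationName": OPERATION, "user": "bob@example.com", "appId": "app-0103"},
    # carol: the same appId logged four times (duplicate events) -> one unique app
    {"time": "2024-11-14T12:00:00Z", "operationName": OPERATION, "user": "carol@example.com", "appId": "app-0200"},
    {"time": "2024-11-14T12:01:00Z", "operationName": OPERATION, "user": "carol@example.com", "appId": "app-0200"},
    {"time": "2024-11-14T12:02:00Z", "operationName": OPERATION, "user": "carol@example.com", "appId": "app-0200"},
    {"time": "2024-11-14T12:03:00Z", "operationName": OPERATION, "user": "carol@example.com", "appId": "app-0200"},
    # dave: exactly three unique apps -> at the threshold, not over it, no alert
    {"time": "2024-11-14T13:00:00Z", "operationName": OPERATION, "user": "dave@example.com", "appId": "app-0300"},
    {"time": "2024-11-14T13:01:00Z", "operationName": OPERATION, "user": "dave@example.com", "appId": "app-0301"},
    {"time": "2024-11-14T13:02:00Z", "operationName": OPERATION, "user": "dave@example.com", "appId": "app-0302"},
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_rapid_sp_creators(events, threshold=THRESHOLD, window=WINDOW):
    """Return {user: sorted unique appIds} for every user who created more
    than `threshold` unique service principals within any `window`."""
    per_user = defaultdict(list)
    for event in events:
        # Filter to the operation the rule monitors.
        if event.get("operationName") != OPERATION:
            continue
        per_user[event["user"]].append((parse_time(event["time"]), event["appId"]))

    alerts = {}
    for user, rows in per_user.items():
        rows.sort()  # chronological order so a sliding window can be applied
        for i, (start, _) in enumerate(rows):
            # Unique apps created from this event to the end of the window.
            apps = {app for ts, app in rows[i:] if ts - start <= window}
            if len(apps) > threshold:
                alerts[user] = sorted(apps)
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for user, apps in find_rapid_sp_creators(SAMPLE_EVENTS).items():
        print(f"ALERT: {user} created {len(apps)} service principals: {apps}")
```

The sliding window deliberately counts unique `appId` values rather than raw events, so duplicate audit entries for one application (carol) and slow, spread-out creation (bob) do not fire, while a user at exactly three (dave) stays below the "more than three" threshold. When tuning, the sample is the place to add the tenant's own legitimate bulk-provisioning patterns before raising or lowering the threshold.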
Categories
- Identity Management
- Cloud
- Azure
Data Sources
- Pod
- User Account
- Cloud Service
- Application Log
ATT&CK Techniques
- T1136
- T1136.003
Created: 2024-11-14