
Summary
This detection rule identifies activity by users whose Azure Active Directory (Azure AD) accounts have been terminated but who are still interacting with cloud services such as AWS or Salesforce. It specifically targets scenarios where a terminated Azure AD user still holds a non-terminated account that lets them manage resources in another cloud platform. The primary data source is the Security Compliance Center within Microsoft 365, and the rule relies on the events generated when these terminated accounts perform actions. The risk is significant: such activity can lead to unauthorized access and data breaches, so it must be monitored and responded to. The rule is assigned medium severity, indicating that a triggered alert warrants investigation.
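The correlation this rule describes, written out as an added example (not the rule's own query): Azure AD account state is joined against cloud-service audit events, and an event is flagged only when it occurs after the acting user's termination time. The field names (UserId, Workload, Operation, CreationTime) and the sample users and events are constructed assumptions for illustration.

```python
# Added example: flag cloud-service activity performed after the acting
# user's Azure AD account was terminated. Field names and sample data are
# assumptions constructed for illustration, not the rule's real schema.
from datetime import datetime, timezone


def _ts(value):
    """Parse an ISO-8601 timestamp and treat it as UTC."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


# Constructed sample: Azure AD users keyed by UPN; value is the termination
# timestamp, or None for an active account.
AZURE_AD_USERS = {
    "alice@example.com": None,
    "bob@example.com": "2021-08-20T17:00:00",
    "carol@example.com": "2021-08-22T09:30:00",
}

# Constructed sample: audit events for third-party cloud workloads as they
# might be exported from the Microsoft 365 compliance portal.
AUDIT_EVENTS = [
    {"UserId": "alice@example.com", "Workload": "AWS", "Operation": "RunInstances", "CreationTime": "2021-08-23T10:00:00"},
    {"UserId": "Bob@example.com", "Workload": "AWS", "Operation": "CreateAccessKey", "CreationTime": "2021-08-23T08:15:00"},
    {"UserId": "carol@example.com", "Workload": "Salesforce", "Operation": "ReportExport", "CreationTime": "2021-08-21T12:00:00"},
    {"UserId": "carol@example.com", "Workload": "Salesforce", "Operation": "ReportExport", "CreationTime": "2021-08-23T12:00:00"},
]


def terminated_user_activity(events, users, severity="medium"):
    """Return one alert per event whose actor was terminated in Azure AD
    before the event occurred. UPNs are compared case-insensitively because
    identity providers do not normalise case consistently; activity that
    predates the termination is legitimate and is not flagged."""
    terminated = {upn.lower(): _ts(t) for upn, t in users.items() if t is not None}
    alerts = []
    for ev in events:
        upn = ev["UserId"].lower()
        terminated_at = terminated.get(upn)
        if terminated_at is None or _ts(ev["CreationTime"]) <= terminated_at:
            continue  # active user, unknown user, or pre-termination activity
        alerts.append({
            "severity": severity,
            "user": upn,
            "workload": ev["Workload"],
            "operation": ev["Operation"],
            "event_time": ev["CreationTime"],
            "terminated_at": terminated_at.isoformat(),
        })
    return alerts


if __name__ == "__main__":
    for alert in terminated_user_activity(AUDIT_EVENTS, AZURE_AD_USERS):
        print(alert)
```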
Categories
- Cloud
- Identity Management
- Azure
Data Sources
- User Account
- Cloud Service
Created: 2021-08-23