
Azure Service Principal Addition

Elastic Detection Rules

Summary
This detection rule identifies when a new service principal is added within Azure. A service principal is an identity created for applications, hosted services, or automated tools to interact with Azure resources. Using service principals for automated tools is recommended because it removes the need for direct user login. The rule queries Azure audit logs for events with the operation name "Add service principal" and a successful outcome. It matters because it helps detect the potentially unauthorized creation of service principals, which attackers can leverage to impersonate legitimate applications. During triage, security analysts are advised to investigate the associated user's activity, check for unusual source IPs, and review the timing of the action. If the rule produces false positives due to normal operational activity, exceptions can be created for known benign actions. The rule is part of an identity and access audit strategy, aiding in the prevention of abuse of service principals in cloud environments.
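The following Python block is an added example of the matching logic the summary describes, run over a handful of constructed audit-log records; it is not the Elastic rule's own query or code. It assumes an ECS-like record layout (fields named `event.dataset`, `event.outcome`, `azure.auditlogs.operation_name`, and `azure.auditlogs.properties.initiated_by.user.*`) and goes slightly beyond the rule by attaching the two triage signals the summary mentions, an off-hours timestamp and a source IP outside a known network list; both the business-hours window and the network list are assumptions chosen for the example.

```python
# Added example: toy detection over Azure audit-log records, in the spirit of
# the rule above. Not the rule's own query. Field paths are assumptions.
import ipaddress
from datetime import datetime, timezone

OPERATION = "Add service principal"
DATASET = "azure.auditlogs"
BUSINESS_HOURS_UTC = (8, 18)                       # assumed window, inclusive start, exclusive end
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]   # assumed corporate egress range


def _event(ts, outcome, operation, user, ip, dataset=DATASET):
    """Build one constructed audit-log record (sample data, not real telemetry)."""
    return {
        "@timestamp": ts,
        "event": {"dataset": dataset, "outcome": outcome},
        "azure": {"auditlogs": {
            "operation_name": operation,
            "properties": {"initiated_by": {"user": {
                "userPrincipalName": user, "ipAddress": ip}}},
        }},
    }


# Constructed sample records: one benign creation, one failed attempt, one
# unrelated operation, one off-hours creation from an unknown address, and
# one record from a different dataset.
SAMPLE_EVENTS = [
    _event("2024-03-04T09:12:00Z", "Success", OPERATION, "alice@example.com", "198.51.100.7"),
    _event("2024-03-04T09:13:00Z", "failure", OPERATION, "bob@example.com", "198.51.100.9"),
    _event("2024-03-04T09:14:00Z", "success", "Add member to group", "alice@example.com", "198.51.100.7"),
    _event("2024-03-05T03:05:00Z", "success", OPERATION, "svc-deploy@example.com", "203.0.113.44"),
    _event("2024-03-05T03:06:00Z", "success", OPERATION, "carol@example.com", "198.51.100.12",
           dataset="azure.activitylogs"),
]


def _get(record, dotted_path, default=None):
    """Walk a nested dict by a dotted path; missing keys yield the default."""
    current = record
    for key in dotted_path.split("."):
        if not isinstance(current, dict) or key not in current:
            return default
        current = current[key]
    return current


def matches_rule(record):
    """Core rule: audit-log dataset, 'Add service principal', successful outcome.
    Outcome is compared case-insensitively because both 'success' and 'Success' occur."""
    return (
        _get(record, "event.dataset") == DATASET
        and _get(record, "azure.auditlogs.operation_name") == OPERATION
        and str(_get(record, "event.outcome", "")).lower() == "success"
    )


def _is_off_hours(ts):
    hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).hour
    start, end = BUSINESS_HOURS_UTC
    return not (start <= hour < end)


def _is_unknown_source(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True                                # unparsable address is worth a look
    return not any(addr in net for net in KNOWN_NETWORKS)


def run_rule(records):
    """Return one alert per matching record, enriched with triage hints."""
    alerts = []
    for rec in records:
        if not matches_rule(rec):
            continue
        user = _get(rec, "azure.auditlogs.properties.initiated_by.user", {})
        ip = user.get("ipAddress", "")
        alerts.append({
            "timestamp": rec["@timestamp"],
            "actor": user.get("userPrincipalName", "<unknown>"),
            "source_ip": ip,
            "off_hours": _is_off_hours(rec["@timestamp"]),
            "unknown_source": _is_unknown_source(ip),
        })
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Only the two successful "Add service principal" events in the audit-log dataset produce alerts; the failed attempt, the group-membership change and the activity-log record are filtered out. The second alert carries both triage flags, which is the shape of event the summary suggests an analyst should look at first, while the first would be a candidate for an exception if the actor's activity is routine.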
Categories
  • Cloud
  • Azure
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1550
  • T1550.001
Created: 2020-12-14