O365 Multiple Service Principals Created by SP

Splunk Security Content

Summary
This detection rule identifies instances where a single service principal in an Office 365 (O365) environment creates more than three distinct OAuth applications within a 10-minute period, using Unified Audit Log data. By focusing on the 'Add service principal' operation in Azure Active Directory, the rule flags potentially malicious activity: rapid creation of multiple OAuth applications by one service principal can indicate compromise or malicious intent. Uncontrolled application proliferation can facilitate unauthorized access and lateral movement within the environment, significantly raising the security risk. The rule runs on the Splunk platform for operational efficiency and visualization of detected threats.
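The counting logic described above, re-implemented as an added example that is not Splunk's own search: it runs over constructed Unified Audit Log events in JSON-lines form, filters the 'Add service principal.' operation, and flags any actor with more than three distinct application ids inside a sliding 10-minute window. CreationTime, Workload, Operation, UserId and ObjectId are UAL field names; the ActorType field and the sample values are assumptions.

```python
# Added example, not Splunk's search: the rule's counting logic over constructed
# O365 Unified Audit Log events. CreationTime, Workload, Operation, UserId and
# ObjectId are UAL fields; ActorType is an assumed stand-in for the SP-actor check.
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # rule window
THRESHOLD = 3                   # alert when distinct apps created > 3

def _ev(t, actor, app, actor_type="ServicePrincipal", op="Add service principal."):
    # Build one constructed audit event as a JSON line.
    return json.dumps({"CreationTime": t, "Workload": "AzureActiveDirectory",
                       "Operation": op, "UserId": actor, "ObjectId": app,
                       "ActorType": actor_type})

SAMPLE_LOG = "\n".join([
    # sp-ci-deploy: four distinct apps inside nine minutes -> alert
    _ev("2024-11-14T10:00:05", "sp-ci-deploy", "app-0001"),
    _ev("2024-11-14T10:02:10", "sp-ci-deploy", "app-0002"),
    _ev("2024-11-14T10:05:30", "sp-ci-deploy", "app-0003"),
    _ev("2024-11-14T10:09:00", "sp-ci-deploy", "app-0004"),
    # an unrelated operation by the same SP is ignored
    _ev("2024-11-14T10:03:00", "sp-ci-deploy", "app-9999", op="Update application."),
    # sp-retry: one app logged four times -> one distinct app, no alert
    *[_ev(f"2024-11-14T11:00:{s:02d}", "sp-retry", "app-0200") for s in (1, 2, 3, 4)],
    # sp-slow: four apps spread over 45 minutes -> never >3 in one window
    *[_ev(f"2024-11-14T12:{m:02d}:00", "sp-slow", f"app-03{m:02d}") for m in (0, 15, 30, 45)],
    # a human admin's burst is out of scope for this rule (ActorType filter)
    *[_ev(f"2024-11-14T13:00:{s:02d}", "admin@contoso.test", f"app-040{s}", "User") for s in range(5)],
])

def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {actor: (distinct_apps, sorted app ids)} for actors over the threshold."""
    per_actor = defaultdict(list)
    for line in log_text.splitlines():
        e = json.loads(line)
        if (e.get("Workload") != "AzureActiveDirectory"
                or e.get("Operation") != "Add service principal."
                or e.get("ActorType") != "ServicePrincipal"):
            continue
        per_actor[e["UserId"]].append((datetime.fromisoformat(e["CreationTime"]), e["ObjectId"]))
    alerts = {}
    for actor, events in per_actor.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # sliding window anchored on each creation; count distinct app ids
            apps = {app for t, app in events[i:] if t - start <= window}
            if len(apps) > threshold and len(apps) > alerts.get(actor, (0,))[0]:
                alerts[actor] = (len(apps), sorted(apps))
    return alerts
```

Calling `detect(SAMPLE_LOG)` flags only sp-ci-deploy; a fixed 10-minute bucket (as a `bin`-style search would use) can miss a burst that straddles a bucket boundary, which the sliding window here does not.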
Categories
  • Cloud
  • Identity Management
  • Infrastructure
Data Sources
  • Pod
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1136
  • T1136.003
Created: 2024-11-14