Azure Active Directory Hybrid Health AD FS New Server

Sigma Rules

Summary
This rule monitors the Azure Activity log for the creation or update of Azure Active Directory Hybrid Health AD FS server instances, using entries in the 'Administrative' category. Its purpose is to surface server instances that were not approved and that could indicate an attacker attempting to spoof Active Directory Federation Services (AD FS) sign-in logs. A threat actor can register such a fake server instance without compromising an existing on-premises AD FS server: the registration, and the forged sign-in events that follow, can be sent to Azure with plain HTTP requests. Spoofed sign-in entries undermine any investigation or access decision that relies on AD FS sign-in telemetry, which is why this detection matters for the integrity of Azure AD Hybrid Health data. The rule selects events by resource provider and operation name so that only Hybrid Health AD FS service-member operations match. A legitimate AD FS server being added to a Hybrid Health service instance produces the same event and is the expected false positive, so each hit should be checked against the list of approved AD FS servers and the identity that performed the registration.
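To make the selection concrete, the following added example (not part of the page or of the Sigma project) implements Sigma-style field matching for this rule and runs it over constructed Azure Activity log records, then separates the known false positive (an approved identity adding a legitimate server) from registrations worth investigating. The field names follow the Azure Activity log schema as Sigma's `azure`/`activitylogs` logsource exposes them; the exact selection values, the `Caller` allow-list and all sample records are assumptions made for this illustration, since the page does not reproduce the rule body.

```python
"""Sigma-style evaluation of the 'AD FS new server' selection over
constructed Azure Activity log records (added example, not the rule itself)."""
from typing import Any, Dict, Iterable, List

Record = Dict[str, Any]

# Assumed selection for this rule: a Sigma selection map, keys as
# "field" or "field|modifier". Values are an assumption, not quoted from the page.
ADFS_NEW_SERVER_SELECTION: Dict[str, str] = {
    "CategoryValue": "Administrative",
    "ResourceProviderValue": "Microsoft.ADHybridHealthService",
    "ResourceId|contains": "AdFederationService",
    "OperationNameValue": "Microsoft.ADHybridHealthService/services/servicemembers/action",
}


def _field_matches(value: Any, modifier: str, expected: str) -> bool:
    """Sigma string matching: case-insensitive, with the common modifiers."""
    if value is None:
        return False
    v, e = str(value).lower(), expected.lower()
    if modifier == "":
        return v == e
    if modifier == "contains":
        return e in v
    if modifier == "startswith":
        return v.startswith(e)
    if modifier == "endswith":
        return v.endswith(e)
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(record: Record, selection: Dict[str, str]) -> bool:
    """A Sigma selection map is an AND over every field condition in it."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(record.get(field), modifier, expected):
            return False
    return True


def find_new_adfs_servers(records: Iterable[Record]) -> List[Record]:
    """Return the records that satisfy the rule's selection."""
    return [r for r in records if selection_matches(r, ADFS_NEW_SERVER_SELECTION)]


def triage(hits: Iterable[Record], approved_callers: Iterable[str]) -> List[Record]:
    """Drop hits whose Caller is an approved AD FS admin identity.

    This is where the rule's documented false positive (a legitimate AD FS
    server added to a Hybrid Health service instance) is separated from
    unexplained registrations. The allow-list is the operator's own; the
    one used here is constructed for the example."""
    approved = {c.lower() for c in approved_callers}
    return [h for h in hits if str(h.get("Caller", "")).lower() not in approved]


# Constructed sample records (not real tenant data).
_SVC = "/providers/Microsoft.ADHybridHealthService/services/"
SAMPLE_RECORDS: List[Record] = [
    {   # approved admin registers a server under an AD FS Hybrid Health service
        "CategoryValue": "Administrative",
        "ResourceProviderValue": "Microsoft.ADHybridHealthService",
        "ResourceId": _SVC + "AdFederationService-sts.example.com/servicemembers/11111111-aaaa",
        "OperationNameValue": "Microsoft.ADHybridHealthService/services/servicemembers/action",
        "Caller": "adfs-admin@example.com",
    },
    {   # unexpected identity registers a server under the same AD FS service
        "CategoryValue": "Administrative",
        "ResourceProviderValue": "Microsoft.ADHybridHealthService",
        "ResourceId": _SVC + "AdFederationService-sts.example.com/servicemembers/22222222-bbbb",
        "OperationNameValue": "Microsoft.ADHybridHealthService/services/servicemembers/action",
        "Caller": "contractor@example.com",
    },
    {   # same provider and operation, but a sync (non-AD FS) service: no match
        "CategoryValue": "Administrative",
        "ResourceProviderValue": "Microsoft.ADHybridHealthService",
        "ResourceId": _SVC + "AadSyncService-example.com/servicemembers/33333333-cccc",
        "OperationNameValue": "Microsoft.ADHybridHealthService/services/servicemembers/action",
        "Caller": "adfs-admin@example.com",
    },
    {   # unrelated administrative write on a VM named like an AD FS host: no match
        "CategoryValue": "Administrative",
        "ResourceProviderValue": "Microsoft.Compute",
        "ResourceId": "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/adfs01",
        "OperationNameValue": "Microsoft.Compute/virtualMachines/write",
        "Caller": "vm-admin@example.com",
    },
]

if __name__ == "__main__":
    hits = find_new_adfs_servers(SAMPLE_RECORDS)
    for h in triage(hits, ["adfs-admin@example.com"]):
        print("investigate:", h["Caller"], h["ResourceId"])
```

The selection fires on both service-member registrations, as the rule would; the allow-list step is the analyst's follow-up, not part of the rule, and only the registration by the unapproved identity survives it.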
Categories
  • Cloud
  • Azure
  • Infrastructure
Data Sources
  • Logon Session
  • Active Directory
  • Cloud Service
  • Application Log
Created: 2021-08-26