
Summary
This detection rule identifies an account attempting to dump a Local Administrator Password Solution (LAPS) credential from Microsoft Entra ID. The rule monitors Azure audit logs for activity indicating the successful recovery of a device's local administrator credential. Specifically, it flags events in the 'Device' category whose activity type contains a phrase such as 'Recover device local administrator password'. The detection depends on correlating these events with additional details indicating successful retrieval of the local credential for the targeted device ID. False positives may occur when the retrieval is an approved activity performed by an administrator.
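As an added illustration (not the rule's own query), the following Python applies the same logic to constructed Entra ID audit-log lines: it keeps only successful 'Device' category events whose activity is the LAPS recovery and whose additional details confirm a credential was returned, then reports the actor and target device ID. The field names follow the Microsoft Graph directoryAudit shape; the additionalDetails key "RetrievedLocalCredential" and the sample values are assumptions.

```python
import json

# Constructed sample Entra ID audit-log events, one JSON object per line (not real data).
# Field names follow the Microsoft Graph directoryAudit shape; the additionalDetails key
# "RetrievedLocalCredential" is an assumption standing in for whatever your tenant emits.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"category": "Device",
     "activityDisplayName": "Recover device local administrator password",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
     "targetResources": [{"id": "device-guid-0001", "type": "Device"}],
     "additionalDetails": [{"key": "RetrievedLocalCredential", "value": "True"}]},
    {"category": "Device",
     "activityDisplayName": "Recover device local administrator password",
     "result": "failure",  # denied request: no credential was returned
     "initiatedBy": {"user": {"userPrincipalName": "intern@example.com"}},
     "targetResources": [{"id": "device-guid-0002", "type": "Device"}],
     "additionalDetails": []},
    {"category": "Device",
     "activityDisplayName": "Update device",  # unrelated Device-category activity
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
     "targetResources": [{"id": "device-guid-0003", "type": "Device"}],
     "additionalDetails": []},
])

def is_laps_recovery(event: dict) -> bool:
    """Mirror the rule: Device category, LAPS recovery activity, successful credential retrieval."""
    if event.get("category") != "Device":
        return False
    if "recover device local administrator password" not in event.get("activityDisplayName", "").lower():
        return False
    details = {d.get("key"): str(d.get("value", "")).lower() for d in event.get("additionalDetails", [])}
    return event.get("result") == "success" and details.get("RetrievedLocalCredential") == "true"

def find_laps_dumps(log_text: str) -> list:
    """Return (actor, device_id) pairs for each matching event, correlated on the target device ID."""
    hits = []
    for line in log_text.splitlines():
        event = json.loads(line)
        if not is_laps_recovery(event):
            continue
        actor = event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        for target in event.get("targetResources", []):
            if target.get("type") == "Device":
                hits.append((actor, target.get("id")))
    return hits
```

Each hit is a candidate for review against change tickets or the help desk queue, which is how the approved-administrator false positives noted above are triaged.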
Categories
- Cloud
- Identity Management
- Windows
Data Sources
- Cloud Service
- Logon Session
- Application Log
Created: 2024-06-26