
Azure External Invite

Anvilogic Forge

Summary
The Azure External Invite detection rule is designed to identify potentially malicious activity related to the invitation of external users into an Azure Active Directory (AD) environment. This capability lets organizations collaborate by inviting users from outside the organization as guest accounts. However, adversaries can abuse this feature to create secondary persistence mechanisms or accounts that appear legitimate and facilitate unauthorized access. The detection logic uses Splunk queries to aggregate and analyze Azure activity logs, focusing specifically on events tied to external user invitations. The primary fields extracted are the invited user's email, the associated account details, and relevant metadata, organized by timestamp. This rule is important for maintaining oversight of identity management practices and ensuring that any unauthorized account creation is detected promptly.
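The following script is an added example and not the Anvilogic Forge rule or its Splunk query. It shows the same logic in Python: filter audit records for the external-invitation operation, pull out the invited user's email, the initiating account and its metadata, order the results by timestamp, and aggregate per initiator. The sample records are constructed; their field layout (operationName, initiatedBy, targetResources, activityDateTime) follows the Azure AD audit log schema as the author understands it and is an assumption, as is the "Invite external user" operation name and the `alias_domain#EXT#@tenant` guest UPN convention used to recover the external email.

```python
"""Azure AD external-invite detection over sample audit log lines.

Added example, not code from the original page or from Anvilogic Forge.
Field names and the guest UPN convention are assumptions (see lead-in).
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit records (one JSON object per line), deliberately
# out of chronological order. Two invites come from one initiator, one from
# another, and one unrelated "Update user" event must be ignored.
SAMPLE_AUDIT_LOG = """\
{"activityDateTime":"2025-07-04T10:02:11Z","operationName":"Invite external user","category":"UserManagement","result":"success","initiatedBy":{"user":{"userPrincipalName":"admin@example.com","ipAddress":"203.0.113.10"}},"targetResources":[{"type":"User","userPrincipalName":"guest.one_contoso.example#EXT#@example.onmicrosoft.com"}]}
{"activityDateTime":"2025-07-04T09:58:40Z","operationName":"Invite external user","category":"UserManagement","result":"success","initiatedBy":{"user":{"userPrincipalName":"helpdesk@example.com","ipAddress":"198.51.100.7"}},"targetResources":[{"type":"User","userPrincipalName":"vendor_partner.example#EXT#@example.onmicrosoft.com"}]}
{"activityDateTime":"2025-07-04T10:05:03Z","operationName":"Update user","category":"UserManagement","result":"success","initiatedBy":{"user":{"userPrincipalName":"admin@example.com","ipAddress":"203.0.113.10"}},"targetResources":[{"type":"User","userPrincipalName":"alice@example.com"}]}
{"activityDateTime":"2025-07-04T10:07:29Z","operationName":"Invite external user","category":"UserManagement","result":"success","initiatedBy":{"user":{"userPrincipalName":"admin@example.com","ipAddress":"203.0.113.10"}},"targetResources":[{"type":"User","userPrincipalName":"guest.two_contoso.example#EXT#@example.onmicrosoft.com"}]}
"""

INVITE_OPERATION = "Invite external user"  # assumed operationName value


@dataclass
class InviteEvent:
    timestamp: str        # ISO 8601 UTC, sorts lexicographically
    initiator: str        # account that issued the invitation
    initiator_ip: str     # source IP recorded in the audit entry
    invited_email: str    # external address recovered from the guest UPN
    guest_upn: str        # guest object created in the tenant
    result: str


def external_email_from_guest_upn(upn: str) -> str:
    """Turn 'alias_domain.tld#EXT#@tenant' back into 'alias@domain.tld'.

    Only the last underscore before '#EXT#' replaces the '@'; underscores
    inside the alias are preserved. Non-guest UPNs are returned unchanged.
    """
    local, sep, _tenant = upn.partition("#EXT#@")
    if not sep:
        return upn
    alias, underscore, domain = local.rpartition("_")
    return f"{alias}@{domain}" if underscore else local


def parse_invite_events(raw_lines: str) -> list[InviteEvent]:
    """Filter audit records to external invitations and sort by timestamp."""
    events: list[InviteEvent] = []
    for line in raw_lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("operationName") != INVITE_OPERATION:
            continue  # unrelated identity-management event
        initiator = rec.get("initiatedBy", {}).get("user", {})
        for target in rec.get("targetResources", []):
            if target.get("type") != "User":
                continue
            upn = target.get("userPrincipalName", "")
            events.append(InviteEvent(
                timestamp=rec.get("activityDateTime", ""),
                initiator=initiator.get("userPrincipalName", "unknown"),
                initiator_ip=initiator.get("ipAddress", ""),
                invited_email=external_email_from_guest_upn(upn),
                guest_upn=upn,
                result=rec.get("result", ""),
            ))
    events.sort(key=lambda e: e.timestamp)
    return events


def summarize_by_initiator(events: list[InviteEvent]) -> dict:
    """Per-initiator count, invited addresses and first/last seen times
    (the Python counterpart of a stats count, values(), min(), max() by user)."""
    summary: dict = defaultdict(
        lambda: {"count": 0, "invited": [], "first_seen": None, "last_seen": None})
    for e in events:  # already timestamp-ordered
        s = summary[e.initiator]
        s["count"] += 1
        s["invited"].append(e.invited_email)
        s["first_seen"] = s["first_seen"] or e.timestamp
        s["last_seen"] = e.timestamp
    return dict(summary)


def flag_bulk_inviters(summary: dict, threshold: int = 2) -> list[str]:
    """Initiators at or above the invite threshold; threshold is a tunable guess."""
    return sorted(i for i, s in summary.items() if s["count"] >= threshold)


if __name__ == "__main__":
    evts = parse_invite_events(SAMPLE_AUDIT_LOG)
    for e in evts:
        print(f"{e.timestamp} {e.initiator} ({e.initiator_ip}) -> {e.invited_email}")
    print("flagged:", flag_bulk_inviters(summarize_by_initiator(evts)))
```

In a real deployment the records would come from the AuditLogs table or the Splunk index rather than an inline string, and the threshold would be tuned against the tenant's normal invitation rate; the point of the aggregation is that a single account inviting many guests in a short window is the pattern worth reviewing for abuse of guest access.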
Categories
  • Cloud
  • Identity Management
  • Azure
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1078
  • T1136
Created: 2025-07-04