
AADInternals PowerShell Cmdlets Execution - PsScript

Sigma Rules

Summary
This detection rule identifies the execution of AADInternals PowerShell cmdlets, commands used to manage Azure Active Directory (AAD) and Office 365 environments. AADInternals is a powerful toolkit that IT administrators use for legitimate purposes, but threat actors can also misuse it for reconnaissance, privilege escalation or credential theft against Azure AD and Office 365 environments. The detection relies on PowerShell Script Block Logging: the rule fires when any of the designated cmdlet names appears in a logged script block, since such execution could correspond to unauthorized administrative actions or attacks against the Azure environment. Covering a wide range of cmdlet functions gives the rule thorough coverage of potential malicious activity, so it is effective against both targeted attacks and broad exploitation attempts.
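The following is an added example (not the rule's own source and not AADInternals code) that prototypes the detection logic the summary describes over a few constructed script block log records. It assumes the log source is Windows PowerShell Script Block Logging, which writes event ID 4104 to the Microsoft-Windows-PowerShell/Operational channel, and it matches cmdlet names case-insensitively as substrings, the way a Sigma `contains` modifier does. The cmdlet list is illustrative only; the rule's own selection list is what a deployment should use. The example also goes one step beyond the rule by matching on the `Verb-AADInt*` naming convention that AADInternals cmdlets share, so that cmdlets missing from the explicit list are still caught; the record names and the cmdlet `Remove-AADIntExampleItem` are constructed for the sample data.

```python
"""Prototype of the AADInternals cmdlet detection over PowerShell script block logs."""
import re
from dataclasses import dataclass

# Illustrative AADInternals cmdlet names (constructed list for this example).
# A real deployment should use the selection list carried by the rule itself.
AADINTERNALS_CMDLETS = (
    "Get-AADIntAccessTokenForAADGraph",
    "Get-AADIntAccessTokenForMSGraph",
    "Invoke-AADIntReconAsOutsider",
    "Get-AADIntTenantDetails",
)

# Script Block Logging records the executed script text as event 4104
# (assumed log source, as the rule reads script block logs).
SCRIPT_BLOCK_EVENT_ID = 4104

# Generalisation beyond the explicit list: AADInternals cmdlets share the
# "AADInt" noun prefix, so "Verb-AADIntNoun" catches names not listed above.
AADINT_PREFIX = re.compile(r"\b[A-Za-z]+-AADInt[A-Za-z0-9]*", re.IGNORECASE)


@dataclass
class Alert:
    record_id: int
    matched: list  # cmdlet names that triggered the alert, in detection order


def match_cmdlets(script_block_text: str) -> list:
    """Return the cmdlet names found in a script block.

    Explicit names are matched case-insensitively as substrings (Sigma `contains`
    semantics); the prefix pattern then adds any further Verb-AADInt* names.
    """
    lowered = script_block_text.lower()
    hits = [name for name in AADINTERNALS_CMDLETS if name.lower() in lowered]
    for m in AADINT_PREFIX.finditer(script_block_text):
        candidate = m.group(0)
        # Avoid reporting the same cmdlet twice when the list already caught it.
        if candidate.lower() not in (h.lower() for h in hits):
            hits.append(candidate)
    return hits


def scan(records) -> list:
    """Apply the detection to a sequence of log records (dicts).

    Records from other event IDs are ignored, mirroring the rule's log source
    restriction to script block logging.
    """
    alerts = []
    for rec in records:
        if rec.get("EventID") != SCRIPT_BLOCK_EVENT_ID:
            continue
        hits = match_cmdlets(rec.get("ScriptBlockText", ""))
        if hits:
            alerts.append(Alert(record_id=rec["RecordId"], matched=hits))
    return alerts


# Constructed sample records: one obvious hit, one benign Graph query,
# one AADInternals call in a module-logging event (wrong event ID, so skipped),
# and one mixed-case script with a cmdlet absent from the explicit list.
SAMPLE_RECORDS = [
    {"RecordId": 1, "EventID": 4104,
     "ScriptBlockText": "Import-Module AADInternals; Get-AADIntAccessTokenForAADGraph -SaveToCache"},
    {"RecordId": 2, "EventID": 4104,
     "ScriptBlockText": "Get-MgUser -All | Export-Csv users.csv"},
    {"RecordId": 3, "EventID": 4103,
     "ScriptBlockText": "Invoke-AADIntReconAsOutsider -Domain example.com"},
    {"RecordId": 4, "EventID": 4104,
     "ScriptBlockText": "$t = get-aadintaccesstokenformsgraph; Remove-AADIntExampleItem -Id 1"},
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(f"record {alert.record_id}: {', '.join(alert.matched)}")
```

Running the block reports records 1 and 4; record 3 is silently skipped because it is not a script block event, which is worth remembering when validating coverage: if Script Block Logging is not enabled on a host, this rule has nothing to read there.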
Categories
  • Cloud
  • Identity Management
  • Application
Data Sources
  • Script
Created: 2022-12-23