Azure AD User ImmutableId Attribute Updated

Splunk Security Content

Summary
This analytic detects changes to the SourceAnchor (ImmutableId) attribute of Azure Active Directory (AD) users by inspecting Azure AD audit logs. The attribute is pivotal for identity federation, so an unexpected modification often indicates an attempt to create a backdoor for unauthorized access. The detection focuses on the "Update user" operation in the Azure AD audit logs and reports events in which the SourceAnchor attribute was altered. If such a modification goes unnoticed, an attacker could impersonate the affected user and bypass traditional authentication controls such as passwords and multi-factor authentication (MFA). Prompt monitoring and investigation of these events is therefore important to reduce the risk of a data breach.
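As an added illustration (this is not Splunk's own detection, which is an SPL search and is not reproduced here), the following Python applies the rule described above to constructed Azure AD audit records: it keeps only "Update user" operations and reports each target user whose modifiedProperties contain an effective SourceAnchor change. The record shape follows the Microsoft Graph directory audit schema (operationName, initiatedBy, targetResources[].modifiedProperties[] with JSON-encoded oldValue/newValue strings); the sample records, account names and anchor values are made up for the example.

```python
"""Flag SourceAnchor (ImmutableId) changes in Azure AD audit records (added example)."""
import json

# Constructed sample records in the shape of Azure AD directory audit entries.
# Names, times and anchor values are placeholders, not real data.
SAMPLE_AUDIT_LOGS = [
    {   # suspicious: an existing SourceAnchor is replaced
        "activityDateTime": "2024-11-14T10:15:00Z",
        "operationName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "targetResources": [{
            "userPrincipalName": "victim@example.test",
            "modifiedProperties": [{
                "displayName": "SourceAnchor",
                "oldValue": "\"AAAAAAAAAAAAAAAAAAAAAA==\"",
                "newValue": "\"QkJCQkJCQkJCQkJCQkJCQg==\"",
            }],
        }],
    },
    {   # benign: only the display name changed
        "activityDateTime": "2024-11-14T10:16:00Z",
        "operationName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "targetResources": [{
            "userPrincipalName": "bob@example.test",
            "modifiedProperties": [{
                "displayName": "DisplayName",
                "oldValue": "\"Bob\"", "newValue": "\"Robert\"",
            }],
        }],
    },
    {   # first-time set: Azure records an empty JSON array as the old value
        "activityDateTime": "2024-11-14T10:17:00Z",
        "operationName": "Update user",
        "initiatedBy": {"app": {"displayName": "Sync client (constructed)"}},
        "targetResources": [{
            "userPrincipalName": "carol@example.test",
            "modifiedProperties": [{
                "displayName": "SourceAnchor",
                "oldValue": "[]",
                "newValue": "\"Q0NDQ0NDQ0NDQ0NDQ0NDQw==\"",
            }],
        }],
    },
    {   # no-op: SourceAnchor written with its current value
        "activityDateTime": "2024-11-14T10:18:00Z",
        "operationName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "targetResources": [{
            "userPrincipalName": "erin@example.test",
            "modifiedProperties": [{
                "displayName": "SourceAnchor",
                "oldValue": "\"RERERERERERERERERERERA==\"",
                "newValue": "\"RERERERERERERERERERERA==\"",
            }],
        }],
    },
    {   # not an update operation at all
        "activityDateTime": "2024-11-14T10:19:00Z",
        "operationName": "Add user",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "targetResources": [{"userPrincipalName": "dave@example.test",
                             "modifiedProperties": []}],
    },
]


def _decode(value):
    """oldValue/newValue are JSON-encoded strings ('"abc"', '[]' or None).
    Return the decoded value, with empty markers normalised to None."""
    if value in (None, "", "[]"):
        return None
    try:
        decoded = json.loads(value)
    except (TypeError, ValueError):
        return value  # not JSON; keep the raw string
    return None if decoded in ([], "") else decoded


def _actor(record):
    """Identify who initiated the change: a user principal or an application."""
    init = record.get("initiatedBy") or {}
    if init.get("user"):
        return init["user"].get("userPrincipalName", "unknown-user")
    if init.get("app"):
        return init["app"].get("displayName", "unknown-app")
    return "unknown"


def source_anchor_changes(records):
    """Return one finding per target user whose SourceAnchor was effectively
    changed by an 'Update user' operation, the event this analytic keys on."""
    findings = []
    for rec in records:
        if rec.get("operationName") != "Update user":
            continue
        for target in rec.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "SourceAnchor":
                    continue
                old = _decode(prop.get("oldValue"))
                new = _decode(prop.get("newValue"))
                if old == new:
                    continue  # attribute rewritten with the same value
                findings.append({
                    "time": rec.get("activityDateTime"),
                    "actor": _actor(rec),
                    "user": target.get("userPrincipalName"),
                    "old_source_anchor": old,
                    "new_source_anchor": new,
                    "first_set": old is None,  # initial population vs. replacement
                })
    return findings


if __name__ == "__main__":
    for finding in source_anchor_changes(SAMPLE_AUDIT_LOGS):
        print(finding)
```

The `first_set` flag separates an initial population of the attribute (which a sync client may legitimately perform) from the replacement of an existing anchor, which is the case a responder will want to triage first; the actor field gives the starting point for that investigation.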
Categories
  • Cloud
  • Azure
  • Identity Management
Data Sources
  • Logon Session
  • User Account
  • Active Directory
ATT&CK Techniques
  • T1098
Created: 2024-11-14