Azure AD External Guest User Invited

Splunk Security Content

Summary
This detection rule monitors invitations of external guest users in Azure Active Directory (Azure AD). It uses Azure AD AuditLogs to identify events with the operation 'Invite external user', which can indicate unauthorized access if the invitation feature is misused. When an external guest user is invited, the rule records the type of action, who initiated it, and the result of the operation. Monitoring this matters because inviting guests grants external identities access to internal resources; if attackers abuse this functionality, it can lead to data breaches or further exploitation of the environment. The rule is implemented in Splunk and depends on Azure AD AuditLogs events being ingested properly so that the specific operation names are searchable. Legitimate administrative invitations should be filtered out to reduce false positives.
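To show the selection logic the summary describes outside of Splunk, here is an added example (not the rule's own SPL or any Splunk Security Content code) that runs the same check in Python over a constructed batch of Azure AD AuditLogs events in the Azure Monitor export shape. The allowlist of administrative accounts and every account name are hypothetical; field names such as operationName, initiatedBy, targetResources and result follow the Azure AD audit log schema.

```python
import json

# Constructed sample of Azure AD AuditLogs events in the Azure Monitor export shape
# (operationName, result, initiatedBy, targetResources); all names are made up.
SAMPLE_AUDIT_LOG_JSON = """[
 {"activityDateTime": "2024-11-14T09:12:01Z", "operationName": "Invite external user", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "helpdesk.admin@contoso.example"}},
  "targetResources": [{"type": "User", "userPrincipalName": "vendor_partner.example#EXT#@contoso.example"}]},
 {"activityDateTime": "2024-11-14T09:30:44Z", "operationName": "Invite external user", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example"}},
  "targetResources": [{"type": "User", "userPrincipalName": "outsider_mail.example#EXT#@contoso.example"}]},
 {"activityDateTime": "2024-11-14T10:02:19Z", "operationName": "Add user", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example"}},
  "targetResources": [{"type": "User", "userPrincipalName": "new.hire@contoso.example"}]},
 {"activityDateTime": "2024-11-14T11:45:07Z", "operationName": "Invite external user", "result": "failure",
  "initiatedBy": {"app": {"displayName": "Provisioning Script"}},
  "targetResources": [{"type": "User", "userPrincipalName": "someone_mail.example#EXT#@contoso.example"}]}
]"""
SAMPLE_EVENTS = json.loads(SAMPLE_AUDIT_LOG_JSON)

# Hypothetical allowlist of accounts whose invitations are expected (the
# false-positive filter the summary calls for); tune per environment.
KNOWN_INVITING_ADMINS = frozenset({"helpdesk.admin@contoso.example"})


def initiator_of(event):
    # Azure AD records either a user or an app under initiatedBy.
    by = event.get("initiatedBy") or {}
    if by.get("user"):
        return by["user"].get("userPrincipalName", "unknown")
    if by.get("app"):
        return "app:" + by["app"].get("displayName", "unknown")
    return "unknown"


def find_guest_invites(events, allowed_initiators=KNOWN_INVITING_ADMINS):
    # Keep only 'Invite external user' operations not initiated by an allowlisted
    # admin; failed invites are kept too, since a refused invite is still signal.
    findings = []
    for ev in events:
        if ev.get("operationName") != "Invite external user":
            continue
        who = initiator_of(ev)
        if who.lower() in allowed_initiators:
            continue
        invited = [t.get("userPrincipalName") for t in ev.get("targetResources", [])
                   if t.get("type") == "User"]
        findings.append({"time": ev.get("activityDateTime"), "action": ev["operationName"],
                         "initiator": who, "invited": invited, "result": ev.get("result")})
    return findings
```

On the sample batch this yields two findings: the invitation sent by an ordinary user and the failed invitation attempted by an application, while the helpdesk admin's invitation and the unrelated 'Add user' operation are dropped.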
Categories
  • Cloud
  • Identity Management
  • Azure
Data Sources
  • User Account
  • Cloud Service
  • Active Directory
ATT&CK Techniques
  • T1136
  • T1136.003
Created: 2024-11-14