diff --git a/.gitignore b/.gitignore
index 00a055620..d324b0006 100644
--- a/.gitignore
+++ b/.gitignore
@@ -57,6 +57,9 @@ local_settings.py
 instance/
 .webassets-cache
 
+# MacOS Finder
+.DS_Store
+
 # Scrapy stuff:
 .scrapy
 
diff --git a/rules/cloud/azure/azure_app_credential_added.yml b/rules/cloud/azure/azure_app_credential_added.yml
new file mode 100644
index 000000000..0942ad419
--- /dev/null
+++ b/rules/cloud/azure/azure_app_credential_added.yml
@@ -0,0 +1,23 @@
+title: Added Credentials to Existing Application
+id: cbb67ecc-fb70-4467-9350-c910bdf7c628
+description: Detects when a new credential is added to an existing applcation. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.  
+author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
+date: 2022/05/26
+references:
+  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials
+logsource:
+  product: azure
+  service: auditlogs
+detection:
+  selection:
+    properties.message: 
+      - Update Application-Certificates and secrets management
+      - Update Service principal/Update Application
+  condition: selection
+falsepositives:
+  - When credentials are added/removed as part of the normal working hours/workflows
+level: high
+status: experimental
+tags: 
+  - attack.t1098
+  - attack.persistence