
User Added as Owner for Azure Service Principal

Elastic Detection Rules

Summary
This detection rule identifies when a user is added as an owner to an Azure service principal, which may indicate malicious activity. A service principal provides an application with the permissions needed to access resources in an Azure tenant, and an adversary could exploit this by adding themselves or another user as an owner to control access and permissions. The rule queries Azure audit logs to monitor successful operations related to adding owners to service principals. The investigation process involves reviewing the specific log entries, confirming the legitimacy of changes, and taking action against unauthorized changes to maintain security. The rule emphasizes proper incident response, including revocation of unauthorized changes and enhancement of monitoring for such activities.
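A minimal version of the check described above, added here as an illustration and not Elastic's own rule query: it filters constructed Azure audit-log events for successful "Add owner to service principal" operations and reports who made the change and which resources it touched. The ECS-style field layout (event.dataset, event.outcome, azure.auditlogs.*) and the sample data are assumptions, not taken from the rule.

```python
# Added illustration of the detection logic summarised on this page; not the Elastic rule.
# Field layout (event.dataset, event.outcome, azure.auditlogs.*) is assumed, ECS-style.

OPERATION = "Add owner to service principal"  # Entra ID / Azure AD audit activity name

# Constructed sample events (not real audit data): one successful owner addition,
# one failed attempt, and one unrelated successful operation.
SAMPLE_EVENTS = [
    {"@timestamp": "2020-08-20T10:01:00Z",
     "event": {"dataset": "azure.auditlogs", "outcome": "success"},
     "azure": {"auditlogs": {"operation_name": OPERATION, "properties": {
         "initiated_by": {"user": {"userPrincipalName": "admin@example.com"}},
         "target_resources": [{"display_name": "billing-api", "type": "ServicePrincipal"},
                              {"display_name": "contractor@example.com", "type": "User"}]}}}},
    {"@timestamp": "2020-08-20T10:02:00Z",
     "event": {"dataset": "azure.auditlogs", "outcome": "failure"},
     "azure": {"auditlogs": {"operation_name": OPERATION, "properties": {
         "initiated_by": {"user": {"userPrincipalName": "intern@example.com"}},
         "target_resources": [{"display_name": "billing-api", "type": "ServicePrincipal"}]}}}},
    {"@timestamp": "2020-08-20T10:03:00Z",
     "event": {"dataset": "azure.auditlogs", "outcome": "success"},
     "azure": {"auditlogs": {"operation_name": "Add member to role", "properties": {
         "initiated_by": {"user": {"userPrincipalName": "admin@example.com"}},
         "target_resources": [{"display_name": "Global Reader", "type": "Role"}]}}}},
]


def is_sp_owner_added(event: dict) -> bool:
    """True when an Azure audit-log event records a *successful* owner addition
    to a service principal, which is the condition the rule is described as checking."""
    audit = event.get("azure", {}).get("auditlogs", {})
    return (
        event.get("event", {}).get("dataset") == "azure.auditlogs"
        and audit.get("operation_name") == OPERATION
        and event.get("event", {}).get("outcome", "").lower() == "success"
    )


def find_owner_additions(events):
    """One summary record per match: the who/what/when an analyst needs to confirm
    the change was authorised, or to revoke it if it was not."""
    hits = []
    for event in events:
        if not is_sp_owner_added(event):
            continue
        props = event["azure"]["auditlogs"].get("properties", {})
        actor = props.get("initiated_by", {}).get("user", {}).get("userPrincipalName", "unknown")
        targets = [t.get("display_name") for t in props.get("target_resources", [])]
        hits.append({"timestamp": event.get("@timestamp"), "actor": actor, "targets": targets})
    return hits


if __name__ == "__main__":
    for hit in find_owner_additions(SAMPLE_EVENTS):
        print(hit)
```

Only the first sample event matches: the failed attempt is excluded by the outcome check, and the role change by the operation name, so the rule's alerts are limited to completed ownership changes worth an analyst's review.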
Categories
  • Cloud
  • Azure
Data Sources
  • Web Credential
  • Logon Session
  • Active Directory
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1098
Created: 2020-08-20