
Summary
This detection rule identifies when a new owner is added to a Service Principal in Azure Active Directory (AD). Service Principals are non-human identities that applications use to access Azure resources. They do not support multi-factor authentication, which makes them attractive for misuse and potential privilege escalation. The rule uses Azure AD's AuditLog category events and specifically tracks the 'Add owner to application' operation. Each such assignment raises an alert for review, particularly when the initiator is someone other than the owner being added. An unexpected new owner signals possible manipulation of access permissions, which could give a malicious actor unauthorized access or persistence.
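The detection logic described above, run over a few constructed audit events, as an added example that is not part of the original rule. It assumes events shaped like Microsoft Graph directoryAudit records (activityDisplayName, initiatedBy, targetResources); the tenant, user and application names are made up.

```python
# Constructed sample events (not real log data). Field names follow the
# Microsoft Graph directoryAudit shape (activityDisplayName, initiatedBy.user,
# targetResources[]); every value here is made up for this example.
SAMPLE_EVENTS = [
    {   # admin adds a different user as owner: the case to review
        "activityDisplayName": "Add owner to application",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [
            {"type": "User", "userPrincipalName": "newowner@contoso.example"},
            {"type": "Application", "displayName": "billing-api"},
        ],
    },
    {   # a user adds themself: still alerts, but flagged as a self-assignment
        "activityDisplayName": "Add owner to application",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "Dev@contoso.example"}},
        "targetResources": [
            {"type": "User", "userPrincipalName": "dev@contoso.example"},
            {"type": "Application", "displayName": "ci-runner"},
        ],
    },
    {   # unrelated operation: must not alert
        "activityDisplayName": "Update application",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{"type": "Application", "displayName": "billing-api"}],
    },
]
def audit_events_to_alerts(events):
    """One alert per successful 'Add owner to application' event."""
    alerts = []
    for ev in events:
        if (ev.get("activityDisplayName") != "Add owner to application"
                or ev.get("result") != "success"):
            continue
        init = ev.get("initiatedBy", {})
        # initiator may be a user or an app; normalise to one lowercase label
        actor = (init.get("user", {}).get("userPrincipalName")
                 or init.get("app", {}).get("displayName") or "unknown").lower()
        targets = ev.get("targetResources", [])
        owners = [t["userPrincipalName"].lower() for t in targets
                  if t.get("type") == "User" and t.get("userPrincipalName")]
        apps = [t.get("displayName") for t in targets
                if t.get("type") in ("Application", "ServicePrincipal")]
        for owner in owners:   # actor_differs_from_owner marks the case to review
            alerts.append({"actor": actor, "new_owner": owner,
                           "application": apps[0] if apps else None,
                           "actor_differs_from_owner": actor != owner})
    return alerts
```

Case-folding the principal names avoids missing a self-assignment when the initiator and target UPNs differ only in case.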
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- Cloud Service
- Active Directory
ATT&CK Techniques
- T1098
Created: 2024-11-14