This detection rule monitors the transfer of document or folder ownership in Dropbox, aiming to identify unauthorized or unexpected ownership changes. It operates by analyzing logs for sharing events where a team member transfers ownership of a shared folder to either another team member or an external user. The rule is triggered when such a transfer occurs, particularly if the new owner's email domain does not match trusted domains, warranting further investigation or alerting security personnel. The rule includes checks on actor details, the shared folder involved, and the context of the ownership transfer event. Given the sensitive nature of file ownership in collaborative environments like Dropbox, the rule is categorized as high severity to indicate the importance of monitoring these events for potential security risks and compliance enforcement.