
Summary
This rule detects instances in which a user is granted admin privileges (the owner role) within a GitHub organization, which can pose a significant security risk if the grant is unauthorized. The detection focuses on audit log events in which a member's organization role changes to 'admin', since such a change can signal account compromise or privilege escalation. Because the owner role provides access to critical settings and data, each such grant should be scrutinized to confirm its legitimacy. The rule includes investigation guidelines for examining alerts, handling false positives, and carrying out a security response, which help mitigate the risk of unauthorized access to sensitive organizational data.
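The following is an added example, not part of the rule page, showing the detection logic described above applied to a handful of constructed GitHub organization audit log records. It assumes the audit log is consumed as newline-delimited JSON with an `action` of `org.update_member` and `permission` / `old_permission` fields carrying the new and previous organization role (field names follow the public GitHub audit log format as understood here, and should be checked against your own export). The `approved_actors` allowlist models the false-positive handling the rule's guidelines call for: grants made by a known provisioning identity are suppressed, everything else is raised.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, FrozenSet

# Constructed sample audit log (newline-delimited JSON). Timestamps are epoch
# milliseconds, organisation and user names are invented for this example.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"@timestamp": 1694419200000, "action": "org.update_member",
                "org": "example-org", "actor": "alice", "user": "bob",
                "old_permission": "read", "permission": "admin"}),
    json.dumps({"@timestamp": 1694419260000, "action": "org.update_member",
                "org": "example-org", "actor": "alice", "user": "carol",
                "old_permission": "admin", "permission": "read"}),   # demotion, not a grant
    json.dumps({"@timestamp": 1694419320000, "action": "repo.create",
                "org": "example-org", "actor": "bob", "repo": "example-org/new-repo"}),
    json.dumps({"@timestamp": 1694419380000, "action": "org.update_member",
                "org": "example-org", "actor": "svc-provisioning", "user": "dave",
                "old_permission": "read", "permission": "admin"}),
    "",                                                           # blank line, must be skipped
    "{not valid json",                                            # corrupt line, must be skipped
])


@dataclass(frozen=True)
class OwnerGrantAlert:
    """One alert per user newly granted the organization owner (admin) role."""
    timestamp: int
    org: str
    actor: str
    user: str
    previous_permission: str


def parse_audit_log(text: str) -> List[dict]:
    """Parse newline-delimited JSON, dropping blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt record must not stop the rest of the log from being scanned
    return events


def is_owner_grant(event: dict) -> bool:
    """True when an org membership change sets the role to admin from a lower role."""
    return (
        event.get("action") == "org.update_member"
        and event.get("permission") == "admin"
        and event.get("old_permission") != "admin"
    )


def detect_owner_grants(events: Iterable[dict],
                        approved_actors: FrozenSet[str] = frozenset()) -> List[OwnerGrantAlert]:
    """Return an alert for every owner-role grant not performed by an approved actor.

    approved_actors is an assumed allowlist of provisioning identities whose
    grants are expected (the rule's false-positive handling); it is empty by default.
    """
    alerts = []
    for event in events:
        if not is_owner_grant(event):
            continue
        if event.get("actor") in approved_actors:
            continue
        alerts.append(OwnerGrantAlert(
            timestamp=int(event.get("@timestamp", 0)),
            org=str(event.get("org", "")),
            actor=str(event.get("actor", "")),
            user=str(event.get("user", "")),
            previous_permission=str(event.get("old_permission", "")),
        ))
    return alerts


if __name__ == "__main__":
    for alert in detect_owner_grants(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{alert.timestamp} {alert.org}: {alert.actor} granted owner role to "
              f"{alert.user} (was {alert.previous_permission})")
```

Running the block on the sample log raises two alerts (bob and dave); passing `approved_actors=frozenset({"svc-provisioning"})` suppresses the second. Note that a demotion from admin and events of other action types are ignored, and that the allowlist keys on the acting identity, so a compromised provisioning account would still be invisible to this check and should be covered by a separate control on that account.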
Categories
- Cloud
- Web
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1098
- T1098.003
Created: 2023-09-11