New GitHub Owner Added

Elastic Detection Rules

Summary
The detection rule titled "New GitHub Owner Added" identifies when a new owner is added to a GitHub organization, a role that carries significant administrative privileges. Such an addition may indicate unauthorized account access or a compromise within the organization and warrants thorough investigation. The rule operates on GitHub audit logs, filtering for events whose action is 'org.add_member' and whose permission level is 'admin'. It is set to monitor changes made in the past nine months, reflecting the need for continuous oversight of sensitive roles. The investigation guide included with the rule lists the steps to validate the legitimacy of the newly added owner: checking the audit logs, verifying the user with HR or user-management systems, and reviewing the user's activity after the addition. The accompanying response plan advises revoking the privileges immediately if unauthorized access is confirmed and recommends enhanced monitoring of future owner-role changes. The rule helps maintain organizational security by flagging potentially harmful changes to user roles within GitHub. It is classified under the 'Persistence' tactic of the MITRE ATT&CK framework, linking it to broader threat scenarios involving account manipulation.
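As an added illustration of the rule's filter (example code written for this page, not Elastic's rule or its query), the following Python applies the same two conditions, action 'org.add_member' with permission 'admin', plus a lookback window, to a constructed set of GitHub audit-log lines. The field names (action, actor, user, org, permission, created_at) are assumed from GitHub's audit log export format, and all names and timestamps are made up.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of GitHub organization audit-log events, one JSON object per
# line, in the shape of GitHub's audit log export (action, actor, user, org,
# permission, created_at). Names and timestamps are made up for this example.
SAMPLE_AUDIT_LOG = """\
{"action": "org.add_member", "actor": "alice", "user": "bob", "org": "example-org", "permission": "read", "created_at": "2024-03-01T10:00:00Z"}
{"action": "org.add_member", "actor": "alice", "user": "mallory", "org": "example-org", "permission": "admin", "created_at": "2024-03-02T11:30:00Z"}
{"action": "org.update_member", "actor": "alice", "user": "carol", "org": "example-org", "permission": "admin", "created_at": "2024-03-03T09:15:00Z"}
{"action": "org.add_member", "actor": "dave", "user": "eve", "org": "example-org", "permission": "admin", "created_at": "2023-01-01T00:00:00Z"}
not valid json
"""

def parse_ts(value):
    """Parse an ISO-8601 timestamp; GitHub writes UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def detect_new_owners(jsonl_text, now_iso, lookback_days):
    """Return events where a member was added to an org with the admin (owner)
    permission inside the lookback window, keeping the fields an analyst needs
    first: who performed the action, who was added, which org, and when."""
    now = parse_ts(now_iso)
    window_start = now - timedelta(days=lookback_days)
    hits = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed export lines instead of aborting the run
        # The rule's two conditions: the member-add action and admin permission.
        if event.get("action") != "org.add_member":
            continue
        if event.get("permission") != "admin":
            continue
        created = event.get("created_at")
        if created is None or parse_ts(created) < window_start:
            continue  # outside the lookback window (or no timestamp to check)
        hits.append({"actor": event.get("actor"), "new_owner": event.get("user"),
                     "org": event.get("org"), "created_at": created})
    return hits

def run_example():
    """Evaluate the sample with a nine-month (270-day) lookback as of 2024-03-10."""
    return detect_new_owners(SAMPLE_AUDIT_LOG, "2024-03-10T00:00:00Z", 270)

if __name__ == "__main__":
    for hit in run_example():
        print(f"ALERT: {hit['actor']} added {hit['new_owner']} as owner of "
              f"{hit['org']} at {hit['created_at']}")
```

Only the 'mallory' event fires: the 'read' addition and the 'org.update_member' promotion fail the filter, and the older 'eve' addition falls outside the window.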
Categories
  • Cloud
  • Identity Management
  • Web
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1136
  • T1136.003
Created: 2023-09-11