
O365 New Management Role Assignment

Anvilogic Forge

Summary
This detection rule monitors for the assignment of new management roles within Office 365 environments. The rule uses Splunk queries to identify events where a new role is assigned to a user in a management group, which may indicate adversary activity aimed at achieving persistence in the environment. The indicators of interest are the user, the role assigned, the time of the assignment, and related metadata such as the source IP address and user agent, which can point to unauthorized access or privilege escalation. Because this behaviour is associated with the threat actor group Lapsus$, such changes may be used by attackers to maintain control over compromised accounts or to manage their malicious actions more effectively. The rule aggregates data from Office 365 audit logs, using the `get_cloud_data` and `get_cloud_data_o365` functions to pull the relevant event details. An essential part of this detection is ensuring that alerting is in place to notify security teams of suspicious role assignments, which may reveal exploitation of user accounts or weaknesses in identity management.
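The detection logic described above, shown as an added Python example rather than Anvilogic's Splunk rule. It assumes the Exchange admin-audit record shape exposed through the Office 365 Management Activity API (`Operation`, `UserId`, `ClientIP`, and cmdlet `Parameters` as Name/Value pairs) and flags the `New-ManagementRoleAssignment` and `Add-RoleGroupMember` operations; the sample audit lines, the `SENSITIVE_ROLES` list and the `UserAgent` extended property are constructed for this example.

```python
"""Flag Office 365 audit-log lines that assign a new management role.

Added example, not Anvilogic's rule. Assumes the Exchange admin-audit record
shape (Operation, UserId, ClientIP, Parameters as Name/Value pairs); all sample
records below are constructed.
"""
import json
from collections import Counter

# Exchange admin-audit operations that create a role assignment.
ROLE_ASSIGNMENT_OPERATIONS = {"New-ManagementRoleAssignment", "Add-RoleGroupMember"}

# Roles whose assignment should raise severity (illustrative list, an assumption).
SENSITIVE_ROLES = {"Organization Management", "Mailbox Import Export", "ApplicationImpersonation"}

# Constructed sample records, serialised to JSON lines as a log pipeline would hand them over.
_SAMPLE_RECORDS = [
    {
        "CreationTime": "2024-02-09T10:15:02",
        "Workload": "Exchange",
        "Operation": "New-ManagementRoleAssignment",
        "UserId": "admin@example.com",
        "ClientIP": "203.0.113.7",
        "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (constructed)"}],
        "Parameters": [
            {"Name": "Role", "Value": "Mailbox Import Export"},
            {"Name": "User", "Value": "svc-backup@example.com"},
        ],
    },
    {   # benign mailbox change: must not be flagged
        "CreationTime": "2024-02-09T10:16:40",
        "Workload": "Exchange",
        "Operation": "Set-Mailbox",
        "UserId": "admin@example.com",
        "ClientIP": "203.0.113.7",
        "Parameters": [{"Name": "Identity", "Value": "jdoe@example.com"}],
    },
    {
        "CreationTime": "2024-02-09T23:48:11",
        "Workload": "Exchange",
        "Operation": "Add-RoleGroupMember",
        "UserId": "admin@example.com",
        "ClientIP": "198.51.100.23",
        "Parameters": [
            {"Name": "Identity", "Value": "Organization Management"},
            {"Name": "Member", "Value": "new-admin@example.com"},
        ],
    },
    {
        "CreationTime": "2024-02-10T08:02:55",
        "Workload": "Exchange",
        "Operation": "New-ManagementRoleAssignment",
        "UserId": "helpdesk@example.com",
        "ClientIP": "203.0.113.40",
        "Parameters": [
            {"Name": "Role", "Value": "View-Only Recipients"},
            {"Name": "SecurityGroup", "Value": "Helpdesk Tier 1"},
        ],
    },
]
SAMPLE_AUDIT_LINES = [json.dumps(r) for r in _SAMPLE_RECORDS]


def _name_value_map(items):
    """Turn a list of {"Name": ..., "Value": ...} objects into a plain dict."""
    return {i.get("Name"): i.get("Value") for i in items or []}


def find_role_assignments(lines, sensitive_roles=SENSITIVE_ROLES):
    """Return one finding per role-assignment event, with the fields an analyst needs."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole run
        if rec.get("Operation") not in ROLE_ASSIGNMENT_OPERATIONS:
            continue
        params = _name_value_map(rec.get("Parameters"))
        ext = _name_value_map(rec.get("ExtendedProperties"))
        # New-ManagementRoleAssignment names the role in "Role"; Add-RoleGroupMember in "Identity".
        role = params.get("Role") or params.get("Identity")
        assignee = params.get("User") or params.get("SecurityGroup") or params.get("Member")
        findings.append({
            "time": rec.get("CreationTime"),
            "operation": rec.get("Operation"),
            "actor": rec.get("UserId"),
            "assignee": assignee,
            "role": role,
            "src_ip": rec.get("ClientIP"),
            "user_agent": ext.get("UserAgent"),  # present only on some record types
            "severity": "high" if role in sensitive_roles else "medium",
        })
    return findings


def assignments_per_actor(findings):
    """Aggregate findings by the account that performed the assignment."""
    return Counter(f["actor"] for f in findings)


if __name__ == "__main__":
    for f in find_role_assignments(SAMPLE_AUDIT_LINES):
        print(f"[{f['severity']}] {f['time']} {f['actor']} assigned {f['role']} "
              f"to {f['assignee']} from {f['src_ip']}")
    print(assignments_per_actor(find_role_assignments(SAMPLE_AUDIT_LINES)))
```

The per-actor aggregation is the piece to tune in practice: a single assignment by a known administrator during change windows is routine, while several assignments of sensitive roles from an unfamiliar source IP or outside business hours is the pattern worth paging on.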
Categories
  • Cloud
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1098
Created: 2024-02-09