
Slack Service Owner Transferred

Panther Rules

Summary
The "Slack Service Owner Transferred" rule detects the transfer of service ownership within a Slack workspace, which happens when the primary owner designates another user as the service owner. It fires on Slack audit-log entries whose action is 'service_owner_transferred', meaning the ownership change has already completed. Alongside the action, the rule surfaces contextual data: the actor (the user who initiated the transfer), the actor's IP address, the workspace location, and the user agent string. The detection condition is that the log entry's attributes match a service-owner transfer, so the rule identifies only this event and not other account changes; audit-log entries for user logout events are filtered out to avoid false positives. The rule carries a critical severity: an unexpected transfer of service ownership can indicate account manipulation and should be investigated promptly. It maps to several MITRE ATT&CK techniques covering defense evasion and persistence, reflecting the risk of unauthorized changes to account permissions and access controls.
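The logic described above, written as a Panther-style Python detection. This is an added example, not Panther's published rule source; it assumes the Slack audit-log entry is already parsed into a dict with the `action`, `actor`, `entity` and `context` fields of Slack's Audit Logs API, and the logout action name `user_logout` and the sample events are constructed for illustration.

```python
# Added example of a Panther-style detection for the Slack "service_owner_transferred"
# audit-log action. Not Panther's own rule code; field names follow Slack's Audit Logs
# API, and the logout action name and sample events below are constructed.

SERVICE_OWNER_TRANSFERRED = "service_owner_transferred"
# Assumed action name for Slack logout entries; these are excluded to avoid false positives.
LOGOUT_ACTIONS = {"user_logout"}


def _get(obj, *path, default=None):
    """Walk nested dicts safely: _get(event, "context", "ip_address")."""
    for key in path:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
    return default if obj is None else obj


def rule(event: dict) -> bool:
    """Alert when the audit-log entry records a completed service-owner transfer."""
    action = event.get("action")
    if action in LOGOUT_ACTIONS:
        return False
    return action == SERVICE_OWNER_TRANSFERRED


def actor_name(event: dict) -> str:
    """Actor detail: the user who initiated the transfer."""
    return _get(event, "actor", "user", "name", default="<unknown user>")


def title(event: dict) -> str:
    workspace = _get(event, "context", "location", "name", default="<unknown workspace>")
    return f"Slack service owner transferred by {actor_name(event)} in workspace {workspace}"


def alert_context(event: dict) -> dict:
    """Context an analyst wants when triaging an ownership change."""
    return {
        "actor": actor_name(event),
        "actor_email": _get(event, "actor", "user", "email"),
        "ip_address": _get(event, "context", "ip_address"),
        "workspace": _get(event, "context", "location", "name"),
        "workspace_domain": _get(event, "context", "location", "domain"),
        "user_agent": _get(event, "context", "ua"),
        "entity_type": _get(event, "entity", "type"),
    }


# Constructed sample events (not real audit-log data).
SAMPLE_TRANSFER = {
    "id": "constructed-event-1",
    "action": SERVICE_OWNER_TRANSFERRED,
    "actor": {"type": "user", "user": {"id": "U000000001", "name": "alice", "email": "alice@example.com"}},
    "entity": {"type": "workspace", "workspace": {"id": "T000000001", "name": "Example Workspace"}},
    "context": {
        "location": {"type": "workspace", "id": "T000000001", "name": "Example Workspace", "domain": "example"},
        "ua": "Mozilla/5.0 (constructed)",
        "ip_address": "203.0.113.10",
    },
}
SAMPLE_LOGOUT = {
    "id": "constructed-event-2",
    "action": "user_logout",
    "actor": {"type": "user", "user": {"id": "U000000002", "name": "bob", "email": "bob@example.com"}},
    "context": {"location": {"type": "workspace", "name": "Example Workspace"}, "ip_address": "203.0.113.11"},
}


def evaluate(event: dict) -> dict:
    """Run the rule end to end; returns what the detection would emit."""
    if not rule(event):
        return {"matched": False}
    return {"matched": True, "title": title(event), "context": alert_context(event)}


if __name__ == "__main__":
    for sample in (SAMPLE_TRANSFER, SAMPLE_LOGOUT):
        print(sample["action"], "->", evaluate(sample))
```

The logout exclusion is checked before the action comparison so the rule never matches a logout entry even if a log source reused the field; `alert_context` pulls exactly the attributes the summary names (actor, IP address, workspace location, user agent) so the alert is self-contained for triage.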
Categories
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1222
  • T1098
  • T1531
  • T0123
Created: 2022-09-02