
Summary
This detection rule identifies when a user is added as an owner of an Azure application, which can indicate unauthorized privilege escalation by an adversary. The rule monitors Azure audit logs for events in which an application owner is added, and the investigation centers on whether the operation and the accounts involved are legitimate. Investigating this type of alert involves reviewing the Azure audit logs for the specific operation, assessing the legitimacy of the user accounts, and confirming with the original application owner that the action was authorized. False positives can occur during routine IT activities, automated processes, organizational changes, or in development and testing environments; samples of legitimate actions can be excluded to fine-tune the detection. If unauthorized access is confirmed, rapid remediation actions such as revoking the added permissions and conducting a thorough review of the related logs are critical.
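As an added example (not code from the rule or its source), the following Python applies the rule's logic to a constructed set of audit records and supports the exclusion list of known-legitimate initiators that the summary describes. The record field names follow the Microsoft Graph directoryAudit shape and the activity name "Add owner to application" are assumptions, not taken from this page; all values are invented.

```python
ADD_OWNER_OPERATION = "Add owner to application"  # assumed Azure AD audit activity name

# Constructed sample audit records in the Microsoft Graph directoryAudit shape
# (field names assumed, every value invented for this example).
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2020-08-20T09:12:00Z", "activityDisplayName": ADD_OWNER_OPERATION,
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "j.doe@example.com"}},
     "targetResources": [{"type": "Application", "displayName": "payroll-api"},
                         {"type": "User", "userPrincipalName": "j.doe@example.com"}]},
    {"activityDateTime": "2020-08-20T09:15:00Z", "activityDisplayName": ADD_OWNER_OPERATION,
     "result": "failure",  # failed attempt: not flagged by the rule
     "initiatedBy": {"user": {"userPrincipalName": "j.doe@example.com"}},
     "targetResources": [{"type": "Application", "displayName": "hr-portal"}]},
    {"activityDateTime": "2020-08-20T09:20:00Z", "activityDisplayName": ADD_OWNER_OPERATION,
     "result": "success",  # routine deployment automation, excluded by the allowlist
     "initiatedBy": {"user": {"userPrincipalName": "svc-appdeploy@example.com"}},
     "targetResources": [{"type": "Application", "displayName": "ci-runner"},
                         {"type": "User", "userPrincipalName": "dev-lead@example.com"}]},
    {"activityDateTime": "2020-08-20T09:25:00Z", "activityDisplayName": "Update application",
     "result": "success",  # different operation: out of scope for this rule
     "initiatedBy": {"user": {"userPrincipalName": "j.doe@example.com"}},
     "targetResources": [{"type": "Application", "displayName": "payroll-api"}]},
]

def _target(record, kind, field):
    """Return one field of the first targetResources entry of the given type, or ''."""
    for t in record.get("targetResources", []):
        if t.get("type") == kind:
            return t.get(field, "")
    return ""

def detect_owner_additions(records, excluded_initiators=frozenset()):
    """Flag successful 'Add owner to application' events not initiated by an excluded account."""
    alerts = []
    for r in records:
        if r.get("activityDisplayName") != ADD_OWNER_OPERATION or r.get("result", "").lower() != "success":
            continue
        initiator = r.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "").lower()
        if initiator in excluded_initiators:
            continue  # exclusion built from confirmed-legitimate samples to reduce false positives
        new_owner = _target(r, "User", "userPrincipalName").lower()
        alerts.append({"timestamp": r["activityDateTime"], "initiator": initiator,
                       "application": _target(r, "Application", "displayName"),
                       "new_owner": new_owner,
                       # triage hint: an account making itself owner warrants closer review
                       "self_assigned": bool(initiator) and initiator == new_owner})
    return alerts

if __name__ == "__main__":
    for alert in detect_owner_additions(SAMPLE_AUDIT_LOG, {"svc-appdeploy@example.com"}):
        print(alert)
```

Each alert carries the initiator, the application and the new owner, which are the facts an analyst needs when confirming the change with the original application owner.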
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- User Account
- Cloud Service
- Application Log
ATT&CK Techniques
- T1098
Created: 2020-08-20