Windows AD Object Owner Updated

Splunk Security Content

Summary
This detection rule monitors changes to Active Directory (AD) object ownership through Windows Security Event ID 5136. Because the owner of an AD object holds full control over it, an ownership change is a critical audit event and can indicate an attempt to hide or manipulate AD objects. The rule's Splunk query uses regular-expression extraction to pull the previous and the new owner of the object from the attribute values recorded in the event, and additional lookup tables to resolve SIDs and identify groups, so that the users or groups involved are named clearly. The aim is to surface unauthorized ownership changes, which can precede security incidents, so that organizations can respond quickly to potentially malicious configuration changes.
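As an added illustration (not the rule's own SPL), the extraction-and-pairing logic the summary describes, written in Python over constructed Event 5136 records; the SID lookup, object DNs and descriptor values are hypothetical:

```python
import re
from collections import defaultdict

# Owner component of an SDDL string: "O:" then a SID or a two-letter alias (e.g. "DA").
OWNER_RE = re.compile(r"O:(S-1-[0-9-]+|[A-Z]{2})")

# Hypothetical SID lookup standing in for the rule's lookup tables (constructed values).
DA_SID, SVC_SID = "S-1-5-21-1111-2222-3333-512", "S-1-5-21-1111-2222-3333-1105"
SID_LOOKUP = {DA_SID: "CORP\\Domain Admins", SVC_SID: "CORP\\svc-backup"}

def make_5136(dn, op, owner, dacl, user, cid):
    """Build a constructed record shaped like the rendered fields of Event 5136."""
    return {"EventCode": "5136", "ObjectDN": dn, "AttributeLDAPDisplayName": "nTSecurityDescriptor",
            "OperationType": op, "AttributeValue": f"O:{owner}G:{DA_SID}{dacl}",
            "SubjectUserName": user, "CorrelationID": cid}

FULL = "D:(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
FIN, HR = "CN=Finance,OU=Groups,DC=corp,DC=example", "CN=HR,OU=Groups,DC=corp,DC=example"
# A descriptor change is logged as a "Value Deleted" / "Value Added" pair sharing a CorrelationID.
SAMPLE_EVENTS = [
    make_5136(FIN, "Value Deleted", DA_SID, FULL, "jdoe", "{c1}"),   # owner Domain Admins ...
    make_5136(FIN, "Value Added", SVC_SID, FULL, "jdoe", "{c1}"),    # ... becomes svc-backup
    make_5136(HR, "Value Deleted", DA_SID, FULL, "admin1", "{c2}"),  # DACL-only edit:
    make_5136(HR, "Value Added", DA_SID, "D:(A;;GA;;;DA)", "admin1", "{c2}"),  # owner unchanged
]

def owner_sid(sddl):
    """Return the owner SID or alias from an SDDL string, or None if absent."""
    m = OWNER_RE.search(sddl)
    return m.group(1) if m else None

def detect_owner_changes(events):
    """Pair both halves of each nTSecurityDescriptor change; report those whose O: differs."""
    pairs = defaultdict(dict)
    for e in events:
        if e.get("EventCode") == "5136" and e.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor":
            pairs[(e["ObjectDN"], e.get("CorrelationID"))][e["OperationType"]] = e
    findings = []
    for (dn, _), ops in pairs.items():
        old, new = ops.get("Value Deleted"), ops.get("Value Added")
        if old is None or new is None:
            continue  # only one half seen; cannot compare owners
        prev, curr = owner_sid(old["AttributeValue"]), owner_sid(new["AttributeValue"])
        if prev != curr:
            findings.append({"object": dn, "previous_owner": SID_LOOKUP.get(prev, prev),
                             "new_owner": SID_LOOKUP.get(curr, curr), "changed_by": new["SubjectUserName"]})
    return findings
```

Running `detect_owner_changes(SAMPLE_EVENTS)` reports only the Finance group, where the owner moved from Domain Admins to svc-backup; the HR edit changes the DACL but not the owner and is ignored.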
Categories
  • Windows
  • Identity Management
  • Endpoint
Data Sources
  • Windows Registry
  • Active Directory
  • Application Log
ATT&CK Techniques
  • T1484
  • T1222
  • T1222.001
Created: 2025-01-21