
Summary
Detects when a new SharePoint Site Administrator is added in Microsoft 365 by analyzing o365.audit events. The SiteCollectionAdminAdded action elevates a user to Site Administrator, granting full permissions across a SharePoint site. Compromised privileged accounts may abuse this to maintain persistence, access sensitive data, and facilitate data exfiltration or deployment of ransomware (as observed in 0mega). The rule looks for event.dataset:o365.audit with provider SharePoint or OneDrive, category web, action SiteCollectionAdminAdded, and outcome success. It uses fields such as user.id (actor), ModifiedProperties.SiteAdmin.NewValue (target admin), SiteUrl or url.original (targeted site), and TargetUserOrGroupName/Type for context. Investigate by correlating sign-in activity for the acting account, reviewing subsequent actions by the new admin (downloads, sharing, permission changes), and auditing Site Administrators across sites. Consider false positives such as routine admin changes, automated provisioning, or reorganizations. Remediation includes removing the unauthorized admin, rotating credentials, enforcing MFA, auditing admin lists, and implementing PAM/PIM for just-in-time elevation.
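The selection logic and triage fields described above, applied to ECS-style o365.audit events, as an added example that is not the rule's own query or any vendor code. The nested dict layout (event.*, user.id, url.original, o365.audit.*) and the sample events are assumptions constructed for illustration.

```python
def _get(event, path, default=None):
    cur = event                            # walk a dotted ECS path through nested dicts
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur

def is_site_admin_added(event):
    """True when the event satisfies the rule's selection criteria."""
    category = _get(event, "event.category") or []
    if isinstance(category, str):          # ECS allows a string or a list here
        category = [category]
    return (
        _get(event, "event.dataset") == "o365.audit"
        and _get(event, "event.provider") in ("SharePoint", "OneDrive")
        and "web" in category
        and _get(event, "event.action") == "SiteCollectionAdminAdded"
        and _get(event, "event.outcome") == "success"
    )

def triage_fields(event):
    """Pull out actor, new admin and targeted site for the investigation steps."""
    new_admin = _get(event, "o365.audit.ModifiedProperties.SiteAdmin.NewValue")
    if isinstance(new_admin, list):        # some exporters emit a list of values
        new_admin = ", ".join(new_admin)
    return {
        "actor": _get(event, "user.id"),
        "new_admin": new_admin,
        "site": _get(event, "o365.audit.SiteUrl") or _get(event, "url.original"),
        "target": _get(event, "o365.audit.TargetUserOrGroupName"),
        "target_type": _get(event, "o365.audit.TargetUserOrGroupType"),
    }

def find_site_admin_additions(events):
    return [triage_fields(e) for e in events if is_site_admin_added(e)]

# Constructed sample events (not real tenant data): one hit, one failed attempt, one out-of-scope provider.
SAMPLE_EVENTS = [
    {"event": {"dataset": "o365.audit", "provider": "SharePoint", "category": ["web"],
               "action": "SiteCollectionAdminAdded", "outcome": "success"},
     "user": {"id": "alice@example.com"},
     "url": {"original": "https://example.sharepoint.com/sites/finance"},
     "o365": {"audit": {"ModifiedProperties": {"SiteAdmin": {"NewValue": "bob@example.com"}},
                        "TargetUserOrGroupName": "bob@example.com",
                        "TargetUserOrGroupType": "Member"}}},
    {"event": {"dataset": "o365.audit", "provider": "SharePoint", "category": ["web"],
               "action": "SiteCollectionAdminAdded", "outcome": "failure"},
     "user": {"id": "alice@example.com"}},
    {"event": {"dataset": "o365.audit", "provider": "Exchange", "category": ["web"],
               "action": "SiteCollectionAdminAdded", "outcome": "success"},
     "user": {"id": "carol@example.com"}},
]
```

Only the first sample event is returned; the failed attempt and the Exchange event fall outside the rule's criteria, and the site falls back to url.original when SiteUrl is absent.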
Categories
- Cloud
- Identity Management
- Application
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1098
- T1098.003
Created: 2026-03-02