
Summary
This detection rule monitors the addition of members to an organization within an Auth0 environment. An unexpected membership change can indicate unauthorized or malicious activity, so the rule tracks events recorded with the type "organization_member_added" or the description "Successfully added member to organization", which may signal an attempt by an unauthorized individual to establish persistence. The Splunk search filters the authentication logs and builds a table of the fields needed to investigate an unexpected membership change: timestamps, user information, geographic location, and source IP addresses, all of which are useful when auditing organizational access controls. The detection maps to the MITRE ATT&CK technique for account manipulation, which gives context to the relevance of monitoring membership changes when maintaining the integrity of organizational access controls.
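The filtering step described above, written as a small Python script rather than the rule's own Splunk search (this is an added example, not code from the detection rule or from Auth0). It reads Auth0 tenant log events as JSON lines, keeps only those whose type or description matches the two indicators named above, and reduces each match to the investigation fields the rule tabulates. The field names `date`, `type`, `description`, `user_name`, `organization_name`, `ip` and `location_info` are assumptions about the log layout, and the sample events are constructed.

```python
"""Filter Auth0 log events for organization member additions.

Added example, not the detection rule's own Splunk logic. The field names used
below (date, type, description, user_name, organization_name, ip,
location_info) are assumptions about the exported log layout; the sample
events in SAMPLE_LOG are constructed for this example.
"""
import json

# The two indicators the detection rule keys on.
MEMBER_ADDED_TYPES = {"organization_member_added"}
MEMBER_ADDED_DESCRIPTIONS = {"Successfully added member to organization"}


def is_member_added(event):
    """True when the event carries either indicator of a member addition."""
    return (event.get("type") in MEMBER_ADDED_TYPES
            or event.get("description") in MEMBER_ADDED_DESCRIPTIONS)


def summarize(event):
    """Reduce a matching event to the columns an investigator needs."""
    location = event.get("location_info") or {}
    return {
        "time": event.get("date"),
        "user": event.get("user_name"),
        "organization": event.get("organization_name"),
        "city": location.get("city_name"),
        "country": location.get("country_code"),
        "src_ip": event.get("ip"),
    }


def detect(lines):
    """Run the filter over an iterable of JSON lines; return one row per hit.

    Malformed lines are skipped rather than aborting the search, so one bad
    record in an export cannot hide the events that follow it.
    """
    rows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_member_added(event):
            rows.append(summarize(event))
    return rows


# Constructed sample: a routine login, a member addition, a non-JSON line, and
# a second addition matched on description alone (IPs are documentation ranges).
SAMPLE_LOG = """
{"date": "2025-02-28T10:15:02.000Z", "type": "s", "description": "Success Login", "user_name": "alice@example.com", "ip": "203.0.113.5", "location_info": {"city_name": "Dublin", "country_code": "IE"}}
{"date": "2025-02-28T10:16:40.000Z", "type": "organization_member_added", "description": "Successfully added member to organization", "user_name": "alice@example.com", "organization_name": "acme", "ip": "203.0.113.10", "location_info": {"city_name": "Dublin", "country_code": "IE"}}
this line is not JSON
{"date": "2025-02-28T23:48:11.000Z", "type": "unknown", "description": "Successfully added member to organization", "user_name": "svc-admin@example.com", "organization_name": "acme", "ip": "198.51.100.77", "location_info": {"city_name": "Unknown", "country_code": "XX"}}
"""


if __name__ == "__main__":
    for row in detect(SAMPLE_LOG.splitlines()):
        print(row)
```

In a real deployment the rows would then be compared against an expected change record (ticket, change window, known administrator accounts); an addition from an unfamiliar user, location or source IP, or one made outside business hours, is what should drive triage.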
Categories
- Identity Management
- Cloud
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1098
Created: 2025-02-28