
MongoDB External User Invited

Panther Rules

Summary
This detection rule, 'MongoDB External User Invited', identifies cases where an external user has been invited to a MongoDB organization, which may indicate a security risk if not appropriately controlled. The rule analyzes invitations sent from the MongoDB platform and checks whether the invited user belongs to an approved list of domains. Invitation events are found in logs of MongoDB's OrganizationEvent type: the rule looks at the event type 'INVITED_TO_ORG' and the target username, each event being recorded with a timestamp. If the invited email address does not match any of the allowed domains, the rule triggers an alert. Maintaining domain verification is essential to guard against unauthorized external access and to stay compliant with the organization's security policies. The rule also includes threshold settings to control alerting sensitivity and a deduplication period that reduces the number of alerts generated within a given timeframe.
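The check described in the summary, as an added example that is not the Panther rule's source: it runs the allow-list comparison over constructed events, including look-alike domains and a missing address. The field names `eventTypeName` and `targetUsername`, the `ALLOWED_DOMAINS` value and the helper names are assumptions.

```python
# Added illustration, not Panther's rule source.
# Assumed field names: eventTypeName, targetUsername.
ALLOWED_DOMAINS = frozenset({"example.com"})  # placeholder allow-list (assumption)


def invited_domain(event):
    """Return the lower-cased domain of the invited address, or None if unusable."""
    username = event.get("targetUsername")
    if not isinstance(username, str) or "@" not in username:
        return None
    # Take the text after the last "@" and normalise case and a trailing dot.
    domain = username.rsplit("@", 1)[1].strip().rstrip(".").lower()
    return domain or None


def is_external_invite(event, allowed=ALLOWED_DOMAINS):
    """True when an INVITED_TO_ORG event targets an address outside the allow-list."""
    if event.get("eventTypeName") != "INVITED_TO_ORG":
        return False
    domain = invited_domain(event)
    # Exact match only: a suffix or substring test would accept look-alike domains.
    # An invitation with no parseable address alerts instead of passing silently.
    return domain is None or domain not in allowed


def flagged(events):
    """Return the invited usernames of the events that would raise an alert."""
    return [e.get("targetUsername") for e in events if is_external_invite(e)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"eventTypeName": "INVITED_TO_ORG", "targetUsername": "alice@example.com"},
    {"eventTypeName": "INVITED_TO_ORG", "targetUsername": "Bob@EXAMPLE.com"},
    {"eventTypeName": "INVITED_TO_ORG", "targetUsername": "carol@contractor.test"},
    {"eventTypeName": "INVITED_TO_ORG",
     "targetUsername": "dave@example.com.lookalike.test"},
    {"eventTypeName": "INVITED_TO_ORG", "targetUsername": "erin@notexample.com"},
    {"eventTypeName": "INVITED_TO_ORG"},  # address missing from the event
    {"eventTypeName": "SOME_OTHER_EVENT",  # constructed placeholder event type
     "targetUsername": "frank@contractor.test"},
]

if __name__ == "__main__":
    for name in flagged(SAMPLE_EVENTS):
        print("external invite:", name)
```

Alerting on an invitation with no parseable address is a design choice of this example; the summary does not say how the rule treats that case.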
Categories
  • Cloud
  • Database
Data Sources
  • User Account
  • Logon Session
  • Application Log
Created: 2023-06-26