
Summary
This detection rule monitors changes to identity provider (IDP) settings in MongoDB environments. Modifications to IDP configurations are privileged activities and critical points of interest during security audits. Attackers may manipulate these settings to establish persistence within an environment, which can lead to unauthorized access or identity theft. The rule matches specific log events, such as 'FEDERATION_SETTINGS_CREATED' and 'IDENTITY_PROVIDER_CREATED', to identify potentially malicious activity. The configuration includes automated logging of these events and deduplicates matches over a 60-minute window so that repeated changes to the same settings do not produce duplicate alerts. Alerts generated from this rule require further review to determine whether the changes were legitimate or indicative of a security breach, thereby supporting proactive incident response.
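The following is an added example, not the rule's own code, showing how the detection logic described above can be run over sample log records: a match on the two event types named in the summary, an alert title for the analyst, and a per-organization deduplication window of 60 minutes. The record field names (eventTypeName, created, orgId, username, remoteAddress) are assumed to follow the MongoDB Atlas event format, and the sample records themselves are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Event types named in the rule summary. Other IDP-related event names
# would be assumptions, so only these two are matched here.
IDP_CHANGE_EVENTS = {"FEDERATION_SETTINGS_CREATED", "IDENTITY_PROVIDER_CREATED"}

# Deduplication window stated in the rule summary.
DEDUP_WINDOW = timedelta(minutes=60)

# Constructed sample records (assumed Atlas event field names, invented values).
# Expected outcome: events 1, 4 and 5 alert; 2 is suppressed by dedup; 3 does not match.
SAMPLE_EVENTS = [
    {"eventTypeName": "IDENTITY_PROVIDER_CREATED", "created": "2024-04-09T10:00:00Z",
     "orgId": "org-a", "username": "admin@example.com", "remoteAddress": "203.0.113.10"},
    {"eventTypeName": "IDENTITY_PROVIDER_CREATED", "created": "2024-04-09T10:20:00Z",
     "orgId": "org-a", "username": "admin@example.com", "remoteAddress": "203.0.113.10"},
    {"eventTypeName": "CLUSTER_CREATED", "created": "2024-04-09T10:30:00Z",
     "orgId": "org-a", "username": "dev@example.com", "remoteAddress": "198.51.100.7"},
    {"eventTypeName": "FEDERATION_SETTINGS_CREATED", "created": "2024-04-09T11:15:00Z",
     "orgId": "org-a", "username": "admin@example.com", "remoteAddress": "203.0.113.10"},
    {"eventTypeName": "IDENTITY_PROVIDER_CREATED", "created": "2024-04-09T11:30:00Z",
     "orgId": "org-a", "username": "admin@example.com", "remoteAddress": "203.0.113.10"},
]


def parse_created(timestamp):
    """Parse the ISO-8601 UTC timestamp used by the sample records."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rule(event):
    """True when the record is one of the IDP settings change events."""
    return event.get("eventTypeName") in IDP_CHANGE_EVENTS


def dedup_key(event):
    """Group repeated changes by organization and event type."""
    return f"{event.get('orgId', 'unknown')}:{event.get('eventTypeName')}"


def title(event):
    """Analyst-facing alert title carrying who changed what, and from where."""
    return (f"MongoDB Atlas IDP settings changed: {event.get('eventTypeName')} "
            f"in org {event.get('orgId')} by {event.get('username')} "
            f"from {event.get('remoteAddress')}")


class Deduplicator:
    """Suppress repeat alerts for the same key inside the window.

    The window is anchored to the first alert for a key; suppressed events
    do not extend it, so a change 60 minutes or more after the last alert
    fires again.
    """

    def __init__(self, window=DEDUP_WINDOW):
        self.window = window
        self.last_fired = {}

    def should_alert(self, key, when):
        last = self.last_fired.get(key)
        if last is not None and when - last < self.window:
            return False
        self.last_fired[key] = when
        return True


def evaluate(events):
    """Run the rule over records in time order and return the alert titles fired."""
    dedup = Deduplicator()
    alerts = []
    for event in sorted(events, key=lambda e: parse_created(e["created"])):
        if not rule(event):
            continue
        if dedup.should_alert(dedup_key(event), parse_created(event["created"])):
            alerts.append(title(event))
    return alerts


if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
```

Keying the deduplication on organization plus event type means a FEDERATION_SETTINGS_CREATED event still alerts while an IDENTITY_PROVIDER_CREATED alert for the same organization is being suppressed; if a single alert per organization is preferred, drop the event type from the key. The username and source address in the title are what a reviewer needs first when deciding whether the change was an expected administrative action.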
Categories
- Cloud
- Database
- Infrastructure
Data Sources
- Logon Session
- Application Log
- Cloud Service
ATT&CK Techniques
- T1556
Created: 2024-04-09