
Summary
This detection rule monitors changes to the sign-in methods of Zoom accounts within an organization. It is triggered when a user modifies the account's sign-in methods, specifically by allowing users to sign in with third-party authentication options such as Google or Apple ID. The aim is to ensure that such modifications are legitimate and authorized, since unauthorized changes could indicate account compromise or policy violations. The rule records the relevant details: the action taken, the type of operation (account update), the individual who made the change, and the timestamp of the event. Its severity is medium, indicating a noteworthy change that should be reviewed promptly but does not require immediate escalation unless other suspicious behavior is observed. The rule also highlights a specific log statement indicating when an automatic sign-out feature was disabled, which is marked as a non-compliant action. The defined tests check the expected results for specific updates to the sign-in methods, so that organizations can verify whether changes are allowed and authorized.
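The detection logic described above, as an added Python example that is not the rule's own code: a Panther-style rule() run over constructed Zoom operation-log events. The field names (action, category_type, operation_detail, operator, time) and the "from Off to On" wording of the detail string are assumptions, not taken from the page.

```python
# Added example, not the detection rule's own code: a Panther-style rule() evaluated
# over constructed Zoom operation-log events. The field names (action, category_type,
# operation_detail, operator, time) and the "from Off to On" wording are assumptions.

THIRD_PARTY_METHODS = ("Google", "Apple ID")  # sign-in options the summary names


def rule(event: dict) -> bool:
    """True when an account update turns on a third-party sign-in method."""
    if event.get("action") != "Update" or event.get("category_type") != "Account":
        return False
    detail = event.get("operation_detail", "")
    # Only the sign-in-methods section, and only transitions that enable a method;
    # turning a method off, or unrelated security settings, does not fire.
    if "Sign in methods" not in detail or "from Off to On" not in detail:
        return False
    return any(f"sign in with {m}" in detail for m in THIRD_PARTY_METHODS)


def alert_context(event: dict) -> dict:
    """Details worth recording for review: who, what, when."""
    keys = ("operator", "time", "action", "category_type", "operation_detail")
    return {k: event.get(k, "<UNKNOWN>") for k in keys}


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"time": "2023-02-07T10:00:00Z", "operator": "admin@example.com", "action": "Update",
     "category_type": "Account",
     "operation_detail": "Sign in methods - Allow users to sign in with Google: from Off to On"},
    {"time": "2023-02-07T10:05:00Z", "operator": "admin@example.com", "action": "Update",
     "category_type": "Account",
     "operation_detail": "Sign in methods - Allow users to sign in with Apple ID: from Off to On"},
    {"time": "2023-02-07T10:10:00Z", "operator": "admin@example.com", "action": "Update",
     "category_type": "Account",
     "operation_detail": "Sign in methods - Allow users to sign in with Google: from On to Off"},
    {"time": "2023-02-07T10:15:00Z", "operator": "admin@example.com", "action": "Update",
     "category_type": "Account",
     "operation_detail": "Security - Automatically sign users out after a specified time: from On to Off"},
    {"time": "2023-02-07T10:20:00Z", "operator": "user@example.com", "action": "Add",
     "category_type": "User", "operation_detail": "Add user user2@example.com"},
]


def matching_operators(events: list) -> list:
    """Run the rule over a batch and return the operator of each hit."""
    return [alert_context(e)["operator"] for e in events if rule(e)]
```

Only the first two constructed events fire; the "On to Off" change, the automatic sign-out change and the unrelated user add are left alone.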
Categories
- Cloud
- Identity Management
- Web
Data Sources
- User Account
- Application Log
Created: 2023-02-07