
Summary
The rule 'Teleport.LocalUserLoginWithoutMFA' identifies local users who log into Gravitational Teleport without Multi-Factor Authentication (MFA). It inspects the audit log events that Teleport emits under the 'user.login' event type and determines whether an MFA device was used during authentication. A successful login by a local user (one authenticated against Teleport's own credential store rather than an external SSO provider) that records no MFA is flagged, so that security teams can enforce MFA for access to sensitive systems, which matters especially in environments subject to strict compliance requirements. Failed logins and logins through an external identity provider do not match the rule. The rule is assigned a high severity to prioritize response, and repeated alerts within a 60-minute window are deduplicated to avoid alert fatigue. The rule also carries a reference link to further guidance on Teleport management, and it is mapped to the MITRE ATT&CK framework under 'TA0001:T1078', the 'Valid Accounts' technique in the Initial Access tactic.
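As an added example, not part of the rule's published text or of Panther's or Teleport's own code, the following Python runs the detection logic described above over a handful of constructed Teleport audit events and applies the 60-minute deduplication window. The field names used (event, success, method, mfa_device, user, cluster_name, time) are assumed from Teleport's user.login audit event and should be checked against the schema of the Teleport version in use; the sample events are made up for the demonstration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit lines (not real logs). Field names follow Teleport's
# user.login audit event; treat them as assumptions to verify in your deployment.
SAMPLE_EVENTS = [
    # local login with a registered MFA device -> no alert
    '{"event":"user.login","success":true,"method":"local","user":"alice",'
    '"cluster_name":"prod","time":"2023-11-27T10:00:00Z",'
    '"mfa_device":{"mfa_device_name":"yubikey","mfa_device_type":"WebAuthn"}}',
    # local login, no MFA device recorded -> alert
    '{"event":"user.login","success":true,"method":"local","user":"bob",'
    '"cluster_name":"prod","time":"2023-11-27T10:05:00Z"}',
    # same user 30 minutes later -> suppressed by the 60-minute dedup window
    '{"event":"user.login","success":true,"method":"local","user":"bob",'
    '"cluster_name":"prod","time":"2023-11-27T10:35:00Z"}',
    # failed local login without MFA -> not a successful login, no alert
    '{"event":"user.login","success":false,"method":"local","user":"bob",'
    '"cluster_name":"prod","time":"2023-11-27T10:40:00Z","error":"invalid credentials"}',
    # SSO login: MFA is enforced by the identity provider, out of scope
    '{"event":"user.login","success":true,"method":"saml","user":"carol@example.com",'
    '"cluster_name":"prod","time":"2023-11-27T10:45:00Z"}',
    # bob again, 65 minutes after the first alert -> window expired, new alert
    '{"event":"user.login","success":true,"method":"local","user":"bob",'
    '"cluster_name":"prod","time":"2023-11-27T11:10:00Z"}',
    # unrelated event type -> ignored
    '{"event":"session.start","user":"bob","cluster_name":"prod",'
    '"time":"2023-11-27T11:11:00Z"}',
]

DEDUP_WINDOW = timedelta(minutes=60)


def parse(line: str) -> dict:
    """Parse one JSON audit line into a dict."""
    return json.loads(line)


def rule(event: dict) -> bool:
    """True for a successful login by a local user that records no MFA device.

    Each condition maps to one clause of the rule description: the event type
    must be user.login, the login must have succeeded, the auth method must be
    Teleport's local credential store, and no mfa_device object may be present.
    """
    return (
        event.get("event") == "user.login"
        and event.get("success") is True
        and event.get("method") == "local"
        and not event.get("mfa_device")
    )


def dedup_key(event: dict) -> str:
    """Group repeated alerts by cluster and user so one noisy account yields one alert."""
    return f"{event.get('cluster_name', '<UNNAMED_CLUSTER>')}:{event.get('user', '<UNKNOWN_USER>')}"


def title(event: dict) -> str:
    """Human-readable alert title carrying the user and cluster from the event."""
    return (
        f"User [{event.get('user', '<UNKNOWN_USER>')}] logged into "
        f"[{event.get('cluster_name', '<UNNAMED_CLUSTER>')}] locally without MFA"
    )


def event_time(event: dict) -> datetime:
    """Parse the RFC 3339 timestamp; the Z suffix is rewritten for older Pythons."""
    return datetime.fromisoformat(event["time"].replace("Z", "+00:00")).astimezone(timezone.utc)


def run(raw_lines, window: timedelta = DEDUP_WINDOW) -> list:
    """Apply the rule to each line and suppress repeats within the dedup window.

    The window is anchored at the first alert for a key, so a second matching
    login inside the window is dropped and a third one after it fires again.
    Returns the list of alert titles that would be raised.
    """
    first_alert_at: dict = {}
    alerts = []
    for line in raw_lines:
        event = parse(line)
        if not rule(event):
            continue
        ts = event_time(event)
        key = dedup_key(event)
        anchor = first_alert_at.get(key)
        if anchor is not None and ts - anchor < window:
            continue  # deduplicated: same user/cluster already alerted in this window
        first_alert_at[key] = ts
        alerts.append(title(event))
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts, both for bob: the 10:05 login and the 11:10 login, while the 10:35 repeat is absorbed by the window. Alice's MFA-backed login, the failed attempt and the SAML login never reach the dedup stage because rule() rejects them. The window here is anchored at the first alert rather than sliding, which is the behaviour a practitioner usually wants when suppressing a burst of logins from one account.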
Categories
- Cloud
- Linux
- Identity Management
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1078
- T1000
Created: 2023-11-27