
Summary
This detection rule monitors configuration changes in MongoDB Atlas organizations, specifically the organization-level setting that requires calls to the Atlas Administration API to originate from an IP address on the organization's API access list. While that setting is enabled, every Administration API call made on behalf of the organization must come from a listed IP address; API keys that leak or are abused from an unlisted network are rejected. The rule, identified as 'MongoDB org membership restriction disabled', fires when this requirement is turned off, which leaves the organization's Administration API reachable from any IP address and relies on API key secrecy alone. The rule ships with tests covering both cases (access list still required: no alert; access list no longer required: alert), and the alert records the acting user and organization identifiers from the Atlas event so the change can be investigated. The accompanying runbook asks the responder to confirm with the actor that the change was intended and, if it was not, to re-enable the IP access list requirement for the Atlas Administration API and review API activity from the time the restriction was disabled.
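The detection logic described above, as an added example written for this page rather than the rule's own source. It is modelled on the Panther rule structure (a `rule()` predicate plus `title()` and `alert_context()` helpers) and runs over a few constructed Atlas organization events. The `eventTypeName` values `ORG_PUBLIC_API_ACCESS_LIST_NOT_REQUIRED` and `ORG_PUBLIC_API_ACCESS_LIST_REQUIRED`, and the field names `username`, `orgId` and `remoteAddress`, are assumptions about the Atlas event shape and are not confirmed by this page.

```python
"""Illustrative detection for the 'MongoDB org membership restriction disabled' rule.

Added example, not the rule's own code. Event type names and field names are
assumptions modelled on MongoDB Atlas organization events.
"""
from typing import Dict, List

# Assumed Atlas organization event types (not confirmed by the page).
ACCESS_LIST_NOT_REQUIRED = "ORG_PUBLIC_API_ACCESS_LIST_NOT_REQUIRED"
ACCESS_LIST_REQUIRED = "ORG_PUBLIC_API_ACCESS_LIST_REQUIRED"


def rule(event: Dict) -> bool:
    """Fire only when the org-level API IP access-list requirement was disabled.

    Re-enabling the requirement is a benign, recovery-type event and must not alert.
    """
    return event.get("eventTypeName") == ACCESS_LIST_NOT_REQUIRED


def title(event: Dict) -> str:
    """Alert title carrying the actor and the affected organization."""
    user = event.get("username", "<UNKNOWN USER>")
    org = event.get("orgId", "<UNKNOWN ORG>")
    return (
        f"MongoDB Atlas: [{user}] disabled the IP access list requirement "
        f"for the Atlas Administration API in org [{org}]"
    )


def alert_context(event: Dict) -> Dict:
    """Fields a responder needs to follow the runbook: who, which org, from where, when."""
    keys = ("id", "created", "eventTypeName", "username", "orgId", "remoteAddress")
    return {k: event.get(k) for k in keys}


def run(events: List[Dict]) -> List[Dict]:
    """Evaluate a batch of events and return one alert record per matching event."""
    return [
        {"title": title(e), "context": alert_context(e)} for e in events if rule(e)
    ]


# Constructed sample events (not real Atlas data). The first should alert, the
# other two must not: one re-enables the restriction, one is unrelated noise.
SAMPLE_EVENTS = [
    {
        "id": "evt-0001",
        "created": "2024-04-09T10:15:00Z",
        "eventTypeName": ACCESS_LIST_NOT_REQUIRED,
        "username": "alice@example.com",
        "orgId": "5f0a1b2c3d4e5f6a7b8c9d0e",
        "remoteAddress": "203.0.113.10",
    },
    {
        "id": "evt-0002",
        "created": "2024-04-09T10:20:00Z",
        "eventTypeName": ACCESS_LIST_REQUIRED,
        "username": "alice@example.com",
        "orgId": "5f0a1b2c3d4e5f6a7b8c9d0e",
        "remoteAddress": "203.0.113.10",
    },
    {
        "id": "evt-0003",
        "created": "2024-04-09T10:25:00Z",
        "eventTypeName": "ORG_API_KEY_CREATED",
        "username": "bob@example.com",
        "orgId": "5f0a1b2c3d4e5f6a7b8c9d0e",
        "remoteAddress": "198.51.100.7",
    },
]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert["title"])
        print(alert["context"])
```

The three sample events mirror the rule's own should-fire / should-not-fire test split: only the event that switches the requirement off produces an alert, and the alert context carries the actor, organization and source address needed to decide whether the change was authorized.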
Categories
- Cloud
- Web
- Database
Data Sources
- User Account
- Application Log
- Network Traffic
ATT&CK Techniques
- T1556.009
Created: 2024-04-09