Snyk System SSO Settings Changed

Panther Rules

Summary
This rule detects changes to Snyk Single Sign-On (SSO) settings within an organization. It matches log events with the event type 'group.sso.edit', which indicates that an SSO setting was changed. The rule is designed to identify only the legitimate changes initiated by the Snyk support team, as noted in the documentation reference. It uses a deduplication period of 60 minutes, so the same event does not generate multiple alerts within that timeframe. Monitoring SSO settings matters because unauthorized changes to user authentication mechanisms could lead to unauthorized access.
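The matching and 60-minute deduplication described above, sketched as an added example (not the rule's actual source). The record field names (`event`, `groupId`, `userId`, `created`), the per-group dedup key and the sample records are assumptions made for illustration.

```python
from datetime import datetime, timedelta

SSO_EDIT_EVENT = "group.sso.edit"      # event type named in the summary
DEDUP_PERIOD = timedelta(minutes=60)   # deduplication period named in the summary

# Constructed sample audit records; field names are assumed, not taken from the page.
SAMPLE_EVENTS = [
    {"event": "group.sso.edit", "groupId": "g-1", "userId": "u-7", "created": "2023-03-22T10:00:00Z"},
    {"event": "group.sso.edit", "groupId": "g-1", "userId": "u-7", "created": "2023-03-22T10:40:00Z"},
    {"event": "org.user.add",   "groupId": "g-1", "userId": "u-7", "created": "2023-03-22T10:41:00Z"},
    {"event": "group.sso.edit", "groupId": "g-2", "userId": "u-9", "created": "2023-03-22T10:45:00Z"},
    {"event": "group.sso.edit", "groupId": "g-1", "userId": "u-7", "created": "2023-03-22T11:05:00Z"},
    {"groupId": "g-1", "userId": "u-7", "created": "2023-03-22T11:06:00Z"},  # no event field
]


def is_sso_change(record):
    """True only for the SSO edit event; records without an event never match."""
    return record.get("event") == SSO_EDIT_EVENT


def dedup_key(record):
    """Group alerts per Snyk group (assumed key), so one group cannot mask another."""
    return f"{record.get('groupId', '<UNKNOWN_GROUP>')}:{SSO_EDIT_EVENT}"


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def alerts_for(records):
    """Return one alert per dedup key per 60-minute window, counting folded events."""
    open_alert = {}  # dedup key -> (window start, alert)
    alerts = []
    for rec in sorted(records, key=lambda r: parse_ts(r["created"])):
        if not is_sso_change(rec):
            continue
        key, ts = dedup_key(rec), parse_ts(rec["created"])
        current = open_alert.get(key)
        if current and ts - current[0] < DEDUP_PERIOD:
            current[1]["events"] += 1  # same window: fold into the existing alert
            continue
        alert = {"key": key, "first_seen": rec["created"],
                 "actor": rec.get("userId"), "events": 1}
        open_alert[key] = (ts, alert)
        alerts.append(alert)
    return alerts
```

The window here is fixed from the first matching event, so a change 65 minutes after the first one raises a new alert even if another change was folded in between.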
Categories
  • Cloud
  • Application
  • Identity Management
Data Sources
  • Snapshot
  • Application Log
Created: 2023-03-22