
Wiz Rule Change

Panther Rules

Summary
The Wiz Rule Change detection monitors the creation, update, and deletion of Wiz rules and alerts on changes that were not authorized or intended. Because Wiz rules govern what the platform flags and enforces, an attacker who can silently modify or delete them can blind the runtime security configuration, so the rule exists to preserve the integrity of that configuration. The detection operates on events logged under the 'Wiz.Audit' log type, and its test cases cover both successful and unsuccessful rule-change attempts.

When a change is detected, the runbook advises verifying whether it was pre-approved. If the change was unplanned, revert it and review the privileges assigned to the account that made it, so the same account cannot repeat the change.

The rule carries a medium severity, reflecting the potential impact of an unauthorized change, uses a 60-minute deduplication period, and fires on a single rule-change event (threshold of one) so that administrators are notified promptly. Its MITRE ATT&CK mapping, T1562.001 (Impair Defenses: Disable or Modify Tools), places this activity under the Defense Evasion tactic, which is the appropriate framing for an adversary tampering with security tooling configuration.
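The following is an added, illustrative Panther-style rule that shows how the logic described above fits together in Python: a `rule()` entry point that matches successful create/update/delete actions, a `title()` and `dedup()` key, a fixed medium severity, and an `alert_context()` carrying what an analyst needs for the runbook's pre-approval check. It is not Panther's published Wiz Rule Change rule, and every Wiz.Audit field name and action value it uses (`action`, `status`, `user.email`, `sourceIP`, `actionParameters.ruleId`, the `CreateRule`/`UpdateRule`/`DeleteRule` values) is an assumption made for the example. The choice to alert only on successful changes is also the example's own; the page only states that its tests cover both outcomes.

```python
"""Added example of a Panther-style Python rule for Wiz rule changes.

Illustrative only: this is not the published Panther "Wiz Rule Change" rule, and the
Wiz.Audit field names and action values below are assumptions, not taken from the page.
"""
from typing import Any, Dict, List

# Assumed Wiz.Audit action names for rule create/update/delete.
RULE_CHANGE_ACTIONS = {"CreateRule", "UpdateRule", "DeleteRule"}


def deep_get(event: Dict[str, Any], *keys: str, default: Any = None) -> Any:
    """Walk nested dict keys, returning default if any level is missing."""
    cur: Any = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def wiz_success(event: Dict[str, Any]) -> bool:
    """Assumed outcome field: only a status of SUCCESS counts as an applied change."""
    return event.get("status") == "SUCCESS"


def rule(event: Dict[str, Any]) -> bool:
    """Panther entry point: True when a Wiz rule was successfully created, updated or deleted."""
    return wiz_success(event) and event.get("action") in RULE_CHANGE_ACTIONS


def title(event: Dict[str, Any]) -> str:
    """Alert title naming the action and the actor."""
    actor = deep_get(event, "user", "email", default="<unknown>")
    return f"[Wiz] rule {event.get('action')} performed by {actor}"


def dedup(event: Dict[str, Any]) -> str:
    """Dedup key: one alert per actor and action within the dedup period (60 minutes on the page)."""
    actor = deep_get(event, "user", "email", default="<unknown>")
    return f"{actor}:{event.get('action')}"


def severity(_event: Dict[str, Any]) -> str:
    """Fixed medium severity, matching the page's rule metadata."""
    return "MEDIUM"


def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    """Fields an analyst needs to verify whether the change was pre-approved."""
    return {
        "actor": deep_get(event, "user", "email"),
        "source_ip": event.get("sourceIP"),
        "action": event.get("action"),
        "rule_id": deep_get(event, "actionParameters", "ruleId"),
        "status": event.get("status"),
    }


def evaluate(events: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Run the rule over a batch of events, returning one alert record per match."""
    return [
        {"title": title(e), "dedup": dedup(e), "severity": severity(e)}
        for e in events
        if rule(e)
    ]


# Constructed sample events (shape assumed; not real Wiz logs):
# a successful create, a failed delete, and an unrelated login.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"action": "CreateRule", "status": "SUCCESS", "sourceIP": "203.0.113.10",
     "user": {"email": "alice@example.com"}, "actionParameters": {"ruleId": "rule-123"}},
    {"action": "DeleteRule", "status": "FAILED", "sourceIP": "203.0.113.11",
     "user": {"email": "bob@example.com"}, "actionParameters": {"ruleId": "rule-456"}},
    {"action": "Login", "status": "SUCCESS", "sourceIP": "203.0.113.12",
     "user": {"email": "carol@example.com"}},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Run over the three constructed events, only the successful `CreateRule` produces an alert; the failed `DeleteRule` and the login are ignored. In a real deployment the dedup period, severity and threshold live in the rule's YAML metadata, and the `dedup()` string decides which events collapse into one alert inside that window; keying it on actor plus action keeps a burst of edits by one user to a single alert without hiding a second user doing the same thing.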
Categories
  • Cloud
  • Infrastructure
Data Sources
  • WMI
  • Application Log
  • User Account
ATT&CK Techniques
  • T1562.001
Created: 2024-09-16