Panther SAML configuration has been modified

Panther Rules
Summary
The detection rule "Panther SAML configuration has been modified" monitors changes to Panther's SAML configuration, targeting unauthorized modifications that could indicate defense evasion. When a user updates the SAML settings, the rule looks for a successful audit log entry matching its criteria; the indicators it relies on come from the Panther.Audit log type. The rule fires when an update to the SAML configuration is recorded, which normally reflects a change made by an administrator. Because SAML settings control who can authenticate to Panther, an unauthorized modification could severely weaken the security posture of the deployment, so this is a high-priority rule. The rule also verifies that events in which the SAML settings are merely viewed do not raise an alert, keeping the alert scoped to actual changes in line with the principle of least privilege. When a modification is detected, administrators are prompted to confirm that the change was authorized, so that the environment remains under control.
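As an added illustration (not the rule's published source), the following Panther-style Python detection shows the logic the summary describes, run over constructed Panther.Audit events: it alerts only on a successful SAML settings update, and stays silent for a view of the settings or a failed update attempt. The action name `UPDATE_SAML_SETTINGS` and the fields `actionName`, `actionResult` and `actor.name` are assumptions about the Panther.Audit schema.

```python
# Added example of the detection logic; not the rule's own code.
# Assumed Panther.Audit field names: actionName, actionResult, actor.name.
SAML_UPDATE_ACTIONS = {"UPDATE_SAML_SETTINGS"}  # assumed action name


def rule(event: dict) -> bool:
    """Return True only for a *successful* SAML settings update.

    Views of the settings (a different actionName) and failed update
    attempts (actionResult != SUCCEEDED) do not trigger the alert.
    """
    return (
        event.get("actionName") in SAML_UPDATE_ACTIONS
        and event.get("actionResult") == "SUCCEEDED"
    )


def title(event: dict) -> str:
    """Alert title naming the actor, so reviewers can confirm authorization."""
    actor = event.get("actor", {}).get("name", "<unknown actor>")
    return f"Panther SAML configuration has been modified by {actor}"


def evaluate(events: list) -> list:
    """Run the rule over a batch of events and return the alert titles raised."""
    return [title(e) for e in events if rule(e)]


# Constructed sample events (not real log data).
SAML_UPDATED = {
    "actionName": "UPDATE_SAML_SETTINGS",
    "actionResult": "SUCCEEDED",
    "actor": {"name": "admin.user", "type": "USER"},
    "sourceIP": "203.0.113.10",
}
SAML_VIEWED = {
    "actionName": "GET_SAML_SETTINGS",
    "actionResult": "SUCCEEDED",
    "actor": {"name": "analyst.user", "type": "USER"},
}
SAML_UPDATE_FAILED = {
    "actionName": "UPDATE_SAML_SETTINGS",
    "actionResult": "FAILED",
    "actor": {"name": "admin.user", "type": "USER"},
}

if __name__ == "__main__":
    for alert in evaluate([SAML_UPDATED, SAML_VIEWED, SAML_UPDATE_FAILED]):
        print(alert)
```

A failed update attempt is deliberately excluded here, as in the summary; a deployment that wants visibility into repeated failed attempts would cover that with a separate, lower-severity rule rather than by loosening this one.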
Categories
  • Cloud
  • Web
  • Application
Data Sources
  • Application Log
ATT&CK Techniques
  • T1562
Created: 2022-09-02