A long-lived cert was created

Panther Rules

Summary
This rule flags the creation of long-lived certificates in Teleport. Certificates issued by Teleport are expected to be short-lived: the rule's default maximum period is one hour, and a certificate-creation event whose expiry lies further out than that raises an alert. The rule reads certificate-creation events from the Teleport audit log and compares each certificate's expiry time against the allowed duration. The accompanying test exercises a certificate created for longer than one hour and expects the rule to fire. A certificate that outlives the expected window may indicate abuse of certificate issuance or a misconfigured TTL, and it widens the period during which a stolen credential remains usable, which is why the rule is classified as medium severity. One caveat for operators: Teleport certificate lifetimes are governed by role configuration (for example `max_session_ttl`) and can be requested at login, so an environment that legitimately issues longer certificates should tune the threshold, or scope the rule to user certificates, rather than treat every hit as an incident.
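The check described above, written out as an added example rather than the rule's own code: it reconstructs the logic of the summary over a few constructed Teleport audit lines. Field names (`event`, `time`, `cert_type`, `identity.user`, `identity.expires`) follow Teleport's `cert.create` audit event as the author understands it and are assumptions; the one-hour ceiling is the default the summary states. The duration is measured from the event's own timestamp rather than from the time of evaluation, so a log line that arrives late does not change the verdict.

```python
import json
import re
from datetime import datetime, timedelta

# Ceiling from the summary: certificates valid for longer than one hour are
# flagged. Assumption: a deployment that legitimately issues longer certs
# (Teleport TTLs are set per role and at login) tunes this value.
MAX_ALLOWED_CERT_DURATION = timedelta(hours=1)

_TS = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)$")


def parse_teleport_time(value: str) -> datetime:
    """Parse an RFC3339 timestamp as Teleport writes it (UTC 'Z' suffix,
    possibly a nanosecond fraction) into a timezone-aware datetime."""
    m = _TS.match(value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac, tz = m.groups()
    frac = (frac or "0").ljust(6, "0")[:6]      # datetime keeps microseconds only
    tz = "+00:00" if tz == "Z" else tz
    return datetime.fromisoformat(f"{base}.{frac}{tz}")


def cert_duration(event: dict):
    """Lifetime of the certificate described by a cert.create event, or None
    when the event is not a cert.create or lacks either timestamp."""
    if event.get("event") != "cert.create":
        return None
    issued = event.get("time")
    expires = (event.get("identity") or {}).get("expires")
    if not issued or not expires:
        return None
    # Measure from the event's own timestamp, not from "now": the verdict
    # must not depend on how late the line reached the SIEM.
    return parse_teleport_time(expires) - parse_teleport_time(issued)


def rule(event: dict, max_duration: timedelta = MAX_ALLOWED_CERT_DURATION) -> bool:
    """True when the certificate outlives the allowed period."""
    duration = cert_duration(event)
    return duration is not None and duration > max_duration


def title(event: dict) -> str:
    """Alert title: who got a certificate, of what type, valid for how long."""
    identity = event.get("identity") or {}
    hours = cert_duration(event).total_seconds() / 3600
    return (f"Teleport: {event.get('cert_type', 'unknown')} certificate for "
            f"[{identity.get('user', '<unknown>')}] valid for {hours:.1f}h "
            f"(limit {MAX_ALLOWED_CERT_DURATION})")


# Constructed sample audit lines, not real Teleport output. alice's cert is a
# hair under one hour (nanosecond issue time), bob's is 24h, carol's is 53min,
# dave's line is not a cert event, and the host cert carries no expiry.
SAMPLE_AUDIT_LOG = """
{"event":"cert.create","time":"2023-11-27T10:00:00.123456789Z","cert_type":"user","identity":{"user":"alice","expires":"2023-11-27T11:00:00Z"}}
{"event":"cert.create","time":"2023-11-27T10:05:00Z","cert_type":"user","identity":{"user":"bob","expires":"2023-11-28T10:05:00Z"}}
{"event":"cert.create","time":"2023-11-27T10:07:00Z","cert_type":"user","identity":{"user":"carol","expires":"2023-11-27T11:00:00Z"}}
{"event":"user.login","time":"2023-11-27T10:08:00Z","user":"dave","success":true}
{"event":"cert.create","time":"2023-11-27T10:09:00Z","cert_type":"host","identity":{"user":"node-01"}}
"""


def flagged_users(audit_log: str = SAMPLE_AUDIT_LOG) -> list:
    """Run the rule over newline-delimited JSON and return the users whose
    certificates were flagged, in log order."""
    flagged = []
    for line in audit_log.strip().splitlines():
        event = json.loads(line)
        if rule(event):
            flagged.append((event.get("identity") or {}).get("user"))
    return flagged


if __name__ == "__main__":
    for raw in SAMPLE_AUDIT_LOG.strip().splitlines():
        ev = json.loads(raw)
        if rule(ev):
            print(title(ev))
```

Run stand-alone it prints one alert, for bob. The comparison is strictly greater-than, so a certificate issued for exactly the default period does not fire; events without an `identity.expires` field (host certificates in the sample) are skipped rather than treated as unbounded.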
Categories
  • Identity Management
  • Cloud
  • Kubernetes
Data Sources
  • User Account
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1098
Created: 2023-11-27