
A User from the company domain(s) Logged in without SAML

Panther Rules

Summary
This detection rule identifies logins by users from designated company domains that did not use SAML (Security Assertion Markup Language) for authentication. This matters because SAML lets an enterprise authenticate users through its identity provider against their corporate accounts, so a company-domain login that bypasses it may indicate that standard access controls have been sidestepped, which can lead to unauthorized access. The rule fires when a user login event is recorded in the Gravitational Teleport audit logs and the authentication method is not SAML, in particular when the login falls back to a weaker method such as local authentication. The rule is enabled, carries a high severity level, and operates on logs with the event code 'T1001I'. Such logins should be monitored closely, as they may indicate a security policy violation or a breach.
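The following is an added, illustrative Panther-style Python rule for the detection described above; it is not Panther's published rule and was written for this page. It assumes Teleport "user.login" audit events carry the fields event, success, method and user, keys on the event type rather than the numeric audit code, and uses example.com as a constructed placeholder for the company domain. The sample events are constructed, not captured from a real cluster.

```python
# Added example (not Panther's own rule): flag successful Teleport logins by
# company-domain users that used an authentication method other than SAML.
# Field names (event, success, method, user, code) are assumed to mirror the
# shape of Teleport "user.login" audit events.

COMPANY_DOMAINS = {"example.com"}  # constructed placeholder for the company domain(s)

# Constructed sample events for a stand-alone run (not real audit data).
SAMPLE_EVENTS = [
    {"event": "user.login", "code": "T1001I", "success": True,
     "method": "local", "user": "alice@example.com"},          # should fire
    {"event": "user.login", "code": "T1001I", "success": True,
     "method": "saml", "user": "bob@example.com"},             # SAML: fine
    {"event": "user.login", "code": "T1001I", "success": True,
     "method": "local", "user": "contractor@vendor.example"},  # not a company domain
    {"event": "user.login", "code": "T1000W", "success": False,
     "method": "local", "user": "alice@example.com"},          # failed login: ignore
    {"event": "session.start", "code": "T2000I", "user": "alice@example.com"},  # wrong event type
]


def user_domain(user: str) -> str:
    """Return the lower-cased domain part of a user name, or "" if it has none."""
    _, sep, domain = user.rpartition("@")
    return domain.lower() if sep else ""


def rule(event: dict) -> bool:
    """Return True when a successful login by a company-domain user did not use SAML."""
    if event.get("event") != "user.login":
        return False
    if not event.get("success"):
        return False  # failed attempts are out of scope for this rule
    if str(event.get("method", "")).lower() == "saml":
        return False
    return user_domain(str(event.get("user", ""))) in COMPANY_DOMAINS


def title(event: dict) -> str:
    """Alert title in the style of a Panther rule's title() function."""
    return (f"User [{event.get('user')}] logged in to Teleport via "
            f"[{event.get('method')}] instead of SAML")


def run(events: list) -> list:
    """Evaluate the rule over a batch of events and return the alert titles."""
    return [title(e) for e in events if rule(e)]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample event produces an alert: the SAML login, the login from a non-company domain, the failed local login and the non-login event are all passed over. Lower-casing the domain and the method avoids misses on mixed-case input, and gating on success keeps failed attempts from being reported as bypasses.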
Categories
  • Identity Management
  • Cloud
  • Infrastructure
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1562
  • T1001
Created: 2023-12-04