MongoDB user was created or deleted

Panther Rules

Summary
This detection rule monitors the creation and deletion of user accounts within MongoDB organizations. Adding or removing a user is often a legitimate administrative action, but the same events can also be the trace of an account takeover or of unauthorized access if the change was not authorized and vetted, so the rule surfaces every such change for review.

The rule inspects the MongoDB Organization Events log type and matches on the event types `JOINED_ORG` (a user was added to the organization) and `REMOVED_FROM_ORG` (a user was removed from it). It triggers on each matching event that arrives within the configured evaluation period, giving analysts continuous oversight of user management activity.

Alerts are raised at medium severity: analysts are advised to confirm with the responsible administrator that the change was intended, identify the actor and the affected account, and investigate further if the change cannot be accounted for.
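As an added example (not the Panther rule's own source), the detection logic below is written in the Panther Python rule style and run over a few constructed MongoDB organization events. The field names `eventTypeName`, `username`, `targetUsername` and `orgId` are assumptions about the log schema, not taken from the page.

```python
# Added example, not Panther's published rule. Panther-style detection for
# MongoDB organization membership changes. Field names (eventTypeName,
# username, targetUsername, orgId) are assumed, not confirmed by the page.

USER_CHANGE_EVENTS = {
    "JOINED_ORG": "joined",
    "REMOVED_FROM_ORG": "was removed from",
}


def rule(event):
    """Fire on a user being added to or removed from a MongoDB organization."""
    return event.get("eventTypeName") in USER_CHANGE_EVENTS


def title(event):
    """Alert title naming the affected account, the actor and the organization."""
    action = USER_CHANGE_EVENTS.get(event.get("eventTypeName"), "changed in")
    target = event.get("targetUsername", "<unknown user>")
    actor = event.get("username", "<unknown actor>")
    org = event.get("orgId", "<unknown org>")
    return f"MongoDB: user [{target}] {action} organization [{org}] by [{actor}]"


# Constructed sample events: two membership changes and one unrelated event
# that the rule must ignore.
SAMPLE_EVENTS = [
    {"eventTypeName": "JOINED_ORG", "username": "admin@example.com",
     "targetUsername": "new.dev@example.com", "orgId": "org-123"},
    {"eventTypeName": "REMOVED_FROM_ORG", "username": "admin@example.com",
     "targetUsername": "old.dev@example.com", "orgId": "org-123"},
    {"eventTypeName": "ORG_API_KEY_CREATED", "username": "admin@example.com",
     "orgId": "org-123"},
]


def run_detection(events):
    """Apply the rule to a batch of events and return the alert titles raised."""
    return [title(e) for e in events if rule(e)]


if __name__ == "__main__":
    for line in run_detection(SAMPLE_EVENTS):
        print(line)
```

Running the block prints one alert line for the join and one for the removal, and nothing for the API-key event.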
Categories
  • Cloud
  • Database
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Cloud Service
Created: 2024-04-09