
Summary
This detection rule monitors for a user exceeding a threshold of 100 folder permission changes within a one-hour period. Such a volume of changes can indicate unusual activity, such as privilege escalation attempts or misuse of access controls, that could lead to data exposure or unauthorized modifications. The rule is designed for Box events and uses a de-duplication period of 60 minutes so that repeated actions by the same user do not generate a stream of alerts for one burst. When an alert fires, the associated runbook advises investigating the user's activity to determine whether it aligns with expected behavior. This rule maps to the MITRE ATT&CK technique T1548, Abuse Elevation Control Mechanism.
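The following is an added example, not the rule's own implementation, showing the threshold-and-dedup logic the summary describes run over constructed Box-style events: a sliding one-hour window per user, an alert when the count exceeds 100, and a 60-minute suppression period per user. The event shape, the set of event types treated as folder permission changes (COLLABORATION_INVITE, COLLABORATION_ROLE_CHANGE, COLLABORATION_REMOVE) and all user names are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Box event types treated as folder permission changes. This mapping is an
# assumption for the example; the rule page names the behaviour, not the types.
PERMISSION_CHANGE_EVENTS = {
    "COLLABORATION_INVITE",
    "COLLABORATION_ROLE_CHANGE",
    "COLLABORATION_REMOVE",
}
THRESHOLD = 100                # alert when a user *exceeds* this many changes
WINDOW = timedelta(hours=1)    # sliding one-hour window
DEDUP = timedelta(minutes=60)  # suppress repeat alerts for the same user


def is_folder_permission_change(event):
    """True for collaboration changes whose target item is a folder."""
    return (event.get("event_type") in PERMISSION_CHANGE_EVENTS
            and event.get("source", {}).get("item_type") == "folder")


def detect_excessive_permission_changes(events):
    """Return one alert per (user, burst) as (login, alert_time, count_in_window)."""
    recent = defaultdict(deque)  # login -> timestamps inside the current window
    last_alert = {}              # login -> time of the last alert (dedup state)
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["created_at"])):
        if not is_folder_permission_change(ev):
            continue
        login = ev["created_by"]["login"]
        ts = datetime.fromisoformat(ev["created_at"])
        window = recent[login]
        window.append(ts)
        while ts - window[0] > WINDOW:  # drop events older than one hour
            window.popleft()
        if len(window) > THRESHOLD:
            prev = last_alert.get(login)
            if prev is None or ts - prev >= DEDUP:
                last_alert[login] = ts
                alerts.append((login, ts, len(window)))
    return alerts


def make_event(login, ts, event_type="COLLABORATION_INVITE", item_type="folder"):
    # Constructed record loosely shaped like a Box enterprise event (assumed fields).
    return {
        "event_type": event_type,
        "created_at": ts.isoformat(),
        "created_by": {"type": "user", "login": login},
        "source": {"item_type": item_type, "item_id": "12345", "item_name": "Finance"},
    }


def build_sample_events():
    """Constructed sample: one bulk actor, one normal user, one steady user."""
    start = datetime(2022, 9, 2, 9, 0, tzinfo=timezone.utc)
    events = []
    # Burst 1: 150 folder changes, one every 10 seconds (25 minutes in total).
    for i in range(150):
        events.append(make_event("bulk.admin@example.com", start + timedelta(seconds=10 * i)))
    # Burst 2 by the same user two hours later, after the dedup period has expired.
    for i in range(120):
        events.append(make_event("bulk.admin@example.com",
                                 start + timedelta(hours=2, seconds=10 * i)))
    # Normal user: a handful of folder changes, never near the threshold.
    for i in range(5):
        events.append(make_event("normal.user@example.com", start + timedelta(minutes=3 * i)))
    # A file-level collaboration change: not a folder event, ignored by the rule.
    events.append(make_event("normal.user@example.com", start, item_type="file"))
    # Steady user: 200 changes spread over 24 hours, never more than ~9 per hour.
    for i in range(200):
        events.append(make_event("steady.user@example.com", start + timedelta(minutes=7.2 * i)))
    return events


def run_sample():
    return detect_excessive_permission_changes(build_sample_events())


if __name__ == "__main__":
    for login, when, count in run_sample():
        print(f"ALERT {when.isoformat()} {login}: {count} folder permission changes in 1h")
```

Running the sample yields exactly two alerts, both for the bulk actor: one at the 101st change of each burst. The remaining 49 changes of the first burst are absorbed by the 60-minute dedup period, the second burst alerts again because it starts after that period has passed, and the steady user never trips the rule despite making 200 changes in a day, which is the distinction the one-hour window is there to make.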
Categories
- Cloud
- Application
- Identity Management
Data Sources
- User Account
- Application Log
- Web Credential
ATT&CK Techniques
- T1548
Created: 2022-09-02