This detection rule monitors the creation or modification of roles within the Teleport access management system. It specifically tracks events where a role is created or altered, which can indicate changes in user permissions or access controls. As roles define the level of access granted to users within a system, unauthorized modifications may pose a security risk, leading to elevated privileges for specific users that could be exploited for unauthorized access. The rule is enabled and configured to trigger on events logged by the Gravitational Teleport Audit system, logging the relevant attributes such as event type, user, name of the role, and a unique identifier for the event. Organizations are expected to validate the legitimacy of newly created or modified roles based on the extracted information, ensuring robust access controls are maintained.