
Summary
This detection rule monitors MongoDB organization events for instances in which an external user is invited. It identifies events labeled 'INVITED_TO_ORG' and inspects the invited user's address in the log data to determine whether that user is internal (e.g., insider@company.com) or external (e.g., outsider@other.com) to the organization. The rule assigns a high severity to such events because an external party granted organization access could obtain unauthorized access or make configuration changes. With a deduplication period of 60 minutes, the rule suppresses repeated alerts for the same event.
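The detection logic described above, written out as an added example (this is not the rule's own source code). It assumes the MongoDB Atlas organization-event fields eventTypeName, targetUsername, username, orgId and created; the internal-domain list and the sample events are constructed for illustration, and the 60-minute deduplication is keyed on organization plus invitee so a repeated invite within the window does not re-alert.

```python
"""Flag MongoDB organization events of type INVITED_TO_ORG whose invited
user is outside the organization's own email domains, with a 60-minute
deduplication window.

Added example, not the original rule's source. Field names
(eventTypeName, targetUsername, username, orgId, created) are assumed to
match the MongoDB Atlas organization-event schema; INTERNAL_DOMAINS and
SAMPLE_EVENTS are constructed.
"""
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"company.com"}   # assumption: the org's own email domains
EVENT_TYPE = "INVITED_TO_ORG"
DEDUP_WINDOW = timedelta(minutes=60)


def email_domain(address):
    """Return the lower-cased domain of an email address, or None if malformed."""
    if not isinstance(address, str) or address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or not domain:
        return None
    return domain.lower()


def is_external_invite(event):
    """True when an INVITED_TO_ORG event targets a user outside INTERNAL_DOMAINS."""
    if event.get("eventTypeName") != EVENT_TYPE:
        return False
    domain = email_domain(event.get("targetUsername"))
    if domain is None:
        # Unparseable invitee address: surface it rather than silently drop it.
        return True
    return domain not in INTERNAL_DOMAINS


def dedup_key(event):
    """Alerts for the same invitee in the same org collapse within the window."""
    return f"{event.get('orgId')}:{str(event.get('targetUsername', '')).lower()}"


def severity(event):
    """The rule assigns HIGH severity to every match."""
    return "HIGH"


def title(event):
    return (f"MongoDB: external user [{event.get('targetUsername')}] was invited "
            f"to org [{event.get('orgId')}] by [{event.get('username')}]")


class Deduper:
    """Suppress repeat alerts for the same key within DEDUP_WINDOW."""

    def __init__(self):
        self._last_seen = {}

    def should_alert(self, key, when):
        last = self._last_seen.get(key)
        if last is not None and when - last < DEDUP_WINDOW:
            return False
        self._last_seen[key] = when
        return True


def run(events):
    """Evaluate a batch of events in order; return the alert titles that fire."""
    deduper = Deduper()
    alerts = []
    for ev in events:
        if not is_external_invite(ev):
            continue
        when = datetime.fromisoformat(ev["created"].replace("Z", "+00:00"))
        if deduper.should_alert(dedup_key(ev), when):
            alerts.append(title(ev))
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"eventTypeName": "INVITED_TO_ORG", "targetUsername": "insider@company.com",
     "username": "admin@company.com", "orgId": "org-1", "created": "2024-04-09T10:00:00Z"},
    {"eventTypeName": "INVITED_TO_ORG", "targetUsername": "outsider@other.com",
     "username": "admin@company.com", "orgId": "org-1", "created": "2024-04-09T10:05:00Z"},
    # Same invite 20 minutes later: inside the dedup window, suppressed.
    {"eventTypeName": "INVITED_TO_ORG", "targetUsername": "outsider@other.com",
     "username": "admin@company.com", "orgId": "org-1", "created": "2024-04-09T10:25:00Z"},
    # 61 minutes after the first alert: window expired, alerts again.
    {"eventTypeName": "INVITED_TO_ORG", "targetUsername": "outsider@other.com",
     "username": "admin@company.com", "orgId": "org-1", "created": "2024-04-09T11:06:00Z"},
    # Different event type: ignored by the rule.
    {"eventTypeName": "JOINED_ORG", "targetUsername": "outsider@other.com",
     "username": "admin@company.com", "orgId": "org-1", "created": "2024-04-09T11:10:00Z"},
]

if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS):
        print(line)
```

Running the block on the constructed batch produces two alerts for outsider@other.com (the repeat 20 minutes later is suppressed, the one after the window expires is not) and none for insider@company.com or the JOINED_ORG event.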
Categories
- Cloud
- Database
- Identity Management
Data Sources
- User Account
- Cloud Service
- Application Log
Created: 2024-04-09