
Summary
This detection rule identifies when a user from a different organization is added to the VMware Carbon Black environment, which can indicate a security threat or a breach of policy. It consumes Carbon Black audit logs and raises an alert when such an addition is detected, focusing on unauthorized account creation and user-management actions that could undermine the integrity of the organization's security infrastructure. The rule carries a high severity rating, reflecting the critical nature of unauthorized access attempts. It expects a specific log format: user-addition entries in which the added account has an external email address are flagged. To keep alert volume manageable, the rule uses a threshold of one occurrence and a de-duplication period of 60 minutes. It is mapped to the MITRE ATT&CK framework as TA0003:T1136, which places the detection in the context of broader threat scenarios.
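The detection logic described above, written out as an added example (not the rule's own code, and not Carbon Black's documented audit-log schema): the event fields `loginName`, `description` and `eventTime`, the `Added user:` description wording, and the `example.com` organization domain are all constructed assumptions. The example flags user-addition entries whose added account has a foreign email domain and applies the threshold-of-one, 60-minute de-duplication behaviour per added user.

```python
import re
from datetime import datetime, timedelta

# Assumed event shape (constructed for this example, not Carbon Black's documented
# schema): "loginName" is the acting admin, "description" is free text such as
# "Added user: alice@partner.example", "eventTime" is an ISO-8601 timestamp.
ADDED_USER_RE = re.compile(r"Added user:?\s*([\w.+-]+@[\w.-]+\.\w+)", re.IGNORECASE)
ORG_DOMAINS = {"example.com"}         # constructed: the organization's own email domains
DEDUP_WINDOW = timedelta(minutes=60)  # the rule's 60-minute de-duplication period

def email_domain(address):
    return address.rsplit("@", 1)[-1].lower()

def added_external_user(event, org_domains=ORG_DOMAINS):
    """Return the added account's email if the event adds a user from a foreign domain, else None."""
    match = ADDED_USER_RE.search(event.get("description", ""))
    if not match:
        return None
    added = match.group(1)
    return added if email_domain(added) not in org_domains else None

def run(events, org_domains=ORG_DOMAINS, window=DEDUP_WINDOW):
    """Evaluate audit events in order; return (actor, added_user, eventTime) for each alert.
    A repeat for the same added user inside `window` is suppressed (threshold 1, dedup 60 min)."""
    last_alert, alerts = {}, []
    for ev in events:
        added = added_external_user(ev, org_domains)
        if added is None:
            continue
        when = datetime.fromisoformat(ev["eventTime"])
        last = last_alert.get(added)
        if last is not None and when - last < window:
            continue  # still inside the de-duplication period for this user
        last_alert[added] = when
        alerts.append((ev.get("loginName"), added, ev["eventTime"]))
    return alerts

# Constructed sample audit events: an internal add (ignored), an external add that repeats
# inside the window (suppressed) and again after it (re-alerted), and an unrelated event.
SAMPLE_EVENTS = [
    {"loginName": "admin@example.com", "description": "Added user: bob@example.com", "eventTime": "2023-11-21T09:55:00+00:00"},
    {"loginName": "admin@example.com", "description": "Added user: eve@partner.example", "eventTime": "2023-11-21T10:00:00+00:00"},
    {"loginName": "admin@example.com", "description": "Added user: eve@partner.example", "eventTime": "2023-11-21T10:30:00+00:00"},
    {"loginName": "admin@example.com", "description": "Logged in successfully", "eventTime": "2023-11-21T10:45:00+00:00"},
    {"loginName": "admin@example.com", "description": "Added user: eve@partner.example", "eventTime": "2023-11-21T11:30:00+00:00"},
]

if __name__ == "__main__":
    for actor, added, when in run(SAMPLE_EVENTS):
        print(f"ALERT {when}: {actor} added external user {added}")
```

Running it on the sample events yields two alerts (10:00 and 11:30); the 10:30 repeat is absorbed by the de-duplication window.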
Categories
- Endpoint
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1136
Created: 2023-11-21