Tines SSO Settings

Panther Rules

Summary
The Tines SSO Settings detection rule is designed to monitor and identify any unauthorized changes made to the Single Sign-On (SSO) configuration settings within the Tines platform. The rule is set to a high severity level, indicating the potential impact of such changes on organizational security. The rule checks for specific log entries related to SSO configuration operations, especially the SsoConfigurationSamlSet operation, to determine if an unauthorized change has been attempted. If the SSO settings are modified, the system generates an alert based on the gathered logs, emphasizing critical attributes such as user_id, operation_name, tenant_id, and request_ip. The reference documentation provides additional context and guidelines on managing SSO within Tines, highlighting best practices for securing identity and access management (IAM). Additionally, the rule includes a deduplication period to prevent duplicate alerts for repeated changes within a specified timeframe.
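The logic described in the summary, sketched as an added example in the style of a Python detection (this is not the rule's published source). The `created_at` field, the 60-minute deduplication window, the dedup key and all sample events are assumptions constructed for illustration; only `SsoConfigurationSamlSet` and the four context fields come from the summary.

```python
from datetime import datetime, timedelta

# Operation named in the summary; other SSO operations would be added here.
SSO_OPERATIONS = {"SsoConfigurationSamlSet"}
DEDUP_WINDOW = timedelta(minutes=60)  # assumed; the page does not state the period
CONTEXT_FIELDS = ("user_id", "operation_name", "tenant_id", "request_ip")

def rule(event):
    """Match audit-log entries that change the SSO configuration."""
    return event.get("operation_name") in SSO_OPERATIONS

def alert_context(event):
    """Carry the attributes the summary calls out into the alert."""
    return {field: event.get(field, "<unknown>") for field in CONTEXT_FIELDS}

def dedup_key(event):
    """Group repeated changes by the same user in the same tenant (assumed key)."""
    return (event.get("tenant_id"), event.get("user_id"), event.get("operation_name"))

def evaluate(events):
    """Return one alert per dedup key per window, counting suppressed repeats."""
    alerts, open_alerts = [], {}
    for event in sorted(events, key=lambda e: e["created_at"]):
        if not rule(event):
            continue
        seen = datetime.fromisoformat(event["created_at"])
        current = open_alerts.get(dedup_key(event))
        if current and seen - current["first_seen"] < DEDUP_WINDOW:
            current["event_count"] += 1  # repeat inside the window: no new alert
            continue
        current = {"severity": "HIGH", "first_seen": seen, "event_count": 1,
                   "context": alert_context(event)}
        open_alerts[dedup_key(event)] = current
        alerts.append(current)
    return alerts

# Constructed sample audit-log entries (not real Tines output).
def _event(time, operation, user):
    return {"created_at": f"2023-05-18T{time}:00", "operation_name": operation,
            "user_id": user, "tenant_id": "1234", "request_ip": "192.0.2.10"}

SAMPLE_EVENTS = [
    _event("10:00", "ExampleOtherOperation", "17"),   # ignored: not an SSO change
    _event("10:05", "SsoConfigurationSamlSet", "17"),  # alert 1
    _event("10:20", "SsoConfigurationSamlSet", "17"),  # deduplicated into alert 1
    _event("10:30", "SsoConfigurationSamlSet", "42"),  # alert 2: different user
    _event("11:30", "SsoConfigurationSamlSet", "17"),  # alert 3: window expired
]
```

Because the rule matches every SSO configuration change, deciding whether a change was authorized is left to triage, where `user_id` and `request_ip` can be checked against an approved change record.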
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Cloud Service
Created: 2023-05-18