Snyk Role Change

Panther Rules

Summary
The Snyk.Role.Change detection rule identifies modifications to user roles within the Snyk platform, monitoring changes that may elevate access levels or modify permissions. It focuses in particular on the ADMIN role, a change to which is treated as critical severity. The rule tracks two log types: Snyk.GroupAudit and Snyk.OrgAudit. When a ServiceAccount's role transitions from a lower level (such as MEMBER) to ADMIN, the rule generates a high-priority alert. Downgrades are treated as medium severity, since they are still changes in access control that may have security implications. Alerts are deduplicated over a 60-minute period so that repeated events do not produce a flood of notifications. User role modifications are matched against specific criteria so that detections stay relevant without false positives. For more detail, see the Snyk documentation on managing user roles. The rule's outcome is determined by the specified log structures and the expected results of its defined test cases.
Categories
  • Cloud
  • Application
  • Identity Management
Data Sources
  • User Account
  • Application Log
Created: 2023-04-18