Okta Cleartext Passwords Extracted via SCIM Application

Panther Rules

Summary
This detection rule identifies potential extraction of cleartext user passwords from the Okta identity management platform through a System for Cross-domain Identity Management (SCIM) application. It monitors Okta logs for events that indicate administrative actions enabling password synchronization to a malicious SCIM application. If such an action succeeds, an attacker controlling the SCIM endpoint receives users' plaintext passwords, which poses a significant risk to the organization. The rule examines authentication and lifecycle update events to detect unauthorized password extraction and raises a high-severity alert when such actions are logged.
Categories
  • Identity Management
  • Cloud
  • Web
  • Application
Data Sources
  • Application Log
  • User Account
  • Logon Session
ATT&CK Techniques
  • T1556
Created: 2024-03-19