
New Okta Identity Provider (IdP) Added by Admin

Elastic Detection Rules

Summary
This detection rule monitors the creation of a new Identity Provider (IdP) in an Okta organization, an action that is normally performed by a Super Administrator or Organization Administrator. Adding an IdP is a sensitive change: an attacker who manages to register an IdP they control can use it to authenticate into the Okta org as federated users, which is why the rule maps to ATT&CK T1556 (Modify Authentication Process). Okta records each IdP creation as a System Log event, and the rule uses a KQL (Kibana Query Language) query over the ingested Okta logs to match IdP-creation events whose outcome is a success, so that every such change is surfaced for audit and investigation. When triaging an alert, review the actor who created the IdP, the client and device details of the session that issued the request, and the actor's recent history of actions, to judge whether the change is legitimate. False positives are expected when the addition was a planned, authorized change (for example, onboarding a new federation partner); confirm against change records before closing the alert. If the activity is unauthorized, deactivate the new IdP and the account that created it promptly to limit the window in which it can be used.
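The following is an added example, not the Elastic rule's own KQL query, that re-implements the filter the summary describes (IdP-creation event with a successful outcome) over a handful of constructed Okta System Log records and then assembles the triage context the summary asks for: the actor, the client IP and user agent, the IdP that was created, and the actor's other actions in the same batch. Field names follow the Okta System Log API shape (eventType, outcome.result, actor.alternateId, client, target); the identities, IP addresses and IdP names are invented. The example does not try to verify the actor's administrator role; treat that as a triage step.

```python
"""Added example (not Elastic's rule code): filter Okta System Log events for a
successful IdP creation and collect triage context for each match."""
import json
from collections import defaultdict

# Constructed sample events in Okta System Log API shape. All identities, IPs
# and IdP names are invented for this example.
SAMPLE_LOG = r"""
{"uuid":"e1","published":"2023-11-06T09:00:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice.admin@example.com","type":"User"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh)"}},"target":[]}
{"uuid":"e2","published":"2023-11-06T09:02:10.000Z","eventType":"system.idp.lifecycle.create","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice.admin@example.com","type":"User"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh)"}},"target":[{"type":"IdentityProvider","displayName":"Partner SAML IdP"}]}
{"uuid":"e3","published":"2023-11-06T09:03:00.000Z","eventType":"system.idp.lifecycle.create","outcome":{"result":"FAILURE","reason":"Insufficient permissions"},"actor":{"alternateId":"bob@example.com","type":"User"},"client":{"ipAddress":"198.51.100.7","userAgent":{"rawUserAgent":"python-requests/2.31"}},"target":[{"type":"IdentityProvider","displayName":"Test IdP"}]}
{"uuid":"e4","published":"2023-11-06T09:05:30.000Z","eventType":"system.idp.lifecycle.update","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice.admin@example.com","type":"User"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh)"}},"target":[{"type":"IdentityProvider","displayName":"Partner SAML IdP"}]}
"""

# Okta System Log event type emitted when an IdP is created.
IDP_CREATE = "system.idp.lifecycle.create"


def parse_log(text):
    """Parse newline-delimited JSON System Log records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matches_rule(event):
    """The rule's condition: an IdP-creation event whose outcome is SUCCESS.
    Failed attempts (e.g. insufficient permissions) are deliberately excluded."""
    return (event.get("eventType") == IDP_CREATE
            and event.get("outcome", {}).get("result") == "SUCCESS")


def build_alert(event, actor_history):
    """Collect the fields an analyst wants first: who, from where, and what."""
    client = event.get("client", {})
    idp_names = [t.get("displayName") for t in event.get("target", [])
                 if t.get("type") == "IdentityProvider"]
    return {
        "event_id": event.get("uuid"),
        "time": event.get("published"),
        "actor": event.get("actor", {}).get("alternateId", "<unknown>"),
        "source_ip": client.get("ipAddress"),
        "user_agent": client.get("userAgent", {}).get("rawUserAgent"),
        "idp_names": idp_names,
        # Other event types the same actor generated in this batch, in log order.
        "actor_history": actor_history,
    }


def detect(events):
    """Run the rule over a list of events and return one alert per match."""
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[ev.get("actor", {}).get("alternateId")].append(ev)

    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        actor = ev.get("actor", {}).get("alternateId")
        history = [other["eventType"] for other in by_actor[actor]
                   if other.get("uuid") != ev.get("uuid")]
        alerts.append(build_alert(ev, history))
    return alerts


ALERTS = detect(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for alert in ALERTS:
        print(json.dumps(alert, indent=2))
```

On the sample above only event e2 fires: e3 is an IdP-creation attempt but its outcome is FAILURE, and e4 is an update rather than a create. The alert for e2 carries the actor's session start and the later IdP update as history, which is the kind of context the summary says should be examined before deciding whether the change was planned.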
Categories
  • Cloud
  • Identity Management
  • Other
Data Sources
  • User Account
  • Application Log
  • Web Credential
ATT&CK Techniques
  • T1556 (Modify Authentication Process)
  • T1556.007 (Modify Authentication Process: Hybrid Identity)
Created: 2023-11-06