Okta Identity Provider Sign-in

Panther Rules

Summary
This rule monitors for sign-in events that use third-party Identity Providers (IdPs) in Okta, which may indicate an impersonation or fraud scenario. Attackers configure malicious IdPs to impersonate legitimate users and gain unauthorized access to applications within an organization. The detection captures critical events from Okta's system log, focusing on authentication attempts that could stem from unauthorized IdP use. The rule is designed to trigger on successful logins initiated through an unauthorized IdP, so that response teams can investigate further and mitigate potential impersonation risks. Organizations that legitimately use third-party IdPs should not deploy this rule, because it would produce false positives.
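The logic described above, sketched as an added example in the `rule(event)` / `title(event)` shape used by Panther Python rules; it is not the rule's published source. It goes one step beyond the summary by checking the IdP against an allowlist. Assumptions: the Okta System Log event type `user.authentication.auth_via_IDP`, the IdP appearing in `target` with type `IdentityProvider`, the hypothetical `APPROVED_IDPS` set, and the constructed sample events.

```python
# Added example; the sample events below are constructed, not real Okta log lines.
IDP_SIGNIN_EVENT = "user.authentication.auth_via_IDP"  # Okta System Log event type

# Assumption: IdPs the organisation has approved (empty set = alert on every IdP sign-in).
APPROVED_IDPS = {"Corp Azure AD"}


def idp_names(event):
    """IdP display names; assumes the IdP is a `target` entry of type 'IdentityProvider'."""
    return [t.get("displayName") for t in event.get("target") or []
            if t.get("type") == "IdentityProvider"]


def rule(event):
    """True for a successful IdP sign-in that did not use an approved IdP."""
    if event.get("eventType") != IDP_SIGNIN_EVENT:
        return False
    if (event.get("outcome") or {}).get("result") != "SUCCESS":
        return False
    names = idp_names(event)
    # An event with no identifiable IdP is treated as unapproved (fail closed).
    return not names or any(n not in APPROVED_IDPS for n in names)


def title(event):
    user = (event.get("actor") or {}).get("alternateId", "<unknown user>")
    idps = ", ".join(str(n) for n in idp_names(event)) or "<unknown IdP>"
    return f"Okta sign-in by {user} via identity provider {idps}"


def _evt(event_type, result, idp=None, user="alice@example.com"):
    """Build a constructed event with only the fields the rule reads."""
    target = [{"type": "IdentityProvider", "displayName": idp}] if idp else []
    return {"eventType": event_type, "outcome": {"result": result},
            "actor": {"alternateId": user}, "target": target}


SAMPLE_EVENTS = [
    _evt(IDP_SIGNIN_EVENT, "SUCCESS", "Unknown SAML IdP"),   # alert
    _evt(IDP_SIGNIN_EVENT, "SUCCESS", "Corp Azure AD"),      # approved IdP
    _evt(IDP_SIGNIN_EVENT, "FAILURE", "Unknown SAML IdP"),   # not a successful login
    _evt("user.session.start", "SUCCESS"),                   # different event type
    _evt(IDP_SIGNIN_EVENT, "SUCCESS"),                       # IdP missing: fail closed
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(rule(e), "-", title(e))
```

Confirm the `target` layout against your own tenant's System Log before relying on the allowlist branch.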
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1199
  • T1098
Created: 2024-03-19