
Okta AD Agent Authentication Anomaly - Z-Score Detection

Panther Rules

Summary
Detects potential Okta AD Agent token theft and credential abuse using statistical z-score analysis. For each user it builds a 90-day baseline of AD Agent authentication patterns, then computes z-scores for hourly authentication volume, IP diversity, country diversity, and device diversity over the last 7 days. The rule triggers only when both a volume spike (z-score > 3) and a diversity spike (z-score > 2) are observed, i.e. unusually high activity arriving simultaneously from multiple locations or devices. Requiring both conditions is what separates token abuse from a normal volume spike: a busy but single-source hour does not fire on its own.

Prerequisites: run the Baseline Builder to populate okta_ad_agent_baseline_90d and allow 24 hours for the initial baseline population; until the baseline exists the rule has nothing to score against. It complements the behavioral token abuse detector (Okta.ADAgent.TokenAbuse.Behavioral) by focusing on the authentication activity pattern itself rather than on administrative actions. The rule is scheduled (Query.Okta.ADAgentAuthZScoreAnomaly) and uses a 360-minute dedup window to limit alert fatigue.

Runbook: compare recent activity against the baseline means, examine geographic anomalies in a 7-day window around first_anomaly_hour, and correlate with Okta SystemLog events (system.api_token.create, system.agent.ad.agent_instance_added) and any prior Okta.ADAgent.TokenAbuse.Behavioral alerts for the same user. The detection maps to MITRE ATT&CK TA0006:T1528, TA0006:T1110, and TA0001:T1078. Test scenarios cover high-volume/high-diversity anomalies, cold-start cases, and malformed or missing data so that the rule handles each without error.
Categories
  • Identity Management
  • Web
  • Application
  • Network
  • Windows
Data Sources
  • Application Log
  • Network Traffic
  • User Account
ATT&CK Techniques
  • T1528
  • T1110
  • T1078
Created: 2026-03-18