
Summary
This high-severity, experimental scheduled rule detects off-hours credential access for Okta SWA by profiling each admin's login and credential usage over a 90-day baseline and evaluating the most recent 7 days of activity for anomalous temporal patterns. It applies z-score analysis to several time-based signals: an off-hours access ratio spike (> 3σ above baseline), a late-night (2 AM–6 AM) access ratio spike (> 2σ), and a weekend access ratio spike (> 2σ). When an admin has no prior baseline for a signal, the rule falls back to cold-start thresholds: first-time off-hours access with ≥3 events, first-time late-night access with ≥2 events, or first-time weekend access with ≥2 events. A geographic-shift signal (location anomaly) can combine with off-hours activity to produce a high-confidence alert.

The detection uses Okta SystemLog data (e.g., application.user_membership changes and related authentication events) to model temporal access patterns for each admin. It is designed to complement Okta.SWA.BulkAccess.Behavioral by adding a temporal-pattern dimension to credential access detection rather than monitoring event volume alone. MITRE ATT&CK mappings are TA0006:T1555 (Credentials from Password Stores) and TA0001:T1078 (Valid Accounts).

Runbooks emphasize validating geographic anomalies against recent IP/geolocation data and cross-checking with other Okta signals such as MFA bypass or session anomalies. The rule is intended to quickly surface credential abuse during off-hours, which attackers often favor to avoid user disruption and detection.
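The baseline/recent z-score comparison and the cold-start fallback described above, as an added Python example that is not the rule's own code: it runs over constructed login timestamps for three admins (alice with a first-ever burst of 03:00 logins, bob and carol with a routine Wednesday 19:00 login in their history). The 08:00–18:00 business-hours boundary for "off hours", the per-day baseline ratios and the (user, timestamp) event shape are assumptions, since the summary fixes only the late-night window and the thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev
# Each signal: (predicate on a timestamp, z-score threshold, cold-start minimum). 08-18 UTC business hours are an assumption.
SIGNALS = {
    "off_hours": (lambda t: t.hour < 8 or t.hour >= 18, 3.0, 3),
    "late_night": (lambda t: 2 <= t.hour < 6, 2.0, 2),
    "weekend": (lambda t: t.weekday() >= 5, 2.0, 2),
}
def evaluate(events, now, baseline_days=90, recent_days=7):
    # events: iterable of (user, tz-aware datetime). Returns {user: {signal: reason}} for flagged admins only.
    recent_start = now - timedelta(days=recent_days)
    baseline_start = recent_start - timedelta(days=baseline_days)
    per_user = defaultdict(lambda: {"baseline": defaultdict(list), "recent": []})
    for user, ts in events:
        if baseline_start <= ts < recent_start:
            per_user[user]["baseline"][ts.date()].append(ts)   # baseline is bucketed per calendar day
        elif recent_start <= ts <= now:
            per_user[user]["recent"].append(ts)
    findings = {}
    for user, w in per_user.items():
        hits = {}
        for name, (pred, z_thresh, cold_min) in SIGNALS.items():
            recent_n = sum(pred(t) for t in w["recent"])
            daily = [sum(pred(t) for t in day) / len(day) for day in w["baseline"].values()]
            if not any(daily):  # no prior history for this signal: apply the cold-start count rule
                if recent_n >= cold_min:
                    hits[name] = f"cold-start: {recent_n} events with no baseline"
                continue
            ratio = recent_n / len(w["recent"]) if w["recent"] else 0.0
            mu, sigma = mean(daily), pstdev(daily)
            z = (ratio - mu) / sigma if sigma else (float("inf") if ratio > mu else 0.0)
            if z > z_thresh:
                hits[name] = f"z={z:.1f}: recent ratio {ratio:.2f} vs baseline mean {mu:.2f}"
        if hits:
            findings[user] = hits
    return findings
def weekday_logins(user, start, days, late_wednesdays=False):
    # Constructed history: a 10:00 login every weekday, plus a routine 19:00 login on Wednesdays if requested.
    return [(user, day.replace(hour=h))
            for day in (start + timedelta(days=i) for i in range(days)) if day.weekday() < 5
            for h in ([10, 19] if late_wednesdays and day.weekday() == 2 else [10])]
NOW = datetime(2026, 3, 19, tzinfo=timezone.utc)   # constructed evaluation time; recent window covers Mar 12-18
BASE_START = NOW - timedelta(days=97)              # the 90-day baseline ends where the 7-day window begins
SAMPLE = (weekday_logins("alice", BASE_START, 90) + weekday_logins("bob", BASE_START, 90, True)
          + weekday_logins("carol", BASE_START, 90, True)
          + [("alice", NOW.replace(day=d, hour=3)) for d in (12, 13, 16, 17)]   # four 03:00 logins, never seen before
          + [("bob", NOW.replace(day=d, hour=h)) for d, h in ((12, 10), (13, 10), (16, 10), (17, 19), (18, 10))]
          + [("carol", NOW.replace(day=d, hour=19)) for d in (12, 13, 16, 17)])  # every login after hours
if __name__ == "__main__":
    print(evaluate(SAMPLE, NOW))
```

alice is flagged through the cold-start path (off_hours and late_night), carol through the z-score path (off_hours only), and bob's single 19:00 login stays within his Wednesday baseline and produces nothing.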
Categories
- Identity Management
- Web
- Cloud
Data Sources
- Application Log
- Logon Session
ATT&CK Techniques
- T1555
- T1078
Created: 2026-03-18