Spike in Group Privilege Change Events

Elastic Detection Rules

Summary
This detection rule uses machine learning to identify unusual spikes in Okta group privilege change events. Such spikes may indicate attempted privilege escalation: an attacker adding themselves or compromised accounts to high-privilege groups in order to gain unauthorized access to sensitive resources. The rule relies on logs collected from the Privileged Access Detection integration and Okta, and monitors these events for significant deviations from normal activity patterns. It triggers when the anomaly score exceeds 75, evaluating a rolling 3-hour period every 15 minutes. This supports early detection of privilege escalation attempts and a prompt response to them.
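To make the rule's parameters concrete, the following is an added example that is not part of the Elastic rule or its machine learning job. It buckets constructed Okta-style events into trailing 3-hour windows stepped every 15 minutes, scores each window against a constructed baseline with a simple z-score squashed onto a 0-100 scale (a stand-in for the job's anomaly score, not Elastic's algorithm), and reports windows scoring above 75. The event type, group names, field names and baseline counts are all assumptions made for the example.

```python
"""Toy spike detector for Okta group privilege change events.

Added example, not Elastic's rule or its machine learning job. The scoring
below is a simple z-score mapped onto a 0-100 scale so that the rule's stated
parameters (3-hour rolling window, 15-minute evaluation interval, alert when
score > 75) can be exercised on constructed data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import math
import statistics

BUCKET = timedelta(minutes=15)   # evaluation interval stated by the rule
WINDOW = timedelta(hours=3)      # rolling period stated by the rule
THRESHOLD = 75                   # anomaly score threshold stated by the rule

# Assumed: which event types and target groups count as a privilege change.
PRIVILEGE_EVENT_TYPES = {"group.user_membership.add"}
PRIVILEGED_GROUPS = {"Okta Administrators", "Super Admins"}

# Constructed baseline: privilege changes seen per 3-hour window on normal days
# (mean 2, population stdev 1).
BASELINE_WINDOW_COUNTS = [1, 3, 1, 3, 1, 3, 1, 3]


@dataclass(frozen=True)
class OktaEvent:
    """Minimal stand-in for an Okta System Log record (field names assumed)."""
    published: datetime
    event_type: str
    actor: str
    target_group: str


def _ts(hhmm: str) -> datetime:
    hour, minute = map(int, hhmm.split(":"))
    return datetime(2025, 2, 18, hour, minute, tzinfo=timezone.utc)


# Constructed sample: two routine admin-group additions, then a burst of six
# within twenty minutes, plus two non-privileged additions that must be ignored.
SAMPLE_EVENTS = [
    OktaEvent(_ts("08:05"), "group.user_membership.add", "hr-admin", "Engineering"),
    OktaEvent(_ts("09:40"), "group.user_membership.add", "it-admin", "Okta Administrators"),
    OktaEvent(_ts("11:20"), "group.user_membership.add", "it-admin", "Super Admins"),
    OktaEvent(_ts("14:02"), "group.user_membership.add", "svc-sync", "Okta Administrators"),
    OktaEvent(_ts("14:05"), "group.user_membership.add", "svc-sync", "Okta Administrators"),
    OktaEvent(_ts("14:07"), "group.user_membership.add", "svc-sync", "Super Admins"),
    OktaEvent(_ts("14:11"), "group.user_membership.add", "svc-sync", "Okta Administrators"),
    OktaEvent(_ts("14:14"), "group.user_membership.add", "svc-sync", "Super Admins"),
    OktaEvent(_ts("14:18"), "group.user_membership.add", "svc-sync", "Okta Administrators"),
    OktaEvent(_ts("14:30"), "group.user_membership.add", "hr-admin", "Engineering"),
]
START, END = _ts("08:00"), _ts("15:00")


def is_privilege_change(event: OktaEvent) -> bool:
    """Only membership changes on the assumed privileged groups count."""
    return event.event_type in PRIVILEGE_EVENT_TYPES and event.target_group in PRIVILEGED_GROUPS


def anomaly_score(count: int, baseline: list[int]) -> int:
    """Map how far `count` sits above the baseline onto a 0-100 score.

    Stand-in for the ML job's score: z-score of the window count against the
    baseline, squashed with 1 - exp(-z/2). Counts at or below the mean score 0.
    """
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline) or 1.0  # flat baseline: avoid divide by zero
    z = (count - mean) / stdev
    if z <= 0:
        return 0
    return round(100 * (1 - math.exp(-z / 2)))


def rolling_window_counts(events, start, end):
    """Count privilege changes in each trailing 3-hour window, stepping 15 minutes."""
    stamps = sorted(e.published for e in events if is_privilege_change(e))
    t, out = start, []
    while t <= end:
        out.append((t, sum(1 for ts in stamps if t - WINDOW < ts <= t)))
        t += BUCKET
    return out


def detect_spikes(events, baseline, start, end):
    """Return (evaluation_time, count, score) for every window scoring above THRESHOLD."""
    return [
        (t, count, anomaly_score(count, baseline))
        for t, count in rolling_window_counts(events, start, end)
        if anomaly_score(count, baseline) > THRESHOLD
    ]


if __name__ == "__main__":
    for t, count, score in detect_spikes(SAMPLE_EVENTS, BASELINE_WINDOW_COUNTS, START, END):
        print(f"{t:%H:%M} window: {count} privilege changes, score {score} > {THRESHOLD}")
```

With the constructed data, the first window to alert ends at 14:15, once five of the six burst events fall inside the trailing 3 hours; the two routine additions earlier in the day never push a window above the threshold. The point the example makes is that the filter on event type and target group, and the choice of baseline, decide what the score means: a noisy baseline or an over-broad filter will either miss a genuine burst or alert on routine onboarding.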
Categories
  • Identity Management
  • Cloud
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1098 (Account Manipulation)
  • T1068 (Exploitation for Privilege Escalation)
  • T1078 (Valid Accounts)
Created: 2025-02-18