
Summary
This is a scheduled behavioral detection rule for Okta aimed at identifying a potential skeleton key authentication bypass. It builds a 90-day per-admin baseline of two facets: (1) policy changes that weaken authentication (e.g., requireFactor disabled, maxSessionLifetime shortened) and (2) enrollment of MFA factors by admins on behalf of other users.

The detector then inspects the last 7 days for anomalous spikes relative to that baseline using z-scores, flagging two patterns: (a) spikes in security-weakening policy changes (threshold > 2 standard deviations above baseline) and (b) spikes in admin-on-behalf-of MFA factor enrollments (threshold > 3 standard deviations above baseline). Cold-start signals are treated as high-confidence anomalies: a first-ever security-weakening change (no prior baseline for that admin) and a first-ever admin enrollment of a factor for another user.

The intent is to capture both steps of the skeleton key technique, weakening authentication controls and then enrolling attacker-controlled authenticators, while adapting to legitimate administrator workflows. The rule explicitly notes complementary coverage with Okta.ADAgent.TokenAbuse.Behavioral for credential-theft scenarios. Data sources are Okta SystemLog events (policy updates and MFA factor activations) from a cloud-hosted Okta environment.

The rule is labeled High severity and Experimental, with a 1440-minute dedup window to suppress duplicate alerts. Included runbooks guide investigators to verify the policy-change events, validate the legitimacy of the enrollments, and cross-check for prior compromise of the privileged account involved. MITRE ATT&CK mappings cite TA0005:T1556 and TA0003:T1098, aligning with defense evasion via credential manipulation and with account manipulation. The design emphasizes behavioral baselining and anomaly detection that adapts to administrative workflows, aiming to catch both stages of a skeleton key attack while minimizing false positives from legitimate admin activity.
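The baseline-and-z-score logic described above, as an added Python example (not the rule's own code): it classifies constructed Okta-style events into the two facets, builds a 90-day per-admin daily baseline, and flags either a z-score spike in the 7-day window or a cold start. The event type strings, the `changes` before/after map, the field names and the sample data are all assumptions for illustration, not taken from the page or from the Okta System Log schema.

```python
"""Per-admin baseline + z-score spike detection over constructed Okta-style events."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASELINE_DAYS = 90           # history used to build the per-admin baseline
WINDOW_DAYS = 7              # recent window inspected for spikes
POLICY_Z_THRESHOLD = 2.0     # spikes in security-weakening policy changes
ENROLL_Z_THRESHOLD = 3.0     # spikes in admin-on-behalf-of MFA enrollments

# Assumed System Log eventType values; the page itself does not name them.
POLICY_UPDATE = "policy.lifecycle.update"
FACTOR_ACTIVATE = "user.mfa.factor.activate"


def is_security_weakening(event):
    """True if the policy update disables requireFactor or shortens the max session lifetime.
    `changes` is a constructed before/after map, not a real System Log field."""
    changes = event.get("changes", {})
    rf = changes.get("requireFactor")
    if rf and rf["before"] and not rf["after"]:
        return True
    msl = changes.get("maxSessionLifetimeMinutes")
    if msl and msl["after"] < msl["before"]:
        return True
    return False


def classify(event):
    """Map an event to one of the two baselined facets, or None if it is neither."""
    if event["eventType"] == POLICY_UPDATE and is_security_weakening(event):
        return "policy_weakening"
    if event["eventType"] == FACTOR_ACTIVATE and event["actor"] != event["target"]:
        return "obo_enrollment"   # admin activated a factor for someone else
    return None


def daily_series(events, start, days):
    """counts[admin][facet] -> per-day counts (zeros included) for `days` days from `start`."""
    counts = defaultdict(lambda: defaultdict(lambda: [0] * days))
    for ev in events:
        facet = classify(ev)
        if facet is None:
            continue
        offset = (ev["published"] - start).days
        if 0 <= offset < days:
            counts[ev["actor"]][facet][offset] += 1
    return counts


def detect(events, now):
    """Findings for the last WINDOW_DAYS against the preceding BASELINE_DAYS of history."""
    window_start = now - timedelta(days=WINDOW_DAYS)
    baseline_start = window_start - timedelta(days=BASELINE_DAYS)
    baseline = daily_series(events, baseline_start, BASELINE_DAYS)
    recent = daily_series(events, window_start, WINDOW_DAYS)
    thresholds = {"policy_weakening": POLICY_Z_THRESHOLD, "obo_enrollment": ENROLL_Z_THRESHOLD}
    findings = []
    for admin, facets in recent.items():
        for facet, series in facets.items():
            current = sum(series)
            if current == 0:
                continue
            hist = baseline[admin][facet]          # defaultdict yields all-zero history if absent
            if sum(hist) == 0:
                # Cold start: this admin has never done this before -> high-confidence anomaly
                findings.append({"admin": admin, "facet": facet, "kind": "cold_start",
                                 "count": current, "z": None})
                continue
            mu, sigma = mean(hist), pstdev(hist)
            cur_rate = current / WINDOW_DAYS      # recent daily rate, comparable to the baseline mean
            z = (cur_rate - mu) / sigma if sigma > 0 else (float("inf") if cur_rate > mu else 0.0)
            if z > thresholds[facet]:
                findings.append({"admin": admin, "facet": facet, "kind": "spike",
                                 "count": current, "z": z})
    return findings


def _ev(event_type, actor, target, when, changes=None):
    """Build a constructed, simplified event record."""
    return {"eventType": event_type, "actor": actor, "target": target,
            "published": when, "changes": changes or {}}


NOW = datetime(2026, 3, 18)  # constructed reference time


def sample_events():
    """Constructed sample: one steady helpdesk admin, one spiking one, one first-time weakening."""
    day = lambda n: NOW - timedelta(days=n)
    events = []
    # alice: enrolls a factor for a user every other day (baseline), then 10 per day last week
    for n in range(8, 98, 2):
        events.append(_ev(FACTOR_ACTIVATE, "alice", f"user{n}", day(n)))
    for n in range(1, 8):
        events += [_ev(FACTOR_ACTIVATE, "alice", f"new{n}-{i}", day(n)) for i in range(10)]
    # bob: hardened a policy months ago (not weakening), then disables requireFactor last week
    events.append(_ev(POLICY_UPDATE, "bob", "sso-policy", day(30),
                      {"requireFactor": {"before": False, "after": True}}))
    events.append(_ev(POLICY_UPDATE, "bob", "sso-policy", day(2),
                      {"requireFactor": {"before": True, "after": False}}))
    events.append(_ev(FACTOR_ACTIVATE, "bob", "bob", day(3)))   # self-enrollment, not on-behalf-of
    # carol: same steady pattern as alice's baseline, continued into the window
    for n in range(9, 98, 2):
        events.append(_ev(FACTOR_ACTIVATE, "carol", f"user{n}", day(n)))
    for n in (1, 3, 5, 7):
        events.append(_ev(FACTOR_ACTIVATE, "carol", f"user{n}", day(n)))
    return events


if __name__ == "__main__":
    for f in detect(sample_events(), NOW):
        print(f)
```

Running it reports a `spike` for alice's on-behalf-of enrollments (z-score 19 against a baseline mean of 0.5 per day) and a `cold_start` for bob's first security-weakening change, while carol's unchanged cadence produces nothing. A production version would pull the two facets from the real System Log fields and persist the per-admin baseline rather than recomputing it from raw events on every run.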
Categories
- Identity Management
- Cloud
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1556
- T1098
Created: 2026-03-18