
Okta AD Agent Token Abuse - Behavioral

Panther Rules

Summary
This rule implements a behavioral detection for Okta AD Agent token abuse. It watches the Okta System Log for AD-agent-related event types (system.api_token.create, system.agent.ad.agent_instance_added and system.agent.ad.config_change_detected) and, instead of matching fixed credential patterns, flags usage that departs from what the environment has previously seen: an unseen source IP or an unfamiliar user agent. By correlating actorId, sourceIP and userAgent, it surfaces token creation, agent registration or configuration changes that originate from sources outside the established baseline.

Because the baseline is learned per environment, the detection adapts to each tenant and is intended to catch compromised credentials or unauthorized token generation. It focuses on the prelude to abuse rather than only the act of use, so it complements detections of anomalous token authentication and helps expose persistence and credential-theft paths that a simple authorization check would not catch. Okta.ADAgent.AuthenticationAnomaly.ZScore, which targets token usage patterns, is the recommended complementary rule.

The rule ships with a runbook for containment and scope assessment and is designed to tolerate partial data, such as an empty targets list or missing optional fields.
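The following is an added example of the baseline logic the summary describes, written here for illustration; it is not Panther's rule code. It assumes Okta System Log field names (eventType, actor.id, client.ipAddress, client.userAgent.rawUserAgent, target), replaces the persistent per-actor cache a deployed rule would use with an in-memory dict, and runs over a handful of constructed events.

```python
"""Behavioral check for Okta AD Agent events (added example, not Panther's code).

Assumptions: Okta System Log field layout; an in-memory dict stands in for
the persistent per-actor baseline a deployed rule would keep; events below
are constructed, not real tenant data.
"""
from collections import defaultdict

AD_AGENT_EVENTS = {
    "system.api_token.create",
    "system.agent.ad.agent_instance_added",
    "system.agent.ad.config_change_detected",
}


def deep_get(obj, *keys, default=None):
    """Walk nested dicts; return default as soon as a key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def new_baseline():
    # actorId -> {"ips": set(), "uas": set()}  (assumed in-memory store)
    return defaultdict(lambda: {"ips": set(), "uas": set()})


def evaluate(event, baseline):
    """Return anomaly reasons for one event; [] means no alert.

    The first sighting of an actor only seeds its baseline. Later events
    alert when the source IP or user agent is not in that actor's history.
    Values are learned only from non-alerting events, so an attacker's IP
    does not silently become "familiar" after the first alert.
    """
    if event.get("eventType") not in AD_AGENT_EVENTS:
        return []
    actor_id = deep_get(event, "actor", "id", default="")
    if not actor_id:
        return []  # nothing to correlate on; tolerate partial data
    ip = deep_get(event, "client", "ipAddress", default="") or ""
    ua = deep_get(event, "client", "userAgent", "rawUserAgent", default="") or ""
    seen = baseline[actor_id]
    reasons = []
    if seen["ips"] or seen["uas"]:  # baseline exists for this actor
        if ip and ip not in seen["ips"]:
            reasons.append(f"unseen source IP {ip}")
        if ua and ua not in seen["uas"]:
            reasons.append(f"unfamiliar user agent {ua!r}")
    if not reasons:
        if ip:
            seen["ips"].add(ip)
        if ua:
            seen["uas"].add(ua)
    return reasons


def title(event):
    """Alert title that survives missing client data and an empty target list."""
    actor = (deep_get(event, "actor", "alternateId")
             or deep_get(event, "actor", "id") or "unknown actor")
    ip = deep_get(event, "client", "ipAddress") or "unknown IP"
    targets = [t.get("displayName") or t.get("id") or "?"
               for t in (event.get("target") or []) if isinstance(t, dict)]
    target_str = ", ".join(targets) if targets else "no target"
    return (f"Okta AD Agent activity: {event.get('eventType')} "
            f"by {actor} from {ip} ({target_str})")


ACTOR = {"id": "00u1", "alternateId": "ad-agent-svc@example.com"}
KNOWN = {"ipAddress": "203.0.113.10",
         "userAgent": {"rawUserAgent": "okta-ad-agent/3.18.0"}}
SAMPLE_EVENTS = [  # constructed sample events
    {"eventType": "system.api_token.create", "actor": ACTOR, "client": KNOWN,
     "target": [{"id": "00T1", "displayName": "AD Agent token"}]},
    {"eventType": "system.agent.ad.config_change_detected", "actor": ACTOR,
     "client": KNOWN, "target": []},
    {"eventType": "system.api_token.create", "actor": ACTOR,
     "client": {"ipAddress": "198.51.100.7",
                "userAgent": {"rawUserAgent": "python-requests/2.31.0"}},
     "target": []},
    {"eventType": "user.session.start", "actor": ACTOR,
     "client": {"ipAddress": "192.0.2.5"}},
    {"eventType": "system.agent.ad.agent_instance_added",
     "actor": {"id": "00u1"}},  # no client, no target: partial data
]


def run_sample():
    """Feed the constructed events through one baseline in order."""
    baseline = new_baseline()
    return [(e["eventType"], evaluate(e, baseline)) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, (etype, reasons) in zip(SAMPLE_EVENTS, run_sample()):
        print(etype, "->", reasons or "ok", "|", title(event))
```

The third event is the one that fires: same actor, but a new IP and a scripting user agent instead of the agent's own. The fifth event has no client block and no target list and is handled without error, which is the partial-data resilience the summary mentions. One caveat the baseline design carries: a brand-new actor's first event never alerts, so pairing this with the token-usage anomaly rule named above matters.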
Categories
  • Identity Management
  • Cloud
  • Application
  • Web
Data Sources
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1528
  • T1098
Created: 2026-03-18