Summary
This detection rule monitors the creation and modification of Org2Org applications within the Okta identity management system. An Org2Org application allows user identities to be pushed from one Okta organization to another, which becomes a vector for account compromise if misused. The rule addresses a severe threat: a malicious actor who creates or modifies an Org2Org application could impersonate a super administrator in the target organization through user mismatching. The rule uses Okta's System Log for detection, focusing on the specific events that indicate creation or modification of Org2Org apps. Any such action from an unauthorized source or with anomalous context triggers a high-severity alert.
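The detection logic described above, as an added example that is not part of the original rule: it scans Okta System Log records (constructed sample lines, not real data), keeps only application lifecycle create/update events whose target is an Org2Org app, and raises severity to high when the actor or source network is outside an assumed allowlist. The event type names, the assumption that the Org2Org app's target displayName contains "Org2Org", and the allowlist values are assumptions made for this example, not taken from the page.

```python
import ipaddress
import json
from typing import Iterable, Optional

# Okta System Log eventType values for application lifecycle changes (assumed here).
ORG2ORG_EVENT_TYPES = {"application.lifecycle.create", "application.lifecycle.update"}

# Hypothetical allowlists: the identity admins and egress networks from which
# Org2Org changes are expected. Anything else is "unauthorized source".
APPROVED_ADMINS = {"idadmin@example.com"}
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample log lines in Okta System Log JSON shape (one record per line).
SAMPLE_LOG = [
    '{"eventType":"application.lifecycle.create","actor":{"alternateId":"idadmin@example.com"},'
    '"client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"SUCCESS"},'
    '"target":[{"type":"AppInstance","displayName":"Okta Org2Org"}]}',
    '{"eventType":"application.lifecycle.create","actor":{"alternateId":"idadmin@example.com"},'
    '"client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"SUCCESS"},'
    '"target":[{"type":"AppInstance","displayName":"Salesforce"}]}',
    '{"eventType":"user.session.start","actor":{"alternateId":"someone@example.com"},'
    '"client":{"ipAddress":"198.51.100.7"},"outcome":{"result":"SUCCESS"},"target":[]}',
    '{"eventType":"application.lifecycle.update","actor":{"alternateId":"contractor@example.net"},'
    '"client":{"ipAddress":"198.51.100.7"},"outcome":{"result":"SUCCESS"},'
    '"target":[{"type":"AppInstance","displayName":"Okta Org2Org"}]}',
]


def is_org2org_app(event: dict) -> bool:
    """True when any AppInstance target looks like an Org2Org application.

    Assumption: the app's displayName contains 'Org2Org'.
    """
    for target in event.get("target") or []:
        name = (target.get("displayName") or "").lower()
        if target.get("type") == "AppInstance" and "org2org" in name:
            return True
    return False


def from_approved_network(ip: str) -> bool:
    """True when the client IP falls inside one of the approved egress networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in APPROVED_NETWORKS)


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert for an Org2Org create/update event, else None.

    Every Org2Org change is surfaced (medium); an actor or source outside the
    allowlists escalates it to high, matching the 'unauthorized source or
    anomalous context' condition in the rule summary.
    """
    if event.get("eventType") not in ORG2ORG_EVENT_TYPES or not is_org2org_app(event):
        return None
    actor = (event.get("actor") or {}).get("alternateId", "")
    ip = (event.get("client") or {}).get("ipAddress", "")
    reasons = []
    if actor not in APPROVED_ADMINS:
        reasons.append(f"actor {actor!r} is not an approved identity admin")
    if not from_approved_network(ip):
        reasons.append(f"source {ip!r} is outside approved networks")
    return {
        "rule": "Okta Org2Org application created or modified",
        "severity": "high" if reasons else "medium",
        "eventType": event["eventType"],
        "actor": actor,
        "ip": ip,
        "outcome": (event.get("outcome") or {}).get("result"),
        "reasons": reasons,
    }


def scan(lines: Iterable[str]) -> list:
    """Parse JSON log lines and collect alerts; malformed lines are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = evaluate(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(json.dumps(alert))
```

Running the block prints two alerts: a medium one for the approved admin's creation and a high one for the update made by an unlisted actor from an unlisted network. Surfacing the approved case at lower severity is a deliberate choice, since an Org2Org change is rare enough that it should always be reviewed.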
Categories
- Identity Management
- Cloud
- Application
Data Sources
- User Account
- Application Log
- Cloud Service
ATT&CK Techniques
- T1556
- T1078.004
Created: 2023-10-19