
Summary
Detects Okta SWA (Secure Web Authentication) bulk access, new-source activity, and credential extraction using behavioral baselining and novelty detection. For each admin with SWA access, the rule builds a 90-day baseline of SWA activity, credential changes, and known source IPs and user agents, then analyzes the most recent 7 days for anomalous activity indicative of credential extraction across multiple apps. Detection relies on z-scores for multiple signals plus cold-start and new-source indicators.
Core signals:
- SWA authentication volume spike (>3σ above baseline)
- Diversity of accessed SWA apps spike (>3σ)
- Credential extraction volume spike (>3σ)
- Victim diversity spike, i.e. credential changes across many distinct users (>2σ)
Cold-start conditions trigger on first-time bulk SWA access (≥10 events with no baseline) and first-time credential extraction (≥5 extractions with no baseline). New-source indicators fire on any IP address or user agent not seen in the 90-day baseline. A critical compound signal flags a new IP combined with any credential extraction; the rule prioritizes alerts where new sources and credential extraction coincide, which aligns with the risk of lateral movement via SWA.
The detection uses Okta SystemLog data (including related events such as application.user_membership.change_username) to establish context and the relationships between admin actions and target users. This matters because credential extraction by an admin can reveal plaintext credentials for many SWA-protected apps without triggering MFA, and rapid, anomalous activity is hard to distinguish from legitimate admin behavior without baselined context. Complementary coverage is provided by related rules such as Okta.SWA.OffHoursAccess.Behavioral, which catches the same vectors outside normal business hours.
The rule's runbook guidance covers investigating recent extractions, new IPs, app diversity, and cross-alert correlations to determine whether the admin account was compromised and to identify the affected apps and users.
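As an added example (not the rule's own code and not taken from this page), the following Python sketches the baselining and scoring logic described above over constructed events: 7-day windows cut from the 90-day baseline supply the z-score samples, the recent 7-day window is scored against them, and cold-start, new-source and the compound new-IP-plus-extraction signals are evaluated per admin. The flat event shape, the abstract kinds swa_auth and cred_change (standing in for whichever Okta eventType values the real rule maps), the std-dev floor of 1, and the severity tiers are assumptions made for illustration; the events themselves are constructed, not real Okta System Log records.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Thresholds come from the rule description; SD_FLOOR and the severity tiers are assumptions.
BASELINE_DAYS, RECENT_DAYS, WINDOW = 90, 7, 7
Z_THRESHOLDS = {"swa_volume": 3.0, "swa_apps": 3.0, "extractions": 3.0, "victims": 2.0}
COLD_SWA, COLD_EXTRACT = 10, 5
SD_FLOOR = 1.0  # assumed: a flat baseline must not divide by zero or amplify tiny noise
TODAY = date(2026, 3, 18)  # exclusive end of the recent window


def window_signals(events):
    """Collapse the events of one time window into the four counters the rule scores."""
    swa = [e for e in events if e["kind"] == "swa_auth"]
    creds = [e for e in events if e["kind"] == "cred_change"]
    return {"swa_volume": len(swa), "swa_apps": len({e["app"] for e in swa}),
            "extractions": len(creds), "victims": len({e["victim"] for e in creds})}


def zscore(value, samples):
    """z-score of `value` against the baseline window samples, with a floored std-dev."""
    if not samples:
        return 0.0
    return (value - mean(samples)) / max(pstdev(samples), SD_FLOOR)


def analyze_admin(events, today=TODAY):
    """Score one admin: z-spikes, cold starts, new sources and the compound signal."""
    recent_start = today - timedelta(days=RECENT_DAYS)
    base_start = recent_start - timedelta(days=BASELINE_DAYS)
    baseline = [e for e in events if base_start <= e["day"] < recent_start]
    recent = [e for e in events if recent_start <= e["day"] < today]
    # Slice the baseline into 7-day windows (newest first) so each sample is comparable
    # to the 7-day recent window; the oldest partial window is dropped.
    per_window = defaultdict(list)
    for e in baseline:
        per_window[((recent_start - e["day"]).days - 1) // WINDOW].append(e)
    samples = [window_signals(per_window.get(i, [])) for i in range(BASELINE_DAYS // WINDOW)]
    now, base = window_signals(recent), window_signals(baseline)
    z = {k: zscore(now[k], [s[k] for s in samples]) for k in now}
    new_ips = sorted({e["ip"] for e in recent} - {e["ip"] for e in baseline})
    new_uas = sorted({e["ua"] for e in recent} - {e["ua"] for e in baseline})
    f = {f"{k}_spike": z[k] > t for k, t in Z_THRESHOLDS.items()}
    f["cold_start_swa"] = base["swa_volume"] == 0 and now["swa_volume"] >= COLD_SWA
    f["cold_start_extraction"] = base["extractions"] == 0 and now["extractions"] >= COLD_EXTRACT
    f["new_ips"], f["new_uas"], f["z"] = new_ips, new_uas, z
    f["new_ip_with_extraction"] = bool(new_ips) and now["extractions"] > 0
    if f["new_ip_with_extraction"] or (new_uas and now["extractions"] > 0):
        f["severity"] = "CRITICAL"  # new source plus extraction: the rule's priority case
    elif f["extractions_spike"] or f["victims_spike"] or f["cold_start_extraction"]:
        f["severity"] = "HIGH"
    elif f["swa_volume_spike"] or f["swa_apps_spike"] or f["cold_start_swa"] or new_ips or new_uas:
        f["severity"] = "MEDIUM"
    else:
        f["severity"] = None
    return f


def make_events(today=TODAY):
    """Constructed sample events (not real Okta System Log records)."""
    recent_start = today - timedelta(days=RECENT_DAYS)
    base_start = recent_start - timedelta(days=BASELINE_DAYS)
    ev = []

    def add(actor, day, kind, ip, ua, app=None, victim=None):
        ev.append({"actor": actor, "day": day, "kind": kind, "ip": ip, "ua": ua, "app": app, "victim": victim})

    def steady_day(actor, d):  # 1-3 SWA logins per day to two apps from the office IP
        for _ in range(d % 3 + 1):
            add(actor, base_start + timedelta(days=d), "swa_auth", "10.0.0.5", "Corp-Browser/1.0", app=f"app-{d % 2}")

    for d in range(BASELINE_DAYS):
        steady_day("admin_a", d)
        steady_day("admin_b", d)
    for d in range(BASELINE_DAYS, BASELINE_DAYS + RECENT_DAYS):
        steady_day("admin_b", d)  # admin_b's recent week matches its baseline
    # admin_a's recent week: 30 SWA logins across 12 apps from an unseen IP, then 8
    # credential changes against 8 different users (the compound signal).
    for i in range(30):
        add("admin_a", recent_start + timedelta(days=i % 7), "swa_auth", "203.0.113.9", "Corp-Browser/1.0", app=f"app-{i % 12}")
    for i in range(8):
        add("admin_a", recent_start + timedelta(days=6), "cred_change", "203.0.113.9", "Corp-Browser/1.0", app=f"app-{i}", victim=f"user{i}")
    return ev


def run(events, today=TODAY):
    """Group events by admin and score each one."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)
    return {actor: analyze_admin(evs, today) for actor, evs in by_actor.items()}


if __name__ == "__main__":
    for actor, r in run(make_events()).items():
        print(actor, r["severity"], r["new_ips"], {k: round(v, 1) for k, v in r["z"].items()})
```

With this data admin_a scores CRITICAL (volume z of 16, app-diversity z of 10, extraction and victim spikes, a cold-start extraction, and the new IP 203.0.113.9 combined with extraction), while admin_b, whose recent week looks like its baseline from a known IP, produces no finding. The std-dev floor is the caveat to tune: without it an admin whose baseline is perfectly regular would alert on a change of one login.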
Categories
- Identity Management
- Web
Data Sources
- Application Log
- Web Credential
- Logon Session
- Process
ATT&CK Techniques
- T1555
- T1213
- T1078
Created: 2026-03-18