
Summary
This rule detects the creation of new user accounts in Okta Identity Management. The detection logic queries the Okta System Log, selecting the user lifecycle event for account creation: entries whose 'event_type' field equals 'user.lifecycle.create'. The query is written in the SQL dialect used by Snowflake, where the Okta logs are stored, and examines only events from the last two hours so that alerts arrive promptly enough to act on. Every matching event is flagged for review, because unexpected account creation can indicate unauthorized user provisioning, or an attacker who has taken over an administrative account creating a new account as a foothold. Note that the event type alone does not prove the creation succeeded: Okta records the result separately in the outcome field, so the query should also require an outcome of SUCCESS to avoid alerting on failed attempts.
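The following is an added example, not the rule's own query or any vendor code, showing the detection logic run over a handful of constructed Okta System Log events. The events are flattened into a SQLite table whose table and column names (okta_system_log, event_type, outcome_result, published, actor_alternate_id, target_alternate_id) are assumptions about how the Snowflake schema is laid out; the event type, outcome values and timestamp format follow Okta's System Log. The Snowflake form of the query is kept in a comment, and because SQLite lacks DATEADD the two-hour cutoff is computed in Python and bound as a parameter.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the example is reproducible (assumption for the demo).
NOW = datetime(2024, 2, 9, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample events, not real log data. Columns:
# (published, event_type, outcome_result, actor_alternate_id, target_alternate_id)
SAMPLE_EVENTS = [
    ("2024-02-09T11:40:12.000Z", "user.lifecycle.create", "SUCCESS",
     "admin@example.com", "new.hire@example.com"),
    ("2024-02-09T11:55:03.000Z", "user.lifecycle.create", "SUCCESS",
     "svc-hr-sync@example.com", "contractor42@example.com"),
    # Same event type but the creation failed: must not alert.
    ("2024-02-09T11:58:40.000Z", "user.lifecycle.create", "FAILURE",
     "admin@example.com", "dup.user@example.com"),
    # A different lifecycle event (activation), not creation.
    ("2024-02-09T11:59:00.000Z", "user.lifecycle.activate", "SUCCESS",
     "admin@example.com", "new.hire@example.com"),
    # A successful creation, but outside the two-hour window.
    ("2024-02-09T09:30:00.000Z", "user.lifecycle.create", "SUCCESS",
     "admin@example.com", "old.user@example.com"),
]

# Snowflake form of the same rule (table name is an assumption):
#   SELECT published, actor_alternate_id, target_alternate_id
#   FROM okta_system_log
#   WHERE event_type = 'user.lifecycle.create'
#     AND outcome_result = 'SUCCESS'
#     AND published >= DATEADD(hour, -2, CURRENT_TIMESTAMP())
#   ORDER BY published;
# SQLite version: the cutoff timestamp is bound as a parameter instead.
QUERY = """
SELECT published, actor_alternate_id, target_alternate_id
FROM okta_system_log
WHERE event_type = 'user.lifecycle.create'
  AND outcome_result = 'SUCCESS'
  AND published >= ?
ORDER BY published
"""


def build_db(events=SAMPLE_EVENTS):
    """Load the flattened events into an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE okta_system_log (
               published TEXT, event_type TEXT, outcome_result TEXT,
               actor_alternate_id TEXT, target_alternate_id TEXT)"""
    )
    conn.executemany(
        "INSERT INTO okta_system_log VALUES (?, ?, ?, ?, ?)", events
    )
    return conn


def detect_new_users(conn, now=NOW, window_hours=2):
    """Return successful user creations published within the window.

    Timestamps are ISO 8601 in UTC with a trailing Z, so a string
    comparison against a cutoff in the same format orders correctly.
    """
    cutoff = (now - timedelta(hours=window_hours)).strftime(
        "%Y-%m-%dT%H:%M:%S.000Z"
    )
    return conn.execute(QUERY, (cutoff,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for published, actor, created in detect_new_users(db):
        print(f"{published}  {actor} created {created}")
```

Of the five constructed events only two are alerted on: the failed creation, the activation event and the creation older than two hours are all excluded. Widening the window to three hours brings the older creation back in, which is a quick way to confirm the time filter is doing what you expect before deploying the rule.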
Categories
- Identity Management
- Network
- Cloud
- Application
Data Sources
- Application Log
- User Account
ATT&CK Techniques
- T1078
Created: 2024-02-09