
Summary
This rule detects the creation of a new user account in an Okta environment. It matches the event type 'user.lifecycle.create', a specific event tracked by Okta's API. A new account can be legitimate or part of an unauthorized access attempt, so monitoring these events plays a crucial role in protecting corporate identities and access management systems. Because various organizations use Okta as an identity provider (IdP), it is important to ensure that every new user is created in compliance with the organization's policies. The detection uses simple selection criteria to identify user lifecycle events associated with new account creation. The rule's alert level is low (informational), and authorized user onboarding processes are a recognized source of false positives.
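The selection described above, applied to JSON log lines, as an added example that is not the rule's own source. The function name, the allowlist of onboarding actors and the sample events are assumptions constructed for illustration; the field names follow Okta System Log events.

```python
import json

# Constructed sample events (values are made up, one JSON object per line).
SAMPLE_LOG = """\
{"uuid": "evt-0001", "published": "2023-10-25T09:00:00.000Z", "eventType": "user.lifecycle.create", "actor": {"type": "User", "alternateId": "hr-sync@example.com"}, "target": [{"type": "User", "alternateId": "new.hire@example.com"}]}
{"uuid": "evt-0002", "published": "2023-10-25T09:05:00.000Z", "eventType": "user.session.start", "actor": {"type": "User", "alternateId": "new.hire@example.com"}, "target": []}
{"uuid": "evt-0003", "published": "2023-10-25T23:40:00.000Z", "eventType": "user.lifecycle.create", "actor": {"type": "User", "alternateId": "admin@example.com"}, "target": [{"type": "User", "alternateId": "svc-temp@example.com"}]}
this line is not JSON and must be skipped
"""

# Assumption: actors that perform authorized onboarding in this organization.
ONBOARDING_ACTORS = {"hr-sync@example.com"}


def detect_user_created(lines, known_actors=ONBOARDING_ACTORS):
    """Return one informational finding per 'user.lifecycle.create' event."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines in the export
        if not isinstance(event, dict):
            continue
        # The rule's selection: a single match on the event type.
        if event.get("eventType") != "user.lifecycle.create":
            continue
        actor = (event.get("actor") or {}).get("alternateId", "unknown")
        created = [t.get("alternateId") for t in (event.get("target") or [])
                   if t.get("type") == "User"]
        findings.append({
            "uuid": event.get("uuid"),
            "published": event.get("published"),
            "actor": actor,
            "created": created,
            "level": "informational",
            # Triage hint for the false-positive case: authorized onboarding.
            "expected_onboarding": actor in known_actors,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_user_created(SAMPLE_LOG.splitlines()):
        print(finding)
```

Findings with `expected_onboarding` set to False are the ones to review against the organization's account-creation policy.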
Categories
- Identity Management
- Cloud
Data Sources
- User Account
- Cloud Service
Created: 2023-10-25