diff --git a/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml b/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
deleted file mode 100644
index e8cdca0f9..000000000
--- a/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
+++ /dev/null
@@ -1,38 +0,0 @@
-[metadata]
-creation_date = "2020/05/21"
-integration = ["okta"]
-maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
-
-[rule]
-author = ["Elastic"]
-description = """
-Detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from IP
-addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential
-based attacks against their organization, such as brute force and password spraying attacks.
-"""
-index = ["filebeat-*", "logs-okta*"]
-language = "kuery"
-license = "Elastic License v2"
-name = "Threat Detected by Okta ThreatInsight"
-note = """## Setup
-
-The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
-references = [
- "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/",
- "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
-]
-risk_score = 47
-rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9"
-severity = "medium"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
-timestamp_override = "event.ingested"
-type = "query"
-
-query = '''
-event.dataset:okta.system and event.action:security.threat.detected
-'''
-
diff --git a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
new file mode 100644
index 000000000..36d293bb9
--- /dev/null
+++ b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2020/05/21"
+integration = ["okta"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/13"
+promotion = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes,
+which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents
+Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests
+the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and
+other similar threats.
+"""
+index = ["filebeat-*", "logs-okta*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Okta ThreatInsight Threat Suspected Promotion"
+note = """## Setup
+
+## Triage and analysis
+
+This is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.
+Consult vendor documentation on interpreting specific events.
+""" +references = [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", +] +risk_score = 47 +rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9" +rule_name_override = "okta.display_message" +severity = "medium" +tags = ["Elastic", "Identity", "Identity and Access", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true) +''' + + +[[rule.severity_mapping]] +field = "okta.debug_context.debug_data.risk_level" +operator = "equals" +severity = "low" +value = "LOW" + +[[rule.severity_mapping]] +field = "okta.debug_context.debug_data.risk_level" +operator = "equals" +severity = "medium" +value = "MEDIUM" + +[[rule.severity_mapping]] +field = "okta.debug_context.debug_data.risk_level" +operator = "equals" +severity = "high" +value = "HIGH" + +