
Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials

Elastic Detection Rules

Summary
This detection rule identifies failed OAuth 2.0 token grant attempts by public client applications using the client credentials grant, where Okta denies the request because the scopes the application asked for have not been granted to it. Such a failure may indicate that an application's client credentials have been compromised and an attacker is using them to obtain an access token for scopes the application was never authorized to use. The rule keys on the `okta.actor.display_name` field and flags an event only when no activity has been recorded for that actor in the preceding 14 days, so a first-time scope-denied grant from an application stands out from routine failures. It additionally checks that the request originated from a public client app, used the client credentials grant, and failed specifically because the required scope was missing. The rule is intended for environments that use Okta for identity management and aims to reduce the risk of unauthorized access with stolen application credentials. Recommended investigation steps are to review the public client application involved, compare the scopes it requested with the scopes it is actually entitled to, and cross-reference the activity with other security logs to identify anomalies or patterns. Note that a newly onboarded integration that requests scopes it has not yet been granted produces the same failure, so confirm with the application owner before treating a hit as credential compromise.
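As an added illustration, not part of the rule or of Elastic's code, the following Python replays a handful of constructed Okta-style events through the logic the summary describes: filter for public client apps using the client credentials grant that failed for lack of a granted scope, then alert only when the `okta.actor.display_name` has not produced such an event in the previous 14 days. Only `okta.actor.display_name` is named on the page; `event.action`, `okta.actor.type`, `okta.outcome.result`, `okta.outcome.reason`, the `grantType` and `requestedScopes` paths, and all sample values are assumptions made for this example, and tracking the 14-day history over matching events only is a simplification of the rule's behaviour.

```python
import json
from datetime import datetime, timedelta

# Constructed Okta System Log events, already flattened to Elastic okta.*
# field names. Only okta.actor.display_name is named on the page; every
# other field name and value below is an assumption made for this example.
def _event(ts, name, actor_type, grant, result, reason, scopes):
    return {
        "@timestamp": ts,
        "event.action": "app.oauth2.as.token.grant",
        "okta.actor.display_name": name,
        "okta.actor.type": actor_type,
        "okta.debug_context.debug_data.flattened.grantType": grant,
        "okta.debug_context.debug_data.flattened.requestedScopes": scopes,
        "okta.outcome.result": result,
        "okta.outcome.reason": reason,
    }

SAMPLE_EVENTS = [
    _event("2024-09-01T08:00:00Z", "Legacy Reporting Service", "PublicClientApp",
           "client_credentials", "FAILURE", "no_matching_scope",
           "okta.users.manage okta.groups.manage"),
    # Same actor nine days later: inside the history window, so no new alert.
    _event("2024-09-10T09:30:00Z", "Legacy Reporting Service", "PublicClientApp",
           "client_credentials", "FAILURE", "no_matching_scope",
           "okta.users.manage"),
    # Successful grant: does not match the filter at all.
    _event("2024-09-11T10:00:00Z", "CI Pipeline Client", "PublicClientApp",
           "client_credentials", "SUCCESS", None, "okta.apps.read"),
    # First scope-denied client_credentials failure for this actor: alert.
    _event("2024-09-11T10:05:00Z", "Payroll Sync", "PublicClientApp",
           "client_credentials", "FAILURE", "no_matching_scope",
           "okta.users.read okta.groups.read"),
    # A user with the authorization_code grant: wrong actor type and grant.
    _event("2024-09-11T10:07:00Z", "alice@example.com", "User",
           "authorization_code", "FAILURE", "no_matching_scope", "openid profile"),
    # Same actor as the first event, 20 days after its last match: alert again.
    _event("2024-09-30T07:45:00Z", "Legacy Reporting Service", "PublicClientApp",
           "client_credentials", "FAILURE", "no_matching_scope",
           "okta.users.manage"),
]

HISTORY_WINDOW = timedelta(days=14)


def is_scope_denied_public_cc_grant(ev):
    """Per-event filter: a public client app used the client credentials grant
    and Okta refused it because no requested scope is granted to the app."""
    return (
        ev.get("event.action") == "app.oauth2.as.token.grant"
        and ev.get("okta.actor.type") == "PublicClientApp"
        and ev.get("okta.debug_context.debug_data.flattened.grantType") == "client_credentials"
        and ev.get("okta.outcome.result") == "FAILURE"
        and ev.get("okta.outcome.reason") == "no_matching_scope"
    )


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect(events, history_window=HISTORY_WINDOW):
    """Replay events in time order and alert on a matching event whose
    okta.actor.display_name has not produced a matching event within the
    preceding history_window (assumption: history is tracked over matching
    events only). Each alert carries the requested scopes for triage."""
    last_match = {}
    alerts = []
    for ev in sorted(events, key=lambda e: _parse_ts(e["@timestamp"])):
        if not is_scope_denied_public_cc_grant(ev):
            continue
        actor = ev.get("okta.actor.display_name")
        ts = _parse_ts(ev["@timestamp"])
        seen = last_match.get(actor)
        if seen is None or ts - seen > history_window:
            alerts.append({
                "timestamp": ev["@timestamp"],
                "actor": actor,
                "requested_scopes": ev.get(
                    "okta.debug_context.debug_data.flattened.requestedScopes"),
                "reason": ev.get("okta.outcome.reason"),
            })
        last_match[actor] = ts
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Run as a script it prints three alerts: the first scope-denied grant from "Legacy Reporting Service", the first from "Payroll Sync", and the "Legacy Reporting Service" failure 20 days after its previous match. The repeated failure nine days after the first is suppressed by the history window, which is exactly the behaviour to keep in mind when tuning: an attacker who keeps retrying with the same stolen credentials generates one alert, not a stream.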
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • User Account
  • Cloud Service
  • Application Log
  • Web Credential
ATT&CK Techniques
  • T1550 (Use Alternate Authentication Material)
  • T1550.001 (Application Access Token)
Created: 2024-09-11