Okta Multiple signins from Same IP address

Anvilogic Forge

Summary
This detection rule identifies potentially malicious activity by monitoring for multiple user sign-in attempts to an Okta environment that originate from the same source IP address within a 10-minute window. Such activity can indicate enumeration or credential-stuffing attacks, and has been specifically linked to groups such as LUCR-3 and Scattered Spider (also known as 0ktapus or UNC3944). By using Okta authentication event logs, this rule helps security analysts detect anomalous sign-in behavior that could signal an attempt to compromise user accounts. To deploy this detection, logs are queried within a two-hour timeframe, focusing on events whose signature indicates a user login. Analyzing sign-in behavior in this way helps uncover account misuse and defend against unauthorized access to the Okta platform.
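The following is an added illustration of the detection logic, not Anvilogic's rule. It groups Okta sign-in events by source IP and flags any IP that signed in as several distinct accounts inside a sliding 10-minute window. It assumes the raw Okta System Log field names (eventType of user.session.start for a user login, client.ipAddress, actor.alternateId) stand in for the rule's normalized "signature" field, and the three-account threshold is an assumption; the log records are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Okta System Log eventType emitted for a user sign-in.
LOGIN_EVENT = "user.session.start"
WINDOW = timedelta(minutes=10)

def _ev(ts, user, ip, event_type=LOGIN_EVENT):
    """Build a minimal Okta System Log record (constructed sample data)."""
    return {"published": ts, "eventType": event_type,
            "actor": {"alternateId": user}, "client": {"ipAddress": ip}}

# Constructed sample log: 203.0.113.10 signs in as four accounts inside ten
# minutes; 192.0.2.5 touches two; 198.51.100.7 touches two but 29 min apart.
SAMPLE_EVENTS = [
    _ev("2024-02-09T10:00:05Z", "alice@example.com", "203.0.113.10"),
    _ev("2024-02-09T10:02:10Z", "bob@example.com", "203.0.113.10"),
    _ev("2024-02-09T10:03:00Z", "bob@example.com", "203.0.113.10", "user.session.end"),
    _ev("2024-02-09T10:04:30Z", "carol@example.com", "203.0.113.10"),
    _ev("2024-02-09T10:09:00Z", "dave@example.com", "203.0.113.10"),
    _ev("2024-02-09T10:00:00Z", "erin@example.com", "192.0.2.5"),
    _ev("2024-02-09T10:05:00Z", "frank@example.com", "192.0.2.5"),
    _ev("2024-02-09T10:01:00Z", "alice@example.com", "198.51.100.7"),
    _ev("2024-02-09T10:30:00Z", "bob@example.com", "198.51.100.7"),
]

def find_multi_user_ips(events, window=WINDOW, min_users=3):
    """Return {ip: sorted distinct users} for each source IP that signed in as
    at least `min_users` accounts within any `window` span (assumed threshold)."""
    by_ip = defaultdict(list)
    for e in events:
        if e.get("eventType") != LOGIN_EVENT:
            continue  # only sign-in events count toward the window
        by_ip[e["client"]["ipAddress"]].append(
            (datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%SZ"),
             e["actor"]["alternateId"]))
    hits = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            # sliding window anchored on each sign-in in chronological order
            users = {u for t, u in rows[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits

if __name__ == "__main__":
    for ip, users in find_multi_user_ips(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(users)} distinct accounts in 10 min -> {users}")
```

In production the same aggregation runs over the rule's two-hour query range, and the threshold should be tuned against known shared egress points (VPN concentrators, NAT gateways) to limit benign hits.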
Categories
  • Identity Management
  • Network
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1078
Created: 2024-02-09