
Summary
This detection rule monitors unauthorized access attempts to Okta applications, specifically instances where a user is denied access. It triggers when a user's attempt to connect to an application fails with a 403 Forbidden result. The rule uses Okta System Log events, which carry the relevant details of the attempt: the user's identity, authentication context, client device information, security context, and the specific application involved in the denied access. It has a low severity level, suggesting it is part of broader monitoring rather than a direct, immediate threat. Each attempt generates a unique notification, and a deduplication period of 60 minutes is set to reduce alert noise. The rule is particularly useful for identifying patterns of abuse or repeated access attempts by unauthorized users, and it supports compliance and auditing efforts regarding application security protocols.
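As an added example (not the rule's own code), the following Python reimplements the logic described in the summary over constructed Okta System Log events: the failure match, the context fields the alert carries, and the 60-minute deduplication keyed on user and application. The Okta event type app.generic.unauth_app_access_attempt, the JSON field layout and all sample values are assumptions, not taken from the page.

```python
from datetime import datetime, timedelta

DEDUP_WINDOW = timedelta(minutes=60)  # deduplication period stated in the summary
# Okta event type for a refused app launch: an assumption, the page does not name it.
UNAUTH_APP_EVENT = "app.generic.unauth_app_access_attempt"

def is_app_access_denied(event):
    """True for an Okta System Log event in which a user was refused an application."""
    outcome = event.get("outcome") or {}
    reason = str(outcome.get("reason", "")).lower()
    return outcome.get("result") == "FAILURE" and (
        event.get("eventType") == UNAUTH_APP_EVENT or "403" in reason or "forbidden" in reason)
def app_name(event):  # display name of the AppInstance target, or a placeholder
    apps = [t for t in event.get("target") or [] if t.get("type") == "AppInstance"]
    return apps[0].get("displayName", "unknown-app") if apps else "unknown-app"

def build_alert(event):
    """Context the rule surfaces: identity, auth context, device, security context, app."""
    actor, client = event.get("actor") or {}, event.get("client") or {}
    return {"title": f"Okta: {actor.get('alternateId')} denied access to {app_name(event)}",
            "severity": "LOW", "user": actor.get("alternateId"), "app": app_name(event),
            "ip": client.get("ipAddress"), "device": client.get("device"),
            "authentication_context": event.get("authenticationContext"), "security_context": event.get("securityContext")}

def run_detection(events):
    """One alert per (user, app) per 60-minute window, processing events in time order."""
    window_start, alerts = {}, []
    for event in sorted(events, key=lambda e: e["published"]):
        if not is_app_access_denied(event):
            continue
        ts = datetime.fromisoformat(event["published"].replace("Z", "+00:00"))
        key = (event["actor"]["alternateId"], app_name(event))
        if key in window_start and ts - window_start[key] < DEDUP_WINDOW:
            continue  # still inside the dedup window opened by the earlier alert
        window_start[key] = ts
        alerts.append(build_alert(event))
    return alerts
def denied(user, app, published):  # constructed Okta-style failure event, not a real record
    return {"eventType": UNAUTH_APP_EVENT, "published": published, "actor": {"alternateId": user},
            "outcome": {"result": "FAILURE", "reason": "403 Forbidden"},
            "client": {"ipAddress": "203.0.113.7", "device": "Computer"},
            "authenticationContext": {"externalSessionId": "sess-constructed"}, "securityContext": {"isProxy": False},
            "target": [{"type": "AppInstance", "displayName": app}]}
SAMPLE_EVENTS = [  # constructed: three denials for alice, one ordinary success for bob
    denied("alice@example.com", "Finance Portal", "2022-12-13T10:00:00.000Z"),
    denied("alice@example.com", "Finance Portal", "2022-12-13T10:30:00.000Z"),
    denied("alice@example.com", "Finance Portal", "2022-12-13T11:30:00.000Z"),
    {"eventType": "user.session.start", "published": "2022-12-13T10:05:00.000Z",
     "actor": {"alternateId": "bob@example.com"}, "outcome": {"result": "SUCCESS"}}]
```

Running `run_detection(SAMPLE_EVENTS)` yields two alerts for alice: the 10:30 denial is absorbed by the window opened at 10:00, while the 11:30 denial falls outside it and alerts again.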
Categories
- Identity Management
- Web
- Cloud
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2022-12-13