
Summary
This detection rule identifies potential brute-force activity against Okta accounts by monitoring the sequence of multi-factor authentication (MFA) events for a single account. It looks for an account that accumulates multiple failed MFA push authentication attempts followed by at least one successful login: more than 4 failed attempts and more than 3 explicit push rejections, paired with a subsequent successful authentication. A push challenge is normally issued only after the primary factor (usually the password) has been verified, so this sequence indicates an attacker who already holds valid credentials and is repeatedly pushing prompts until the user approves one (MFA push fatigue, also catalogued as ATT&CK T1621) rather than guessing passwords blindly. Legitimate users who dismiss or time out several prompts can also match, so triage should compare the client IP and geography of the push requests with the user's usual sign-in locations and confirm with the user before acting. The rule is associated with the threat actor cluster tracked as LUCR-3 and Scattered Spider, which has used this technique against Okta tenants.
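The sequence described above, run over a constructed set of Okta System Log records, as an added example that is not the rule's own query or any vendor code. The thresholds (more than 4 failures, more than 3 rejections, then a success) come from the summary; everything else is assumed: the eventType values chosen to represent a failed MFA attempt, an explicit push rejection and a successful login, the 10-minute lookback window before the success, and the sample records themselves.

```python
"""Added example: MFA push-fatigue sequence detection over constructed Okta
System Log records (newline-delimited JSON). Not the original rule's query."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds from the rule summary: more than 4 failures and more than 3 rejections.
FAILED_MFA_THRESHOLD = 4
REJECTION_THRESHOLD = 3
WINDOW = timedelta(minutes=10)  # assumption: the summary names no window

# Assumed Okta System Log eventType mapping (the summary names no event types).
FAILED_MFA_EVENT = "user.authentication.auth_via_mfa"  # counted only with outcome.result FAILURE
REJECT_EVENT = "user.mfa.okta_verify.deny_push"       # user explicitly rejected the push
SUCCESS_EVENT = "user.session.start"                  # counted only with outcome.result SUCCESS


def parse_events(lines):
    """Parse NDJSON System Log records into flat dicts, oldest first."""
    events = []
    for line in lines:
        rec = json.loads(line)
        published = datetime.strptime(rec["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append({
            "time": published.replace(tzinfo=timezone.utc),
            "user": rec["actor"]["alternateId"],
            "type": rec["eventType"],
            "result": rec.get("outcome", {}).get("result", ""),
            "ip": rec.get("client", {}).get("ipAddress", ""),
        })
    return sorted(events, key=lambda e: e["time"])


def detect_push_fatigue(events, window=WINDOW):
    """Return one finding per successful login that was preceded, within `window`,
    by more than FAILED_MFA_THRESHOLD failed MFA attempts and more than
    REJECTION_THRESHOLD explicit push rejections for the same user."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        start = 0  # events before this index already produced a finding
        for i, e in enumerate(evs):
            if e["type"] != SUCCESS_EVENT or e["result"] != "SUCCESS":
                continue
            prior = [p for p in evs[start:i] if e["time"] - p["time"] <= window]
            failures = [p for p in prior if p["type"] == FAILED_MFA_EVENT and p["result"] == "FAILURE"]
            rejections = [p for p in prior if p["type"] == REJECT_EVENT]
            if len(failures) > FAILED_MFA_THRESHOLD and len(rejections) > REJECTION_THRESHOLD:
                findings.append({
                    "user": user,
                    "failed_mfa": len(failures),
                    "rejections": len(rejections),
                    "success_time": e["time"].isoformat(),
                    # Triage aid: where the failed pushes came from vs. the successful login.
                    "push_source_ips": sorted({p["ip"] for p in failures}),
                    "login_ip": e["ip"],
                })
                start = i + 1  # do not re-alert on the same burst
    return findings


# --- Constructed sample log (not real Okta output) ---------------------------
def _rec(minute, user, event_type, result, ip="203.0.113.7"):
    """One constructed System Log record `minute` minutes after a fixed base time."""
    ts = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc) + timedelta(minutes=minute)
    return json.dumps({
        "published": ts.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "eventType": event_type,
        "actor": {"alternateId": user},
        "outcome": {"result": result},
        "client": {"ipAddress": ip},
    })


SAMPLE_LOG = []
# alice: five pushes rejected (each also logged as a failed MFA attempt), one push
# that timed out, then a successful login six minutes after the first push.
for m in range(5):
    SAMPLE_LOG.append(_rec(m, "alice@example.com", REJECT_EVENT, "SUCCESS"))
    SAMPLE_LOG.append(_rec(m, "alice@example.com", FAILED_MFA_EVENT, "FAILURE"))
SAMPLE_LOG.append(_rec(5, "alice@example.com", FAILED_MFA_EVENT, "FAILURE"))
SAMPLE_LOG.append(_rec(6, "alice@example.com", SUCCESS_EVENT, "SUCCESS", ip="198.51.100.20"))
# bob: fumbles two pushes and then logs in; below both thresholds.
for m in range(2):
    SAMPLE_LOG.append(_rec(m, "bob@example.com", REJECT_EVENT, "SUCCESS"))
    SAMPLE_LOG.append(_rec(m, "bob@example.com", FAILED_MFA_EVENT, "FAILURE"))
SAMPLE_LOG.append(_rec(3, "bob@example.com", SUCCESS_EVENT, "SUCCESS"))
# carol: same burst as alice, but her successful login is two hours later,
# outside the lookback window, so the burst and the login are not linked.
for m in range(5):
    SAMPLE_LOG.append(_rec(m, "carol@example.com", REJECT_EVENT, "SUCCESS"))
    SAMPLE_LOG.append(_rec(m, "carol@example.com", FAILED_MFA_EVENT, "FAILURE"))
SAMPLE_LOG.append(_rec(5, "carol@example.com", FAILED_MFA_EVENT, "FAILURE"))
SAMPLE_LOG.append(_rec(130, "carol@example.com", SUCCESS_EVENT, "SUCCESS"))

if __name__ == "__main__":
    for finding in detect_push_fatigue(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

Only alice fires: bob is under both thresholds and carol's burst falls outside the window. The finding carries the source IPs of the failed pushes next to the IP of the successful login, which is the first thing to compare during triage; widening the window (for example to a few hours) makes carol fire as well, so the window is a tuning knob that trades missed slow attacks against noise from users who simply retry later.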
Categories
- Identity Management
- Cloud
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1110
Created: 2024-02-09