
High Number of Okta Device Token Cookies Generated for Authentication
Elastic Detection Rules
Summary
This detection rule identifies suspicious authentication patterns in Okta by monitoring for a large number of authentication events originating from a single client address. It is relevant to credential access threats such as credential stuffing and password spraying, where adversaries attempt to gain unauthorized access to many user accounts using known credentials. The alert triggers once 30 unique device token hashes are observed in authentication events from one client address. The rule is implemented in ESQL and relies on specific fields in Okta logs, including the client IP, the user identifier, and the event outcome. It accounts for possible false positives, particularly where users share devices or where legitimate authentication attempts originate from shared environments. Investigation and response recommendations are included to guide analysts in validating alerts and acting on confirmed threats.
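The following is an added Python emulation of the rule's counting logic, not the rule's own ESQL query: it groups authentication events by client address, counts distinct device token hashes, and reports addresses at or above the 30-hash threshold. The event field names (`event_type`, `client_ip`, `user`, `dt_hash`, `outcome`), the `user.authentication` event-type prefix and the sample events are assumptions constructed for this example.

```python
from collections import defaultdict

# Threshold stated in the rule summary: 30 unique device token hashes per client address.
DT_HASH_THRESHOLD = 30

def suspicious_clients(events, threshold=DT_HASH_THRESHOLD):
    """Return {client_ip: summary} for client addresses whose authentication
    events carry at least `threshold` distinct device token hashes."""
    hashes = defaultdict(set)                          # client_ip -> distinct device token hashes
    users = defaultdict(set)                           # client_ip -> distinct user identifiers
    outcomes = defaultdict(lambda: defaultdict(int))   # client_ip -> outcome -> count
    for e in events:
        # Only authentication events count; the "user.authentication" prefix is an assumption.
        if not e.get("event_type", "").startswith("user.authentication"):
            continue
        dt_hash = e.get("dt_hash")
        if not dt_hash:
            continue                                   # no device token, nothing to count
        ip = e["client_ip"]
        hashes[ip].add(dt_hash)
        users[ip].add(e.get("user"))
        outcomes[ip][e.get("outcome", "UNKNOWN")] += 1
    return {ip: {"dt_hash_count": len(h), "user_count": len(users[ip]),
                 "outcomes": dict(outcomes[ip])}
            for ip, h in hashes.items() if len(h) >= threshold}

def build_sample_events():
    """Constructed sample data (not real Okta logs); the field names are assumptions."""
    events = []
    # One address rotating 30 distinct device tokens across 30 accounts, almost all
    # failing: the credential stuffing / password spraying pattern the rule targets.
    for i in range(30):
        events.append({"event_type": "user.authentication.sso", "client_ip": "198.51.100.10",
                       "user": f"user{i:02d}@example.com", "dt_hash": f"dt-{i:02d}",
                       "outcome": "SUCCESS" if i == 7 else "FAILURE"})
    # A busy shared egress address: 40 logins but only 3 devices, so it stays below threshold.
    for i in range(40):
        events.append({"event_type": "user.authentication.sso", "client_ip": "203.0.113.5",
                       "user": f"staff{i % 12}@example.com", "dt_hash": f"shared-{i % 3}",
                       "outcome": "SUCCESS"})
    # Non-authentication events must not contribute, even with many distinct tokens.
    for i in range(35):
        events.append({"event_type": "user.session.end", "client_ip": "192.0.2.44",
                       "user": "svc@example.com", "dt_hash": f"other-{i}", "outcome": "SUCCESS"})
    return events

if __name__ == "__main__":
    for ip, summary in suspicious_clients(build_sample_events()).items():
        print(ip, summary)
```

The shared-egress case shows why the rule keys on distinct device token hashes rather than raw event volume: 40 logins from 3 devices do not trip it, while 30 logins from 30 devices do.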
Categories
- Identity Management
- Cloud
- Endpoint
Data Sources
- User Account
- Cloud Service
- Application Log
ATT&CK Techniques
- T1110
- T1110.003
- T1110.004
Created: 2024-06-17