Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy

Elastic Detection Rules

Summary
This rule detects multiple Okta user authentication events that report the same device token hash and originate behind a proxy, a pattern that can indicate a shared device or credential abuse such as password spraying. It uses a threshold strategy: an alert fires when one device token hash is associated with several distinct Okta user IDs, restricted to user authentication events that arrive via a proxy. The rule's investigation guide points to the fields needed to decide whether the activity is legitimate or suspicious, in particular `okta.actor`, `okta.client`, and `okta.event_type`. False positives must be considered, such as an administrator who manages multiple accounts or shared computers in an organizational setting. Recommended response actions include profiling the affected users, reviewing their historical behavior, and, where the activity is found to be illegitimate, resetting passwords or deactivating accounts. Reference links provide additional context and supporting documentation for further analysis.
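As an added illustration (not the rule's own query or Elastic's code), the grouping logic the summary describes, reimplemented in Python over constructed Okta system log documents: group proxied `user.authentication*` events by device token hash and report hashes shared by at least three distinct actors. The `dt_hash` and `is_proxy` field names and the threshold of three users are assumptions; only `okta.actor`, `okta.client` and `okta.event_type` come from the page.

```python
from collections import defaultdict

# Assumed field names for the device token hash and the proxy flag.
DT_HASH_FIELD = "okta.debug_context.debug_data.dt_hash"
IS_PROXY_FIELD = "okta.security_context.is_proxy"


def make_event(user_id, dt_hash, is_proxy=True, event_type="user.authentication.sso"):
    """Build one constructed Okta log document with flattened keys."""
    return {
        "okta.event_type": event_type,
        "okta.actor.id": user_id,
        "okta.client.ip": "203.0.113.10",  # constructed address
        IS_PROXY_FIELD: is_proxy,
        DT_HASH_FIELD: dt_hash,
    }


# Constructed sample: one hash reused by three proxied users (should alert),
# one below threshold, one reused only without a proxy, one non-auth event.
SAMPLE_EVENTS = [
    make_event("user-1", "dt-shared"),
    make_event("user-1", "dt-shared"),  # same user again: counted once
    make_event("user-2", "dt-shared"),
    make_event("user-3", "dt-shared"),
    make_event("user-4", "dt-pair"),
    make_event("user-5", "dt-pair"),
    make_event("user-6", "dt-direct", is_proxy=False),
    make_event("user-7", "dt-direct", is_proxy=False),
    make_event("user-8", "dt-direct", is_proxy=False),
    make_event("user-9", "dt-shared", event_type="user.session.start"),
    make_event("user-10", None),  # no device token hash recorded
]


def flag_shared_device_tokens(events, min_users=3):
    """Return {dt_hash: sorted actor ids} for each hash seen in proxied user
    authentication events from at least `min_users` distinct actors."""
    users_by_hash = defaultdict(set)
    for ev in events:
        if not str(ev.get("okta.event_type", "")).startswith("user.authentication"):
            continue  # only authentication events, as the rule scopes them
        if not ev.get(IS_PROXY_FIELD):
            continue  # the rule only considers traffic that came via a proxy
        dt_hash, actor = ev.get(DT_HASH_FIELD), ev.get("okta.actor.id")
        if not dt_hash or not actor:
            continue
        users_by_hash[dt_hash].add(actor)
    return {h: sorted(u) for h, u in users_by_hash.items() if len(u) >= min_users}


if __name__ == "__main__":
    print(flag_shared_device_tokens(SAMPLE_EVENTS))
```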
Categories
  • Cloud
  • Identity Management
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1110
  • T1110.003
  • T1110.004
Created: 2023-11-10