
Summary
The OneLogin Multiple Accounts Modified detection rule identifies potentially malicious user account management activity within OneLogin. It triggers when the number of user password changes exceeds a defined threshold; here the threshold is 10 password changes within a 10-minute deduplication period. Such a burst could indicate a denial-of-service (DoS) attack or bulk account clean-up activity, that is, an unauthorized attempt to disrupt access to user accounts. The rule maps to MITRE ATT&CK tactic TA0040 (Impact) and technique T1531 (Account Access Removal), which covers threats that remove or disrupt legitimate users' access to their accounts. When it fires, the rule generates an alert that includes key user attributes (account ID, user name, and user ID) to support investigation of the anomaly.
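The threshold logic described above, as an added example that is not the rule's own code: a sliding-window count of password-change events per actor, run over constructed OneLogin-style log lines, emitting one deduplicated alert per actor per window. The event field names (`event_type`, `account_id`, `actor_user_id`, `actor_user_name`, `user_id`) and the event type value are assumptions, not the vendor schema.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Parameters from the rule description: alert when password changes by one
# actor exceed the threshold within the deduplication window.
THRESHOLD = 10
WINDOW = timedelta(minutes=10)
# Assumed event shape (illustrative field names, not OneLogin's real schema):
# {"timestamp": ISO-8601, "event_type": ..., "account_id": ..., "actor_user_id": ...,
#  "actor_user_name": ..., "user_id": <target user>}
PASSWORD_CHANGE = "user_password_changed"  # assumed event type value


def detect_mass_password_changes(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of password-change events per actor; one alert per window."""
    recent = defaultdict(deque)   # actor_user_id -> deque of (timestamp, target user_id)
    alerted_until = {}            # actor_user_id -> time until which further alerts are deduplicated
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != PASSWORD_CHANGE:
            continue                      # only password changes count toward the threshold
        ts = datetime.fromisoformat(ev["timestamp"])
        actor = ev["actor_user_id"]
        q = recent[actor]
        q.append((ts, ev["user_id"]))
        while ts - q[0][0] > window:      # drop events that fell out of the window
            q.popleft()
        if len(q) > threshold and alerted_until.get(actor, datetime.min) <= ts:
            alerted_until[actor] = ts + window   # deduplicate repeat alerts for this actor
            alerts.append({"account_id": ev["account_id"], "actor_user_name": ev["actor_user_name"],
                           "actor_user_id": actor, "changes_in_window": len(q),
                           "affected_user_ids": sorted({target for _, target in q})})
    return alerts


def sample_lines():
    """Constructed sample log: u-1001 resets 11 users in 11 seconds (should alert);
    u-1002 also makes 11 changes, but 9 of them 30 minutes earlier (should not)."""
    base = datetime(2022, 9, 2, 12, 0, 0)
    def ev(actor, name, target, ts, etype=PASSWORD_CHANGE):
        return json.dumps({"timestamp": ts.isoformat(), "event_type": etype, "account_id": "acct-42",
                           "actor_user_id": actor, "actor_user_name": name, "user_id": target})
    lines = [ev("u-1001", "svc-admin", f"u-2{i:03d}", base + timedelta(seconds=i)) for i in range(11)]
    lines += [ev("u-1002", "alice", f"u-3{i:03d}", base - timedelta(minutes=30, seconds=-i)) for i in range(9)]
    lines += [ev("u-1002", "alice", f"u-3{i:03d}", base + timedelta(seconds=i)) for i in range(9, 11)]
    lines.append(ev("u-1002", "alice", "u-1002", base, etype="user_logged_in"))  # not a password change
    return sorted(lines, key=lambda l: json.loads(l)["timestamp"])
```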
Categories
- Identity Management
Data Sources
- User Account
ATT&CK Techniques
- T1531
Created: 2022-09-02