
Summary
This detection rule identifies suspicious authentication attempts against an Okta tenant, in particular attempts that originate from countries not normally associated with legitimate user access. It works on Okta authentication logs, matching on the event type 'user.session.start', and collects the request time, host, user, action taken, source IP and geographic location of each attempt. The rule requires a predefined allow list of expected countries; without it, it cannot separate benign authentications from expected regions from the attempts worth investigating. The rule is associated with the threat actor 'Scatter Swine', a known group that gains unauthorized access with stolen credentials, which is why user sessions, especially those from unusual geographic regions, should be monitored for anomalies. Deploying this detection strengthens defenses against credential stuffing and unauthorized access and gives organizations early insight into potential identity theft and account compromise.
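The following is an added worked example of the detection logic described above; it is not the rule's own implementation and is not code from the rule author. It assumes Okta System Log field paths (eventType, published, actor.alternateId, client.ipAddress, client.geographicalContext.country, outcome.result), assumes the log forwarder adds a top-level "host" key, and uses a hypothetical allow list of countries. The sample events are constructed JSON Lines, not real data. Events with no geographic context are flagged rather than silently passed, since a missing country cannot be matched against the allow list.

```python
"""Flag Okta user.session.start events from countries outside an allow list."""
import json
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List, Optional

# Hypothetical allow list of countries from which logins are expected.
ALLOWED_COUNTRIES = {"United States", "Canada"}

# Constructed sample Okta System Log events (JSON Lines); the "host" key is
# assumed to be added by the log forwarder. Not real data.
SAMPLE_LOG = """
{"eventType": "user.session.start", "published": "2024-02-09T10:15:00.000Z", "host": "okta-forwarder-1", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10", "geographicalContext": {"country": "United States", "city": "Denver"}}, "outcome": {"result": "SUCCESS"}}
{"eventType": "user.session.start", "published": "2024-02-09T10:16:00.000Z", "host": "okta-forwarder-1", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.7", "geographicalContext": {"country": "Brazil", "city": "Sao Paulo"}}, "outcome": {"result": "FAILURE"}}
{"eventType": "user.session.start", "published": "2024-02-09T10:17:00.000Z", "host": "okta-forwarder-2", "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "192.0.2.55"}, "outcome": {"result": "SUCCESS"}}
{"eventType": "user.authentication.sso", "published": "2024-02-09T10:18:00.000Z", "host": "okta-forwarder-1", "actor": {"alternateId": "dave@example.com"}, "client": {"ipAddress": "198.51.100.9", "geographicalContext": {"country": "Brazil"}}, "outcome": {"result": "SUCCESS"}}
this line is not JSON and must be skipped
"""


@dataclass
class Finding:
    """One flagged session start, carrying the fields the rule collects."""
    time: str
    host: str
    user: str
    action: str
    src_ip: str
    country: Optional[str]   # None when Okta supplied no geographic context
    outcome: str


def _get(event: Dict[str, Any], path: str, default: Any = None) -> Any:
    """Walk a dotted path through nested dicts, returning default if absent."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def parse_events(text: str) -> List[Dict[str, Any]]:
    """Parse JSON Lines into event dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed forwarder output; do not let it abort detection
    return events


def detect_unusual_country_logins(events: Iterable[Dict[str, Any]],
                                  allowed: Iterable[str]) -> List[Finding]:
    """Return session starts whose country is outside the allow list.

    Matching is case-insensitive. Both successful and failed attempts are
    reported, because the outcome is part of the triage, not the filter.
    """
    allowed_norm = {c.casefold() for c in allowed}
    findings: List[Finding] = []
    for ev in events:
        if _get(ev, "eventType") != "user.session.start":
            continue
        country = _get(ev, "client.geographicalContext.country")
        if country is not None and country.casefold() in allowed_norm:
            continue  # benign: expected region
        findings.append(Finding(
            time=_get(ev, "published", "unknown"),
            host=_get(ev, "host", "unknown"),
            user=_get(ev, "actor.alternateId", "unknown"),
            action=_get(ev, "eventType"),
            src_ip=_get(ev, "client.ipAddress", "unknown"),
            country=country,
            outcome=_get(ev, "outcome.result", "unknown"),
        ))
    return findings


if __name__ == "__main__":
    for f in detect_unusual_country_logins(parse_events(SAMPLE_LOG), ALLOWED_COUNTRIES):
        print(f"{f.time} host={f.host} user={f.user} ip={f.src_ip} "
              f"country={f.country or 'UNKNOWN'} outcome={f.outcome}")
```

Run against the sample, the rule flags the failed attempt from Brazil and the session start with no country, and ignores both the allow-listed US login and the SSO event, which is a different event type. In production the allow list should be maintained centrally and findings enriched with the user's historical login countries before alerting.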
Categories
- Cloud
- Identity Management
- Application
Data Sources
- User Account
- Application Log
- Network Traffic
ATT&CK Techniques
- T1078
Created: 2024-02-09