
Summary
This detection rule identifies instances where an Okta user (actor) establishes multiple sessions from different geographical locations within a short timeframe, indicating a potential unauthorized access attempt. Threat actors often exploit lists of valid usernames and passwords to infiltrate accounts, particularly by leveraging known credentials across various geographic locations. The rule employs ESQL to analyze Okta logs, specifically targeting authentication events, while filtering for successful logins that are not conducted through a recognized proxy. The analysis uses metrics such as the count of distinct countries (geo_auth_counts) associated with a user's sessions to highlight potential compromise. A high number of sessions initiated from varying geographical locations can signal an elevated risk of credential theft or account takeover. Investigation steps include tracking user activities, scrutinizing event types, and validating user legitimacy, with the response tailored to the findings, including password resets or account deactivation if malicious behavior is confirmed.
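The following is an added Python illustration of the detection logic described above, run over constructed Okta System Log records; it is not the rule's ESQL query. The field names follow Okta's System Log schema (eventType, outcome.result, client.geographicalContext.country, securityContext.isProxy); the 30-minute window and the two-country threshold are assumptions, since the page does not state the rule's actual values.

```python
"""Sliding-window check for one Okta actor opening sessions from several
countries in a short period. Added illustration, not the ESQL rule itself;
window length, threshold and the sample records are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed "short timeframe"
MIN_COUNTRIES = 2                # assumed threshold on geo_auth_counts

def rec(ts, user, country, result="SUCCESS", proxy=False):
    """Build a constructed Okta System Log record trimmed to the needed fields."""
    return {"published": ts, "eventType": "user.session.start",
            "outcome": {"result": result}, "actor": {"alternateId": user},
            "client": {"geographicalContext": {"country": country}},
            "securityContext": {"isProxy": proxy}}

# Constructed sample data: alice logs in from two countries 12 minutes apart.
SAMPLE_EVENTS = [
    rec("2023-11-18T10:00:00Z", "alice@example.com", "United States"),
    rec("2023-11-18T10:12:00Z", "alice@example.com", "Brazil"),
    rec("2023-11-18T10:15:00Z", "alice@example.com", "Germany", proxy=True),    # proxy: excluded
    rec("2023-11-18T10:20:00Z", "bob@example.com", "France", result="FAILURE"),  # failed: excluded
    rec("2023-11-18T11:30:00Z", "bob@example.com", "Canada"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def relevant(ev):
    """Successful session start that was not routed through a recognised proxy."""
    return (ev.get("eventType") == "user.session.start"
            and ev.get("outcome", {}).get("result") == "SUCCESS"
            and not ev.get("securityContext", {}).get("isProxy", False))

def find_multi_geo_sessions(events, window=WINDOW, min_countries=MIN_COUNTRIES):
    """Return {actor: sorted distinct countries} for every actor whose successful
    logins inside some `window`-long span cover at least `min_countries` countries."""
    per_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["published"]):
        if relevant(ev):
            per_actor[ev["actor"]["alternateId"]].append(
                (_ts(ev["published"]), ev["client"]["geographicalContext"]["country"]))
    hits = {}
    for actor, logins in per_actor.items():
        for i, (t0, _) in enumerate(logins):
            # Distinct countries seen from this login until the window closes.
            countries = {c for t, c in logins[i:] if t - t0 <= window}
            if len(countries) >= min_countries:   # this count is geo_auth_counts
                hits[actor] = sorted(countries)
                break
    return hits
```

Running find_multi_geo_sessions(SAMPLE_EVENTS) flags only alice (United States and Brazil); the proxied German login and bob's failed attempt are filtered out before counting, which mirrors the rule's exclusions.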
Categories
- Identity Management
- Cloud
- Web
Data Sources
- User Account
- Application Log
- Network Traffic
ATT&CK Techniques
- T1078
- T1078.004
Created: 2023-11-18