High Number of Okta User Password Reset or Unlock Attempts

Elastic Detection Rules

Summary
This detection rule is designed to identify a high frequency of password reset or account unlock attempts against Okta user accounts, which may indicate unauthorized access attempts. Such activity often blends in with legitimate behavior in an organization's environment and so evades detection. The threshold for triggering this alert is five attempts from a single actor within a 60-minute window. The rule analyzes specific action events from the Okta platform related to account unlocks or password resets and flags excessive activity as suspicious. Security analysts are given specific investigation steps, including examining the actor's identity, client attributes, and the login attempts that preceded the resets or unlocks. The rule also offers guidance on potential false positives, noting that differences between organizations may require tuning the rule to their operational context. The detection is classified under the MITRE ATT&CK framework, highlighting tactics such as Defense Evasion, Initial Access, and Persistence that adversaries may use when abusing valid accounts.
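The following is an added example, not the Elastic rule's own query or code: it shows the per-actor sliding-window logic the summary describes (five reset or unlock events from one actor inside 60 minutes) run over a handful of constructed Okta System Log style records. The field layout (`published`, `eventType`, `actor.alternateId`, `client.ipAddress`) follows the Okta System Log shape, but the two action names watched here are an assumption, not the rule's exact list, and the sample events are made up. It also goes one step past the summary by collecting the client IPs and action types in the triggering window, which is the "client attributes" context an analyst would want at triage time.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Okta action names treated as reset/unlock events in this example.
# ASSUMPTION: the real rule's action list is not reproduced on the page.
RESET_OR_UNLOCK_ACTIONS = {
    "user.account.reset_password",
    "user.account.unlock",
}
THRESHOLD = 5                    # attempts per actor that trigger an alert
WINDOW = timedelta(minutes=60)   # sliding window, per the summary


def _event(minute, action, actor, ip, outcome="SUCCESS"):
    """Build one CONSTRUCTED Okta System Log style record as a JSON line."""
    ts = datetime(2020, 8, 19, 12, 0, tzinfo=timezone.utc) + timedelta(minutes=minute)
    return json.dumps({
        "published": ts.isoformat(),
        "eventType": action,
        "actor": {"alternateId": actor},
        "client": {"ipAddress": ip},
        "outcome": {"result": outcome},
    })


# Constructed sample log (not real data):
SAMPLE_LOG = [
    # alice: six resets in 40 minutes from one client -> crosses the threshold
    *[_event(m, "user.account.reset_password", "alice@example.com", "203.0.113.10")
      for m in (0, 5, 12, 20, 31, 40)],
    # bob: three unlocks, stays below the threshold
    *[_event(m, "user.account.unlock", "bob@example.com", "198.51.100.20")
      for m in (2, 9, 15)],
    # carol: five unlocks spread over three hours; never five inside 60 minutes
    *[_event(m, "user.account.unlock", "carol@example.com", "198.51.100.7")
      for m in (0, 45, 90, 135, 180)],
    # unrelated event type on alice's account; must be ignored by the filter
    _event(3, "user.session.start", "alice@example.com", "203.0.113.10"),
]


def parse_events(lines):
    """Keep only reset/unlock events and normalise the fields we need, sorted by time."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("eventType") not in RESET_OR_UNLOCK_ACTIONS:
            continue
        events.append({
            "ts": datetime.fromisoformat(rec["published"]),
            "actor": rec["actor"]["alternateId"],
            "action": rec["eventType"],
            "ip": rec.get("client", {}).get("ipAddress"),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding window per actor: one alert per actor, raised the first time the
    number of reset/unlock events within `window` reaches `threshold`."""
    recent = defaultdict(deque)   # actor -> events inside the current window
    alerts = {}
    for e in parse_events(lines):
        q = recent[e["actor"]]
        q.append(e)
        # drop events that fell out of the window relative to the newest one
        while e["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold and e["actor"] not in alerts:
            alerts[e["actor"]] = {
                "actor": e["actor"],
                "count": len(q),
                "window_start": q[0]["ts"],
                "window_end": e["ts"],
                # triage context: which clients and which actions were involved
                "client_ips": sorted({x["ip"] for x in q if x["ip"]}),
                "actions": sorted({x["action"] for x in q}),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['actor']}: {alert['count']} reset/unlock events between "
              f"{alert['window_start']:%H:%M} and {alert['window_end']:%H:%M} "
              f"from {alert['client_ips']}")
```

Only alice is reported: bob never reaches five events, and carol's five events are spread too thinly for any 60-minute window to hold them, which is exactly the case a fixed hourly bucket count can get wrong in either direction. A real pipeline would key on the same actor field the rule uses and would carry the `outcome` through to the alert so that a burst of failed resets can be weighed differently from a burst of successful ones.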
Categories
  • Identity Management
  • Cloud
  • Infrastructure
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1078
Created: 2020-08-19