
Summary
This detection rule identifies more than ten unique user accounts failing to authenticate from a single IP address within a five-minute window in an Okta tenant. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud and is intended to surface brute-force and, in particular, password-spraying attacks, in which an attacker tries a small set of passwords across many accounts from one source so that no single account trips its lockout threshold. One source touching many accounts in quick succession is a strong indicator of an unauthorized access attempt that, if any guess succeeds, can lead to account takeover and exposure of critical resources. The detection is a Splunk search that aggregates authentication failure events from these logs, counts distinct user accounts per source IP in five-minute buckets, and alerts when that count exceeds the threshold. Shared egress addresses (corporate NAT, VPN concentrators, cloud proxies) can produce the same pattern legitimately, so the source IP should be compared against known egress ranges and the affected accounts reviewed before the alert is treated as malicious.
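The detection logic described above, re-implemented as an added example that runs offline over constructed sample events. This is illustrative Python, not the Splunk search the rule ships with; it assumes the Okta System Log field names (eventType, outcome.result, actor.alternateId, client.ipAddress, published) as the add-on ingests them, and the sample events are constructed for this example rather than taken from a real tenant.

```python
"""Detection logic for the rule above, re-implemented in Python to run offline
over constructed sample events. This is an added illustration, not the Splunk
search the rule ships with. Field names (eventType, outcome.result,
actor.alternateId, client.ipAddress, published) follow the Okta System Log
schema; the events themselves are constructed for this example."""

from collections import defaultdict
from datetime import datetime, timezone

UNIQUE_USER_THRESHOLD = 10   # rule fires on MORE than ten distinct accounts
WINDOW_SECONDS = 300         # five-minute buckets, like `span=5m` in SPL


def parse_okta_timestamp(published: str) -> datetime:
    """Okta publishes ISO 8601 UTC timestamps with millisecond precision and a 'Z'."""
    return datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def is_auth_failure(event: dict) -> bool:
    """A failed primary authentication is a user.session.start event with outcome FAILURE."""
    return (event.get("eventType") == "user.session.start"
            and event.get("outcome", {}).get("result") == "FAILURE")


def detect_multi_user_failures(events, threshold=UNIQUE_USER_THRESHOLD, window=WINDOW_SECONDS):
    """Bucket failures by (source IP, fixed time window), count distinct accounts
    per bucket, and return the buckets whose distinct-account count exceeds threshold."""
    accounts_by_bucket = defaultdict(set)
    for ev in events:
        if not is_auth_failure(ev):
            continue
        src = ev.get("client", {}).get("ipAddress")
        user = ev.get("actor", {}).get("alternateId")
        if not (src and user):
            continue
        epoch = int(parse_okta_timestamp(ev["published"]).timestamp())
        bucket_start = epoch - (epoch % window)   # align to the window boundary
        accounts_by_bucket[(src, bucket_start)].add(user)

    findings = []
    for (src, bucket_start), users in accounts_by_bucket.items():
        if len(users) > threshold:
            findings.append({
                "src": src,
                "window_start": datetime.fromtimestamp(bucket_start, timezone.utc).isoformat(),
                "unique_accounts": len(users),
                "users": sorted(users),
            })
    return sorted(findings, key=lambda f: (f["src"], f["window_start"]))


def make_event(user, ip, published, result="FAILURE"):
    """Build a minimal Okta System Log record (constructed sample data)."""
    return {"eventType": "user.session.start", "published": published,
            "outcome": {"result": result},
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip}}


# Constructed sample: a spray of 12 accounts from 203.0.113.7 between 10:00 and 10:03,
# a repeat attempt on an account already counted, one success from the same IP,
# three failures from an unrelated IP, and one failure that lands in the next bucket.
SAMPLE_EVENTS = (
    [make_event(f"user{i:02d}@example.com", "203.0.113.7",
                f"2025-01-21T10:0{i // 3}:{(i * 17) % 60:02d}.000Z") for i in range(12)]
    + [make_event("user00@example.com", "203.0.113.7", "2025-01-21T10:04:10.000Z")]
    + [make_event("admin@example.com", "203.0.113.7", "2025-01-21T10:04:30.000Z", result="SUCCESS")]
    + [make_event(f"staff{i}@example.com", "198.51.100.4", f"2025-01-21T10:01:{i:02d}.000Z")
       for i in range(3)]
    + [make_event("user00@example.com", "203.0.113.7", "2025-01-21T10:06:00.000Z")]
)


if __name__ == "__main__":
    for f in detect_multi_user_failures(SAMPLE_EVENTS):
        print(f"{f['src']} {f['window_start']} unique_accounts={f['unique_accounts']}")
```

Only the 203.0.113.7 bucket starting at 10:00 is reported: the repeated attempt on an already-counted account does not raise the distinct count, the successful login is ignored, the three failures from 198.51.100.4 stay under the threshold, and the 10:06 failure falls into the next window. In the Splunk search the same shape is a five-minute `span` keyed on source IP with a distinct count of users, compared with `> 10` to match the "more than ten" in the summary.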
Categories
- Identity Management
- Cloud
Data Sources
- User Account
ATT&CK Techniques
- T1110
- T1110.003
Created: 2025-01-21