
Potential Okta Brute Force (Multi-Source)

Elastic Detection Rules

Summary
This detection rule identifies potential brute force attacks against a single Okta user account by monitoring failed authentication attempts that originate from multiple unique source IP addresses. The underlying assumption is that the attacker is rotating through proxy servers to obscure their identity and evade IP-based detection such as per-address lockouts. The rule collects failed login events and checks specific conditions, such as the number of unique source IPs, the diversity of geographic origins, and the variety of user agents seen for the targeted account. Users who are traveling or who access their account from several locations can trigger false positives, so careful triage is required. When an alert fires, the investigation typically leads to steps such as resetting the user's password, reviewing the user's access, and potentially blocking the attacking IP addresses to prevent further attempts.
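The following is an added illustration of the aggregation the summary describes, run over a handful of constructed Okta-style events; it is not Elastic's rule logic and the 30-minute window and five-unique-IP threshold are assumptions chosen for the example. It counts only failed authentications, so a legitimately traveling user whose logins succeed from several IPs (the false-positive case above) is not flagged, and it reports the geographic and user-agent spread that a triager would want to see alongside the IP count.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, actor, outcome, ip, country, ua):
    """Build one constructed event, loosely shaped like an Okta System Log entry
    (published, actor, outcome.result, client.ipAddress, geographicalContext.country,
    client.userAgent). All values below are made up for this example."""
    return {"published": ts, "actor": actor, "outcome": outcome,
            "ip": ip, "country": country, "ua": ua}


UA_WIN = "Mozilla/5.0 (Windows NT 10.0)"
UA_MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X)"

# Constructed sample log: alice is hit from six IPs in ten minutes (proxy rotation),
# bob mistypes a password from one IP, carol succeeds from three IPs while traveling,
# dave is probed from five IPs but an hour apart each (outside the assumed window).
SAMPLE_EVENTS = [
    ev("2024-05-01T10:00:00Z", "alice@example.com", "FAILURE", "198.51.100.10", "US", UA_WIN),
    ev("2024-05-01T10:02:00Z", "alice@example.com", "FAILURE", "203.0.113.7", "DE", UA_WIN),
    ev("2024-05-01T10:04:00Z", "alice@example.com", "FAILURE", "192.0.2.55", "BR", UA_MAC),
    ev("2024-05-01T10:06:00Z", "alice@example.com", "FAILURE", "198.51.100.99", "US", UA_WIN),
    ev("2024-05-01T10:08:00Z", "alice@example.com", "FAILURE", "203.0.113.200", "NL", UA_MAC),
    ev("2024-05-01T10:10:00Z", "alice@example.com", "FAILURE", "192.0.2.8", "DE", UA_WIN),
    ev("2024-05-01T12:00:00Z", "alice@example.com", "FAILURE", "192.0.2.9", "DE", UA_WIN),
    ev("2024-05-01T10:01:00Z", "bob@example.com", "FAILURE", "198.51.100.20", "US", UA_MAC),
    ev("2024-05-01T10:01:30Z", "bob@example.com", "FAILURE", "198.51.100.20", "US", UA_MAC),
    ev("2024-05-01T10:02:00Z", "bob@example.com", "FAILURE", "198.51.100.20", "US", UA_MAC),
    ev("2024-05-01T10:02:30Z", "bob@example.com", "SUCCESS", "198.51.100.20", "US", UA_MAC),
    ev("2024-05-01T09:00:00Z", "carol@example.com", "SUCCESS", "198.51.100.30", "US", UA_MAC),
    ev("2024-05-01T09:10:00Z", "carol@example.com", "SUCCESS", "203.0.113.31", "FR", UA_MAC),
    ev("2024-05-01T09:20:00Z", "carol@example.com", "SUCCESS", "192.0.2.32", "JP", UA_MAC),
    ev("2024-05-01T11:00:00Z", "dave@example.com", "FAILURE", "192.0.2.41", "US", UA_WIN),
    ev("2024-05-01T12:00:00Z", "dave@example.com", "FAILURE", "192.0.2.42", "CA", UA_WIN),
    ev("2024-05-01T13:00:00Z", "dave@example.com", "FAILURE", "192.0.2.43", "MX", UA_WIN),
    ev("2024-05-01T14:00:00Z", "dave@example.com", "FAILURE", "192.0.2.44", "GB", UA_WIN),
    ev("2024-05-01T15:00:00Z", "dave@example.com", "FAILURE", "192.0.2.45", "IE", UA_WIN),
]


def detect_multi_source_bruteforce(events, window=timedelta(minutes=30), min_unique_ips=5):
    """Return {actor: details} for every account whose FAILURE events, within some
    sliding window of length `window`, come from at least `min_unique_ips` distinct
    source IPs. The details describe the widest such window found for that account."""
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] != "FAILURE":          # successful logins never count
            continue
        ts = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%SZ")
        failures[e["actor"]].append((ts, e))

    alerts = {}
    for actor, items in failures.items():
        items.sort(key=lambda t: t[0])
        start = 0
        for end in range(len(items)):
            # advance the window start until it spans at most `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            win = [e for _, e in items[start:end + 1]]
            ips = {e["ip"] for e in win}
            if len(ips) < min_unique_ips:
                continue
            details = {
                "unique_ips": len(ips),
                "attempts": len(win),
                "countries": sorted({e["country"] for e in win}),
                "user_agents": len({e["ua"] for e in win}),
                "first_seen": items[start][1]["published"],
                "last_seen": items[end][1]["published"],
            }
            prev = alerts.get(actor)
            if prev is None or details["unique_ips"] > prev["unique_ips"]:
                alerts[actor] = details
    return alerts


if __name__ == "__main__":
    for actor, d in detect_multi_source_bruteforce(SAMPLE_EVENTS).items():
        print(f"{actor}: {d['unique_ips']} IPs, {d['attempts']} failures, "
              f"countries={d['countries']}, user_agents={d['user_agents']}, "
              f"{d['first_seen']} .. {d['last_seen']}")
```

With the defaults only alice is reported (six IPs across four countries and two user agents in ten minutes); widening the window to six hours also surfaces dave, which is the trade-off between catching slow, distributed attempts and raising alert volume that the triage guidance above is meant to absorb.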
Categories
  • Identity Management
Data Sources
  • User Account
  • Network Traffic
  • Cloud Service
  • Application Log
  • Service
ATT&CK Techniques
  • T1110
  • T1110.001
Created: 2026-02-19