
Summary
This detection rule flags multiple failed login attempts against Okta user accounts that originate from a single IP address within a short timeframe. It analyzes Okta logs for user session events whose outcome indicates a failure, then counts, per source IP address, the distinct user accounts that failed to log in, and applies a threshold of five distinct users to flag a potential attack. The rule targets brute force and credential stuffing attempts, but legitimate users who share a public IP address can trigger false positives. The threshold can be adjusted through the provided filter macro to improve precision without weakening the detection.
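The logic described above, as an added Python example that is not part of the original rule or its search: it filters constructed Okta System Log events (field names eventType, outcome.result, client.ipAddress and actor.alternateId follow Okta's documented schema), counts distinct failing users per source IP inside a sliding window, and alerts at the page's threshold of five. The five-minute window, the helper names and the sample data are assumptions, since the page gives no timeframe.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                  # distinct failing users per source IP (from the rule)
WINDOW = timedelta(minutes=5)  # assumed "short timeframe"; the page gives no value

def _evt(ts, user, ip, result="FAILURE", etype="user.session.start"):
    """Build a minimal Okta System Log event using the documented field names."""
    return {"published": ts, "eventType": etype, "outcome": {"result": result},
            "client": {"ipAddress": ip}, "actor": {"alternateId": user}}

# Constructed sample events (not real data): 203.0.113.10 fails five accounts,
# 198.51.100.7 looks like two users behind a shared public IP.
SAMPLE_EVENTS = [
    _evt("2024-11-14T10:00:00.000Z", "alice@example.com", "203.0.113.10"),
    _evt("2024-11-14T10:00:20.000Z", "bob@example.com", "203.0.113.10"),
    _evt("2024-11-14T10:00:41.000Z", "carol@example.com", "203.0.113.10"),
    _evt("2024-11-14T10:01:05.000Z", "dave@example.com", "203.0.113.10"),
    _evt("2024-11-14T10:01:30.000Z", "erin@example.com", "203.0.113.10"),
    _evt("2024-11-14T10:01:50.000Z", "alice@example.com", "203.0.113.10"),  # repeat user
    _evt("2024-11-14T10:02:10.000Z", "frank@example.com", "203.0.113.10", result="SUCCESS"),
    _evt("2024-11-14T10:03:00.000Z", "grace@example.com", "198.51.100.7"),
    _evt("2024-11-14T10:03:30.000Z", "heidi@example.com", "198.51.100.7"),
]

def is_failed_session_start(evt):
    """The rule's event filter: session-start events whose outcome is a failure."""
    return (evt.get("eventType") == "user.session.start"
            and evt.get("outcome", {}).get("result") == "FAILURE")

def detect(events, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: sorted users} for IPs where >= threshold distinct accounts failed inside one window."""
    by_ip = defaultdict(list)
    for e in events:
        if not is_failed_session_start(e):
            continue
        ts = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        by_ip[e["client"]["ipAddress"]].append((ts, e["actor"]["alternateId"]))
    alerts = {}
    for ip, hits in by_ip.items():
        hits.sort()                      # time order, then slide a window over the failures
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            users = {u for _, u in hits[start:end + 1]}
            if len(users) >= threshold and len(users) > len(alerts.get(ip, ())):
                alerts[ip] = sorted(users)   # keep the largest qualifying set seen
    return alerts
```

Calling detect(SAMPLE_EVENTS) alerts only on 203.0.113.10; the threshold and window parameters play the role of the filter macro, so lowering threshold to 2 also flags the shared-IP source and illustrates the false-positive trade-off.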
Categories
- Identity Management
- Cloud
- Web
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1110
- T1110.003
- T1078
- T1078.001
Created: 2024-11-14