
Summary
This rule detects potential credential stuffing or password spraying attacks against Okta user accounts by monitoring for a surge of authentication failures from multiple users originating from the same client IP address. It queries logs generated by Okta, filtering for invalid-credential attempts that occur excessively from a single source. The rule counts the distinct user IDs attempting to authenticate from the same IP over a defined period and flags any client IP from which more than five distinct users fail to authenticate. Such activity may indicate an adversary using a list of stolen usernames or common passwords against multiple accounts. The rule includes detailed triage and investigation guidance: steps to establish whether the user actions are legitimate, the technology used (including devices and proxies), and the outcomes of the authentication attempts. False positives can arise from shared or public access points such as conference computers or kiosks, so the rule also provides remediation guidance that emphasises verifying user activity and, depending on whether the activity is legitimate, applying additional security measures such as password resets and multi-factor authentication (MFA) adjustments. The rule requires the Okta Fleet integration and specific structured data to operate effectively, and an environment running the Elastic stack v8.15.0 or later.
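To make the counting logic concrete, the following is an added example that models the detection over a constructed set of Okta-style login events. It is not the rule's own query and not Elastic or Okta code; the field names (`event_type`, `outcome_result`, `outcome_reason`, `client_ip`, `user`), the 30-minute window and the sample IPs and users are all assumptions made for the example. The threshold (more than five distinct users) is taken from the description above.

```python
"""Model of the detection logic: distinct users failing from one client IP.

Constructed example. Field names mimic an Okta System Log entry after
ingestion, but are assumptions, not the rule's actual query.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Threshold from the rule description: flag when MORE than five distinct users fail.
DISTINCT_USER_THRESHOLD = 5
# The page only says "a defined period"; 30 minutes is an assumed window.
WINDOW = timedelta(minutes=30)


def is_failed_login(event: dict) -> bool:
    """True for an Okta authentication event that failed with bad credentials."""
    return (
        event.get("event_type") == "user.session.start"
        and event.get("outcome_result") == "FAILURE"
        and event.get("outcome_reason") == "INVALID_CREDENTIALS"
    )


def find_spraying_sources(events, threshold=DISTINCT_USER_THRESHOLD, window=WINDOW):
    """Return {client_ip: sorted distinct users} for IPs exceeding the threshold.

    Failed logins are grouped per source IP; within each group a sliding time
    window counts DISTINCT user IDs, so one user retrying many times counts
    once, and successful logins never count at all.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_failed_login(ev):
            by_ip[ev["client_ip"]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside the window.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) > threshold:
                flagged[ip] = sorted(users)
                break
    return flagged


BASE = datetime(2024, 6, 17, 12, 0, tzinfo=timezone.utc)


def make_event(minute, client_ip, user, result="FAILURE", reason="INVALID_CREDENTIALS"):
    """Build one constructed Okta-style login event `minute` minutes after BASE."""
    return {
        "ts": BASE + timedelta(minutes=minute),
        "event_type": "user.session.start",
        "client_ip": client_ip,
        "user": user,
        "outcome_result": result,
        "outcome_reason": reason,
    }


# Constructed sample log using documentation IP ranges; not real Okta data.
SAMPLE_EVENTS = (
    # Spray-like burst: six different users fail from one IP within 10 minutes.
    [make_event(i, "203.0.113.10", f"user{i}@example.com") for i in range(6)]
    # The same IP also has one success; successes never count toward the threshold.
    + [make_event(7, "203.0.113.10", "user0@example.com", "SUCCESS", None)]
    # Exactly five distinct users: at the threshold, not over it.
    + [make_event(i, "198.51.100.7", f"acct{i}@example.com") for i in range(5)]
    # One user mistyping their own password: many failures, one distinct user.
    + [make_event(i, "192.0.2.5", "alice@example.com") for i in range(8)]
    # Six users from one IP but 40 minutes apart: never six inside one window.
    + [make_event(40 * i, "192.0.2.9", f"slow{i}@example.com") for i in range(6)]
)


def run_example():
    """Run the detection over the constructed sample; only 203.0.113.10 should fire."""
    return find_spraying_sources(SAMPLE_EVENTS)


if __name__ == "__main__":
    for ip, users in run_example().items():
        print(f"{ip}: {len(users)} distinct users failed with invalid credentials -> {users}")
```

Only the first IP is reported: the kiosk-style case (five users) sits at the threshold rather than over it, the single locked-out user is one distinct ID however many times they retry, and the slow source never accumulates six users inside one window. The window length and the per-IP grouping are the two knobs a tuner would adjust to trade false positives from shared access points against missed low-and-slow spraying.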
Categories
- Identity Management
- Cloud
- Web
Data Sources
- User Account
- Application Log
- Network Traffic
ATT&CK Techniques
- T1110
- T1110.003
- T1110.004
Created: 2024-06-17