
Okta multiple invalid credentials from same IP

Anvilogic Forge

Summary
This detection rule identifies multiple failed login attempts with invalid credentials from the same IP address within a two-hour window. That pattern is characteristic of credential stuffing or brute-force attempts against user accounts in the Okta identity management system. The rule queries Okta's authentication logs for events whose outcome is 'INVALID_CREDENTIALS', excluding password-reset events, and filters on the event timestamp so that only attempts falling inside the window are counted; a large number of such attempts from one IP within that window indicates likely malicious intent. Given the association with the known threat actors LUCR-3 and Scattered Spider (also known as 0ktapus and UNC3944), detecting this pattern is critical for preventing unauthorized access and safeguarding user accounts from credential-based attacks.
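The logic described in the summary, as an added worked example (not the Forge rule's own query): it groups INVALID_CREDENTIALS events by source IP, drops password-reset events, and counts failures inside a sliding two-hour window. The Okta System Log field names (published, eventType, outcome.reason, client.ipAddress, actor.alternateId), the sample events and the threshold of 3 are assumptions; the rule text only says "numerous".

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)  # the two-hour window stated in the rule summary
THRESHOLD = 3                # assumed: the summary only says "numerous" attempts
def ev(ts, ip, user, event_type="user.session.start"):
    """Build a constructed Okta System Log-style event (field names assumed)."""
    return {"published": ts, "eventType": event_type,
            "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
            "client": {"ipAddress": ip}, "actor": {"alternateId": user}}

SAMPLE_EVENTS = (
    # five failures in 40 minutes from one IP, each against a different user
    [ev(f"2024-02-09T10:{m:02d}:00.000Z", "198.51.100.7", f"user{m}@example.com")
     for m in range(0, 50, 10)]
    # a failed password reset from a second IP: excluded by the rule
    + [ev("2024-02-09T10:05:00.000Z", "203.0.113.9", "b@example.com",
          "user.account.reset_password")]
    # two ordinary failures from that IP: under the threshold once the reset is excluded
    + [ev("2024-02-09T10:30:00.000Z", "203.0.113.9", "b@example.com"),
       ev("2024-02-09T11:00:00.000Z", "203.0.113.9", "b@example.com")]
)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def is_candidate(event):
    """INVALID_CREDENTIALS outcomes, minus anything from a password-reset flow."""
    return (event.get("outcome", {}).get("reason") == "INVALID_CREDENTIALS"
            and "reset_password" not in event.get("eventType", ""))

def find_suspicious_ips(events, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: peak_count} for source IPs whose candidate failures reach
    `threshold` inside some sliding window of length `window`."""
    by_ip = defaultdict(list)
    for event in events:
        if is_candidate(event):
            by_ip[event["client"]["ipAddress"]].append(parse_ts(event["published"]))
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # drop events older than the window
                start += 1
            count = end - start + 1
            if count >= threshold and count > hits.get(ip, 0):
                hits[ip] = count
    return hits
```

Running `find_suspicious_ips(SAMPLE_EVENTS)` flags only 198.51.100.7 with a peak of 5; the second IP stays under threshold because its reset event is excluded.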
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1078
Created: 2024-02-09