
Okta MFA Exhaustion Hunt

Splunk Security Content

Summary
The 'Okta MFA Exhaustion Hunt' analytic detects patterns consistent with MFA exhaustion (push fatigue) attacks against Okta accounts. It reads Okta event logs for MFA push notifications, counting both the pushes sent and the successful and failed authentication attempts that follow them. The core of the detection is a search that aggregates these counts by user and time and then compares the number of successes and failures with the number of pushes sent. The pattern of interest is a user who receives an unusual volume of pushes in a short span and either rejects or ignores all of them, or approves one only after repeated rejections: an attacker who already holds valid credentials can keep generating pushes until the victim approves one out of fatigue or by mistake, and a single approval is enough to bypass MFA and take over the account. Users flagged by this hunt should be investigated further rather than treated as confirmed compromises, since a legitimate user repeatedly failing a prompt produces a similar count profile.
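The count-and-compare logic described above, as an added example that is not Splunk's detection search or Okta's code, written in Python so it runs offline over constructed events: it buckets pushes, successes and failures per user and ten-minute window, then flags buckets where many pushes ended in no approval, or in an approval only after denials. The eventType strings, the window size, the push threshold and the sample events are all assumptions chosen for illustration; the real search and the field names in your tenant may differ.

```python
"""Added example (not Splunk's or Okta's code): the counting logic behind an
MFA exhaustion hunt, run over constructed Okta-style log events.

Assumptions, for illustration only: the two eventType strings, the 10-minute
bucket, the push threshold of 5, and every sample event below.
"""
from collections import defaultdict
from datetime import datetime, timezone

PUSH_SENT = "system.push.send_factor_verify_push"  # assumed: a push was sent to the user
MFA_ATTEMPT = "user.authentication.auth_via_mfa"   # assumed: user answered; outcome.result says how
WINDOW_SECONDS = 600                                # assumed bucket size
PUSH_THRESHOLD = 5                                  # assumed minimum pushes per bucket to examine


def _epoch(iso):
    """ISO-8601 'Z' timestamp to integer epoch seconds."""
    return int(datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp())


def aggregate(events, window=WINDOW_SECONDS):
    """Count pushes / successes / failures per (user, time bucket).

    This is the 'count by user and time' step: each event lands in a fixed-size
    bucket keyed by its user and floor(epoch / window). Other event types are ignored.
    """
    buckets = defaultdict(lambda: {"pushes": 0, "successes": 0, "failures": 0, "first": None, "last": None})
    for ev in events:
        etype = ev["eventType"]
        if etype not in (PUSH_SENT, MFA_ATTEMPT):
            continue
        t = _epoch(ev["published"])
        b = buckets[(ev["actor"]["alternateId"], t // window * window)]
        if etype == PUSH_SENT:
            b["pushes"] += 1
        elif ev["outcome"]["result"] == "SUCCESS":
            b["successes"] += 1
        else:
            b["failures"] += 1
        b["first"] = t if b["first"] is None else min(b["first"], t)
        b["last"] = t if b["last"] is None else max(b["last"], t)
    return buckets


def flag_exhaustion(buckets, push_threshold=PUSH_THRESHOLD):
    """Rate successes and failures against pushes sent and emit findings.

    Once a bucket holds at least push_threshold pushes, two patterns are flagged:
      flood_no_success   - every push was denied or ignored (attack in progress)
      flood_then_success - denials followed by an approval (the user gave in)
    Many pushes with only successes and no denials is left alone here: it looks
    like a busy but normal session and needs a different rule.
    """
    findings = []
    for (user, start), b in sorted(buckets.items()):
        if b["pushes"] < push_threshold:
            continue
        if b["successes"] == 0:
            verdict = "flood_no_success"
        elif b["failures"] > 0:
            verdict = "flood_then_success"
        else:
            continue
        findings.append({
            "user": user,
            "window_start": datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "pushes": b["pushes"],
            "successes": b["successes"],
            "failures": b["failures"],
            "failure_ratio": round(b["failures"] / b["pushes"], 2),
            "span_seconds": b["last"] - b["first"],
            "verdict": verdict,
        })
    return findings


# Constructed sample data: the kinds below map to the assumed event types above.
_KIND = {"push": (PUSH_SENT, None), "ok": (MFA_ATTEMPT, "SUCCESS"),
         "fail": (MFA_ATTEMPT, "FAILURE"), "other": ("user.session.start", None)}


def _ev(hms, user, kind):
    """Build one minimal Okta-style event record for 2025-01-21 (constructed)."""
    etype, result = _KIND[kind]
    rec = {"published": f"2025-01-21T{hms}Z", "actor": {"alternateId": f"{user}@example.com"}, "eventType": etype}
    if result:
        rec["outcome"] = {"result": result}
    return rec


# alice: pushed six times, denies five, then approves. carol: pushed seven times,
# never approves. bob: two ordinary logins plus an unrelated event.
SAMPLE_EVENTS = [_ev(*row) for row in [
    ("10:00:30", "bob", "push"), ("10:00:40", "bob", "ok"), ("10:00:41", "bob", "other"),
    ("10:05:00", "bob", "push"), ("10:05:05", "bob", "ok"),
    ("10:01:00", "alice", "push"), ("10:01:05", "alice", "fail"),
    ("10:01:30", "alice", "push"), ("10:01:40", "alice", "fail"),
    ("10:02:00", "alice", "push"), ("10:02:10", "alice", "fail"),
    ("10:02:30", "alice", "push"), ("10:02:45", "alice", "fail"),
    ("10:03:00", "alice", "push"), ("10:03:10", "alice", "fail"),
    ("10:03:30", "alice", "push"), ("10:03:50", "alice", "ok"),
    ("10:20:00", "carol", "push"), ("10:20:30", "carol", "push"),
    ("10:21:00", "carol", "push"), ("10:21:10", "carol", "fail"),
    ("10:22:00", "carol", "push"), ("10:22:10", "carol", "fail"),
    ("10:23:00", "carol", "push"), ("10:24:00", "carol", "push"),
    ("10:24:05", "carol", "fail"), ("10:25:00", "carol", "push"),
]]


def run_example():
    """Run the hunt over the constructed sample and return the findings."""
    return flag_exhaustion(aggregate(SAMPLE_EVENTS))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Running it reports alice (six pushes, five failures, one success in 170 seconds) and carol (seven pushes, three failures, no success); bob is never examined because two pushes are below the threshold. The two verdicts deserve different handling: flood_then_success means the account is likely already in the attacker's hands and the session should be revoked first and questions asked later, while flood_no_success is still a live credential-stuffing or push-spam attempt and argues for a password reset and a look at the source IPs behind the pushes. The threshold and window are the knobs to tune against your tenant's normal push volume.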
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • Pod
ATT&CK Techniques
  • T1110
  • T1621
Created: 2025-01-21