
Summary
This detection rule targets attempts to bypass Multi-Factor Authentication (MFA) in Okta, a widely used identity management service. Specifically, it monitors Okta System Log events of type 'user.mfa.attempt_bypass' within the last two hours, helping organizations identify potentially malicious actors trying to disable or bypass the added layer of security that MFA provides. The rule plays a crucial role in defending against credential compromise, particularly from threat actor groups such as LUCR-3 and Scattered Spider, which have been linked to various authentication-related attacks. By aggregating relevant authentication and application log data, the rule facilitates real-time detection of suspicious activity associated with MFA bypass attempts.
Categories
- Identity Management
- Cloud
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1098
- T1550
Created: 2024-02-09
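The following is an added illustration of the detection logic described in the Summary, not the rule's own search or the vendor's code: it filters Okta System Log records for the 'user.mfa.attempt_bypass' event type inside a two-hour window and groups the hits per user. The log lines, users, IP addresses and the fixed reference time are constructed for the example; field names follow the Okta System Log schema.

```python
import json
from datetime import datetime, timedelta, timezone

WATCHED_EVENT = "user.mfa.attempt_bypass"   # Okta System Log eventType the rule keys on
WINDOW = timedelta(hours=2)                  # rule looks back two hours
# Fixed "now" so the example is repeatable (constructed; a real job would use the current time).
REFERENCE_NOW = datetime(2024, 2, 9, 13, 0, tzinfo=timezone.utc)

# Constructed Okta System Log records: users, IPs and timestamps are made up.
# One deliberately malformed line shows that bad input is skipped, not fatal.
SAMPLE_LOG = """
{"eventType": "user.mfa.attempt_bypass", "published": "2024-02-09T11:05:00.000Z", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "FAILURE"}}
{"eventType": "user.session.start", "published": "2024-02-09T11:06:00.000Z", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}}
{"eventType": "user.mfa.attempt_bypass", "published": "2024-02-09T11:40:00.000Z", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "FAILURE"}}
{"eventType": "user.mfa.attempt_bypass", "published": "2024-02-09T06:00:00.000Z", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "FAILURE"}}
this line is not JSON and must be ignored
{"eventType": "user.mfa.attempt_bypass", "published": "2024-02-09T12:30:00.000Z", "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "198.51.100.9"}, "outcome": {"result": "SUCCESS"}}
"""

def parse_events(raw):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def published_at(event):
    # Okta timestamps are ISO 8601 with a trailing 'Z'; normalise to an aware UTC datetime.
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

def detect_mfa_bypass(events, now=REFERENCE_NOW):
    """Return {user: [(timestamp, source_ip, outcome), ...]} for watched events inside the window."""
    cutoff = now - WINDOW
    hits = {}
    for ev in events:
        if ev.get("eventType") != WATCHED_EVENT:
            continue
        ts = published_at(ev)
        if ts < cutoff or ts > now:       # outside the two-hour look-back
            continue
        user = ev.get("actor", {}).get("alternateId", "<unknown>")
        hits.setdefault(user, []).append(
            (ts, ev.get("client", {}).get("ipAddress"), ev.get("outcome", {}).get("result")))
    return hits

if __name__ == "__main__":
    for user, attempts in detect_mfa_bypass(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: {len(attempts)} bypass attempt(s), latest {max(a[0] for a in attempts).isoformat()}")
```

With the constructed input, alice (two attempts) and carol (one, reported as SUCCESS) are flagged; bob's attempt falls outside the window and the session-start event is ignored.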