Okta: User Password Reset

Anvilogic Forge

Summary
This detection rule identifies user password resets in Okta logs. It targets events logged by the Okta API whose event type is 'user.account.reset_password', which indicates that a user's password has been successfully reset. The rule queries Okta logs for any password reset events that occurred within the last two hours. The threat actor associated with this activity is Scattered Spider, also known as 0ktapus or UNC3944, which has been linked to numerous cyber attacks involving account takeovers and credential harvesting across a range of organizations. By monitoring these password reset events, organizations can potentially detect unauthorized access attempts or malicious actions aimed at compromising user accounts.
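The following is an added, stand-alone illustration of the rule's logic (not Anvilogic's own implementation): it reads Okta System Log records as JSON lines, keeps only 'user.account.reset_password' events published within the trailing two-hour window, and returns the actor, target user and source IP an analyst would want for triage. The sample records, the SAMPLE_LOG/NOW names and the actor_is_target enrichment field are assumptions made for this example.

```python
import json
from datetime import datetime, timedelta, timezone

RESET_EVENT = "user.account.reset_password"

# Constructed sample Okta System Log records (JSON lines), trimmed to the fields
# the rule needs; not captured from a real tenant.
SAMPLE_LOG = """
{"eventType": "user.account.reset_password", "published": "2024-02-09T10:15:00.000Z", "outcome": {"result": "SUCCESS"}, "actor": {"type": "User", "alternateId": "helpdesk@example.com"}, "target": [{"type": "User", "alternateId": "alice@example.com"}], "client": {"ipAddress": "203.0.113.10"}}
{"eventType": "user.session.start", "published": "2024-02-09T10:20:00.000Z", "outcome": {"result": "SUCCESS"}, "actor": {"type": "User", "alternateId": "alice@example.com"}, "target": [], "client": {"ipAddress": "198.51.100.7"}}
{"eventType": "user.account.reset_password", "published": "2024-02-09T06:00:00.000Z", "outcome": {"result": "SUCCESS"}, "actor": {"type": "User", "alternateId": "helpdesk@example.com"}, "target": [{"type": "User", "alternateId": "bob@example.com"}], "client": {"ipAddress": "203.0.113.10"}}
"""

# Assumed evaluation time for the sample; a scheduled search would use the current time.
NOW = datetime(2024, 2, 9, 11, 0, tzinfo=timezone.utc)


def parse_published(ts: str) -> datetime:
    # Okta publishes UTC timestamps ending in 'Z'; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_password_resets(log_text: str, now: datetime, window: timedelta = timedelta(hours=2)) -> list:
    """Return reset events whose 'published' time falls within [now - window, now]."""
    hits = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("eventType") != RESET_EVENT:
            continue
        published = parse_published(event["published"])
        if not (now - window <= published <= now):
            continue  # outside the rule's two-hour lookback
        actor = event.get("actor", {}).get("alternateId")
        targets = [t.get("alternateId") for t in event.get("target", []) if t.get("type") == "User"]
        hits.append({
            "published": published.isoformat(),
            "actor": actor,
            "targets": targets,
            "source_ip": event.get("client", {}).get("ipAddress"),
            "outcome": event.get("outcome", {}).get("result"),
            # Assumed triage enrichment: a reset performed by someone other than the
            # account owner (e.g. help desk) is worth a closer look than self-service.
            "actor_is_target": actor in targets,
        })
    return hits


def run_sample() -> list:
    """Apply the rule to the constructed sample at the assumed evaluation time."""
    return find_password_resets(SAMPLE_LOG, NOW)


if __name__ == "__main__":
    for hit in run_sample():
        print(json.dumps(hit))
```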
Categories
  • Cloud
  • Application
  • Identity Management
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1078
Created: 2024-02-09