Okta ThreatInsight Threat Suspected Promotion

Elastic Detection Rules

Summary
The Okta ThreatInsight Threat Suspected Promotion rule detects potential credential-access threats within Okta's authentication and authorization workflows. It relies on the `threat_suspected` attribute in Okta's system logs: when that field is set to `true`, Okta has flagged the event as a likely attack such as password spraying, brute forcing, or a replay attack, and the rule raises an alert. The rule is a KQL (Kibana Query Language) query over the Okta system event dataset that matches records where the action indicates a detected security threat or where the `threat_suspected` flag is true. It also maps the risk level Okta reports in the log to the alert's severity, so alerts are handled as low, medium, or high according to that reported risk level.
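As an added example (not Elastic's or Okta's own code), the following Python applies the logic described above to constructed Okta system-log events: it reproduces the filter (threat-detected action or `threat_suspected` true) and maps the reported risk level to an alert severity. The ECS-style field paths and the fallback severity are assumptions about how the logs are indexed.

```python
from typing import Optional

# Assumed mapping from Okta's reported risk level to alert severity.
SEVERITY_BY_RISK = {"LOW": "low", "MEDIUM": "medium", "HIGH": "high"}
FALLBACK_SEVERITY = "low"  # assumption: used when risk_level is missing/unknown


def _debug_data(event: dict) -> dict:
    # Assumed field path; Okta's debugData block as indexed by the integration.
    return event.get("okta", {}).get("debug_context", {}).get("debug_data", {})


def threat_suspected(event: dict) -> bool:
    """Mirror the rule's filter: okta.system events whose action reports a
    detected threat, or whose threat_suspected flag is true (the raw log may
    carry the flag as the string "true" or as a boolean, so normalise it)."""
    if event.get("event", {}).get("dataset") != "okta.system":
        return False
    action = event.get("event", {}).get("action")
    flag = str(_debug_data(event).get("threat_suspected", "")).lower() == "true"
    return action == "security.threat.detected" or flag


def alert_severity(event: dict) -> Optional[str]:
    """Return the severity derived from Okta's risk_level, or None if the
    event does not match the rule at all."""
    if not threat_suspected(event):
        return None
    risk = str(_debug_data(event).get("risk_level", "")).upper()
    return SEVERITY_BY_RISK.get(risk, FALLBACK_SEVERITY)


def triage(events: list) -> list:
    """Evaluate a batch of events; returns (action, severity-or-None) pairs."""
    return [(e.get("event", {}).get("action"), alert_severity(e)) for e in events]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"event": {"dataset": "okta.system", "action": "user.session.start"},
     "okta": {"debug_context": {"debug_data": {"threat_suspected": "true", "risk_level": "HIGH"}}}},
    {"event": {"dataset": "okta.system", "action": "security.threat.detected"},
     "okta": {"debug_context": {"debug_data": {"threat_suspected": False, "risk_level": "medium"}}}},
    {"event": {"dataset": "okta.system", "action": "user.authentication.sso"},
     "okta": {"debug_context": {"debug_data": {"threat_suspected": False, "risk_level": "LOW"}}}},
    {"event": {"dataset": "aws.cloudtrail", "action": "security.threat.detected"}},
]

if __name__ == "__main__":
    for action, severity in triage(SAMPLE_EVENTS):
        print(f"{action:32} -> {severity}")
```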
Categories
  • Identity Management
  • Cloud
  • Endpoint
  • Other
Data Sources
  • User Account
  • Application Log
Created: 2020-05-21