from logs-okta*
| where
event.dataset == "okta.system" and
(event.action == "user.session.start" or event.action rlike "user\.authentication(.*)") and
okta.outcome.reason == "INVALID_CREDENTIALS"
| keep
okta.client.ip,
okta.actor.alternate_id,
okta.actor.id,
event.action,
okta.outcome.reason
| stats
Esql.okta_actor_id_count_distinct = count_distinct(okta.actor.id)
by
okta.client.ip,
okta.actor.alternate_id
| where
Esql.okta_actor_id_count_distinct > 5
| sort
Esql.okta_actor_id_count_distinct desc
Install detection rules in Elastic Security
Detect Multiple Okta User Authentication Events with Client Address in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).