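With all the MFA bombing and lazy swiping going on, you may need to look for this kind of abuse in your own environment.
Twilio, Cloudflare, and Cisco were all hit recently with 2FA/MFA attacks and valid stolen credentials.
The Splunk search below goes through Okta logs for sessions where more than three Okta Verify pushes were sent in under 300 seconds, and labels each session with a finding.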
index=okta sourcetype=OktaIM2:log eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH))
| stats count(eval(legacyEventType="core.user.factor.attempt_success")) as successes count(eval(legacyEventType="core.user.factor.attempt_fail")) as failures count(eval(eventType="system.push.send_factor_verify_push")) as pushes by authenticationContext.externalSessionId, user, _time
| stats latest(_time) as lasttime earliest(_time) as firsttime sum(successes) as successes sum(failures) as failures sum(pushes) as pushes by authenticationContext.externalSessionId, user
| eval seconds=lasttime-firsttime
| eval lasttime=strftime(lasttime, "%c")
| search (pushes > 3)
| eval totalattempts=successes+failures
| eval finding="Normal authentication pattern"
| eval finding=if(failures==pushes AND pushes>1, "Authentication attempts not successful because multiple pushes denied", finding)
| eval finding=if(totalattempts==0, "Multiple pushes sent and ignored", finding)
| eval finding=if(successes > 0 AND pushes > 3, "Multiple pushes sent, potential abuse detected", finding)
| where seconds < 300
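
To tune the thresholds or unit test the labels outside Splunk, the same counting and labelling can be replayed over a handful of events. This Python sketch is an added example, not part of the original search; the flattened event keys (session, user, time, factor) and the helper names are assumptions made for illustration, and the sample events are constructed.

```python
from collections import defaultdict

PUSH = "system.push.send_factor_verify_push"
SUCCESS, FAIL = "core.user.factor.attempt_success", "core.user.factor.attempt_fail"

def classify(events, min_pushes=3, window=300):
    """Mirror the search: count per (session, user), filter, then label."""
    groups = defaultdict(lambda: {"pushes": 0, "successes": 0, "failures": 0, "times": []})
    for e in events:
        verify = e.get("factor") == "OKTA_VERIFY_PUSH"
        counts = {"pushes": e.get("eventType") == PUSH,
                  "successes": verify and e.get("legacyEventType") == SUCCESS,
                  "failures": verify and e.get("legacyEventType") == FAIL}
        if not any(counts.values()):
            continue  # event would not match the base search
        g = groups[(e["session"], e["user"])]
        for name, hit in counts.items():
            g[name] += int(hit)
        g["times"].append(e["time"])
    findings = {}
    for key, g in groups.items():
        seconds = max(g["times"]) - min(g["times"])
        if g["pushes"] <= min_pushes or seconds >= window:
            continue  # `search (pushes > 3)` and `where seconds < 300`
        finding = "Normal authentication pattern"
        # Later checks overwrite earlier ones, as the chained evals do.
        if g["failures"] == g["pushes"] and g["pushes"] > 1:
            finding = "Authentication attempts not successful because multiple pushes denied"
        if g["successes"] + g["failures"] == 0:
            finding = "Multiple pushes sent and ignored"
        if g["successes"] > 0 and g["pushes"] > 3:
            finding = "Multiple pushes sent, potential abuse detected"
        findings[key] = finding
    return findings

def pushes(session, user, times):
    return [{"session": session, "user": user, "time": t, "eventType": PUSH} for t in times]

def answers(session, user, times, legacy):
    return [{"session": session, "user": user, "time": t, "legacyEventType": legacy,
             "factor": "OKTA_VERIFY_PUSH"} for t in times]

# Constructed sample events with flattened, hypothetical keys; not real Okta data.
SAMPLE = (pushes("s1", "alice", [0, 15, 30, 45, 60]) + answers("s1", "alice", [70], SUCCESS)
          + pushes("s2", "bob", [0, 30, 60, 90]) + answers("s2", "bob", [10, 40, 70, 100], FAIL)
          + pushes("s3", "carol", [0, 10, 20, 40])
          + pushes("s4", "dave", [0]) + answers("s4", "dave", [5], SUCCESS)
          + pushes("s5", "erin", [0, 200, 400, 600, 900]) + answers("s5", "erin", [910], SUCCESS))
if __name__ == "__main__":
    print(*sorted(classify(SAMPLE).items()), sep="\n")
```

In the sample, dave's single push and erin's pushes spread over 910 seconds drop out at the two filters, so only three sessions get a finding.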