PingID Multiple Failed MFA Requests For User

Splunk Security Content

Summary
This detection rule targets scenarios in a PingID environment where multiple failed multi-factor authentication (MFA) requests originate from a single user. Specifically, it triggers when 10 or more failed MFA attempts for the same user occur within a 10-minute window, based on JSON logs from PingID. The rule is aimed at identifying potentially malicious activity, such as an adversary attempting to bypass MFA protections by bombarding the user with repeated requests in the hope that the user inadvertently approves one. This behavior can indicate a compromised user account, leading to unauthorized access and putting the wider network at risk. False positives may arise from legitimate provisioning processes for user device registrations. The implementation requires that JSON logging from the PingID system is set up correctly, either through a Webhook or a Push Subscription.
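The following is an added illustration of the detection logic described above, written here as Python over constructed sample events; it is not Splunk's rule and not the PingID schema. The field names (`user`, `result`, `timestamp`) and values are assumptions for the example and must be mapped to the actual fields your Webhook or Push Subscription logs contain.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. The field names and values are assumptions for
# this illustration, NOT the real PingID JSON schema; check them against the
# Webhook / Push Subscription output you actually ingest.
def make_events():
    base = datetime(2025, 1, 21, 9, 0, 0)
    lines = []
    # alice: 11 failures within 5 minutes -> should trigger (>= 10 in 10 min)
    for i in range(11):
        lines.append(json.dumps({"user": "alice", "result": "FAILURE",
                                 "timestamp": (base + timedelta(seconds=30 * i)).isoformat()}))
    # bob: 9 failures spread over 20 minutes -> never 10 inside one window
    for i in range(9):
        lines.append(json.dumps({"user": "bob", "result": "FAILURE",
                                 "timestamp": (base + timedelta(minutes=2.5 * i)).isoformat()}))
    # carol: many successes -> successes are ignored, never triggers
    for i in range(12):
        lines.append(json.dumps({"user": "carol", "result": "SUCCESS",
                                 "timestamp": (base + timedelta(seconds=10 * i)).isoformat()}))
    return lines

def detect_failed_mfa_bursts(lines, threshold=10, window=timedelta(minutes=10)):
    """Return {user: (first_ts, last_ts, count)} for each user whose failed MFA
    attempts reach `threshold` inside a sliding `window` (first hit only)."""
    failures = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev.get("result") != "FAILURE":   # only failed MFA requests count
            continue
        failures[ev["user"]].append(datetime.fromisoformat(ev["timestamp"]))
    alerts = {}
    for user, stamps in failures.items():
        stamps.sort()
        recent = deque()                    # failures inside the current window
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:  # drop failures older than the window
                recent.popleft()
            if len(recent) >= threshold and user not in alerts:
                alerts[user] = (recent[0], ts, len(recent))
    return alerts

if __name__ == "__main__":
    for user, (first, last, n) in detect_failed_mfa_bursts(make_events()).items():
        print(f"{user}: {n} failed MFA requests between {first} and {last}")
```

Lowering `threshold` (or widening `window`) shows how quickly noise from device provisioning would start to match, which is the tuning trade-off the false-positive note above refers to.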
Categories
  • Identity Management
  • Cloud
  • Network
Data Sources
  • User Account
  • Application Log
  • Web Credential
ATT&CK Techniques
  • T1621
  • T1110
  • T1078
Created: 2025-01-21