Auth0 MFA Risk Assessment Enabled

Panther Rules

Summary
This detection rule monitors for the multi-factor authentication (MFA) risk assessment setting being enabled in Auth0 for user accounts. It identifies when a user initiates this action, which can indicate a change in security policy that may either bolster or undermine the organization's security posture. The analysis focuses on the logs generated by user activity that modifies MFA settings, looking in particular for unusual patterns around the enabling of this feature. Because MFA settings are sensitive, enabling this policy is typically a security enhancement, although it can also be misused, so a review is recommended to confirm that the change aligns with valid business needs or security requirements. The rule is classified as low severity: the system logs the event without triggering immediate alerts unless the event occurs under suspicious circumstances.
Categories
  • Cloud
  • Identity Management
  • Web
Data Sources
  • User Account
  • Application Log
Created: 2023-06-22