Auth0: Invalid Email_Username

Anvilogic Forge

Summary
This detection rule identifies login attempts that use invalid email addresses or usernames in an Auth0 authentication context. Threat actors often probe for valid accounts by making multiple failed login attempts with incorrect credentials. The logic uses Splunk to pull authentication data from Auth0 logs, filtering for events that indicate a failed username or email authentication (event_type "fu"). The output records give a timestamped view of these failed attempts, categorized by user and location data, which helps identify potential account enumeration. A failed login with an incorrect username or email is not inherently malicious without additional context, but it is a preliminary signal that can be investigated further. The rule is associated with credential brute-forcing and account discovery techniques, so the same signal is relevant when watching for credential stuffing and password guessing attacks.
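The filtering and grouping described above, as an added Python example run over constructed log lines; it is not the Anvilogic rule's Splunk query. Only `event_type` and the value "fu" come from the summary: the other field names (`time`, `user`, `src_ip`, `country`) and the `min_distinct_users` threshold are assumptions for illustration.

```python
import json
from collections import defaultdict

# Constructed sample events. "event_type" is the field named in the summary;
# "time", "user", "src_ip" and "country" are assumed field names.
SAMPLE_LOGS = """\
{"time": "2025-02-28T10:00:01Z", "event_type": "fu", "user": "alice@example.com", "src_ip": "203.0.113.7", "country": "NL"}
{"time": "2025-02-28T10:00:03Z", "event_type": "fu", "user": "bob@example.com", "src_ip": "203.0.113.7", "country": "NL"}
{"time": "2025-02-28T10:00:04Z", "event_type": "s", "user": "erin@example.com", "src_ip": "203.0.113.7", "country": "NL"}
{"time": "2025-02-28T10:00:06Z", "event_type": "fu", "user": "carol@example.com", "src_ip": "203.0.113.7", "country": "NL"}
{"time": "2025-02-28T10:00:09Z", "event_type": "fu", "user": "Alice@Example.com", "src_ip": "203.0.113.7", "country": "NL"}
{"time": "2025-02-28T11:15:40Z", "event_type": "fu", "user": "dave@exmaple.com", "src_ip": "198.51.100.20", "country": "US"}
not-json: truncated record
"""

def failed_username_events(lines):
    """Yield parsed events with event_type 'fu'; skip blank or malformed lines."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and event.get("event_type") == "fu":
            yield event

def summarize_by_source(events, min_distinct_users=3):
    """Group 'fu' events per source IP; mark sources that tried many distinct names."""
    groups = defaultdict(lambda: {"users": set(), "times": [], "country": None})
    for event in events:
        group = groups[event.get("src_ip", "unknown")]
        group["users"].add(str(event.get("user", "")).lower())  # case-fold duplicates
        group["times"].append(event.get("time", ""))
        group["country"] = event.get("country")
    rows = []
    for src_ip, group in groups.items():
        rows.append({
            "src_ip": src_ip,
            "country": group["country"],
            "attempts": len(group["times"]),
            "distinct_users": len(group["users"]),
            # ISO 8601 UTC strings in one format sort chronologically as text.
            "first_seen": min(group["times"]),
            "last_seen": max(group["times"]),
            "review": len(group["users"]) >= min_distinct_users,
        })
    return sorted(rows, key=lambda row: row["distinct_users"], reverse=True)

def run_sample():
    return summarize_by_source(failed_username_events(SAMPLE_LOGS.splitlines()))

if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

A single source cycling through several distinct names is marked for review, while the lone mistyped address is reported but not marked, matching the summary's point that one failed login is only a preliminary signal.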
Categories
  • Web
  • Identity Management
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1087
  • T1110
  • T1110.001
  • T1110.003
  • T1110.004
Created: 2025-02-28