
Summary
This detection rule monitors updates to Auth0 Guardian's multi-factor authentication (MFA) settings. Such updates, recorded as events of type "gd_tenant_update", can indicate unauthorized changes intended to weaken or bypass MFA protections; an attacker who can alter these settings may disable MFA enforcement and open a path to unauthorized access. The rule selects these events by querying `get_authentication_data_auth0` and keeps the fields needed for triage: session ID, user information, source IP, and HTTP user agent. It is written as a Splunk search for continuous monitoring, so that suspicious changes to Guardian settings are detected promptly. Acting on this detection lets security teams respond in real time to manipulation of the authentication process and preserve the integrity of MFA-protected accounts.
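As an added example that is not the rule's own Splunk logic, the following Python applies the same selection to Auth0 tenant log records and extracts the fields the rule keeps; the field names (`type`, `session_id`, `user_id`, `user_name`, `ip`, `user_agent`, `details`) and the sample events are constructed assumptions about the log schema.

```python
import json

# Auth0 Guardian MFA settings update event type, as named in the rule.
WATCHED_TYPE = "gd_tenant_update"

# Constructed sample of Auth0 tenant log records (NDJSON, one record per line).
# The last line is deliberately malformed to show the parser skipping it.
SAMPLE_LOGS = """\
{"type": "s", "session_id": "sess-01", "user_id": "auth0|u1", "user_name": "alice@example.test", "ip": "198.51.100.10", "user_agent": "Mozilla/5.0"}
{"type": "gd_tenant_update", "session_id": "sess-02", "user_id": "auth0|u2", "user_name": "admin@example.test", "ip": "203.0.113.7", "user_agent": "Mozilla/5.0", "details": {"policy": "never"}}
{"type": "gd_tenant_update", "session_id": "sess-03", "user_id": "auth0|u2", "user_name": "admin@example.test", "ip": "203.0.113.7", "user_agent": "curl/8.0"}
not json at all
"""


def parse_events(ndjson):
    """Yield parsed records; skip blank or malformed lines rather than abort the search."""
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def detect_guardian_updates(ndjson):
    """Return one finding per gd_tenant_update event, carrying the triage fields."""
    findings = []
    for ev in parse_events(ndjson):
        if ev.get("type") != WATCHED_TYPE:
            continue
        findings.append({
            "session_id": ev.get("session_id"),
            "user_id": ev.get("user_id"),
            "user_name": ev.get("user_name"),
            "src_ip": ev.get("ip"),
            "http_user_agent": ev.get("user_agent"),
            # Whatever the tenant change carried (constructed here); useful to see
            # whether the update relaxed the MFA policy.
            "details": ev.get("details", {}),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_guardian_updates(SAMPLE_LOGS):
        print(finding)
```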
Categories
- Identity Management
- Cloud
- Web
- Application
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1556.006
Created: 2025-02-28