Auth0: MFA Request Rejected by User

Anvilogic Forge

Summary
This detection rule aims to identify potential MFA fatigue attacks by monitoring rejected Multi-Factor Authentication (MFA) requests in an Auth0 environment. Attackers may bombard users with multiple authentication prompts in an effort to trick them into inadvertently approving access, compromising user accounts. The rule extracts data from authentication logs, specifically tracking events where users have rejected MFA requests. By analyzing these rejections, organizations can identify unusual patterns that may suggest an ongoing attack. The logic leverages a Splunk query to filter for rejected MFA events, grouping and summarizing data by relevant attributes such as time, user, and source IP. This enables security teams to proactively respond to potential credential theft attempts by recognizing abnormal frequencies of rejected authentication prompts.
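The logic described above (filter rejected MFA events, then group by time, user, and source IP), as an added Python example that is not the rule's own Splunk query. The sample events are constructed, and the 10-minute window and threshold of 3 are assumptions, not values taken from the rule.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real log data), one JSON object per line.
# Field names follow the Auth0 tenant log format: type, date, user_name, ip.
SAMPLE_LOGS = """\
{"type": "gd_auth_rejected", "date": "2025-02-28T10:00:05.000Z", "user_name": "alice@example.com", "ip": "203.0.113.7"}
{"type": "gd_auth_rejected", "date": "2025-02-28T10:01:10.000Z", "user_name": "alice@example.com", "ip": "203.0.113.7"}
{"type": "gd_auth_rejected", "date": "2025-02-28T10:02:30.000Z", "user_name": "alice@example.com", "ip": "203.0.113.7"}
{"type": "gd_auth_rejected", "date": "2025-02-28T10:04:00.000Z", "user_name": "alice@example.com", "ip": "203.0.113.7"}
{"type": "gd_auth_succeed", "date": "2025-02-28T10:05:00.000Z", "user_name": "carol@example.com", "ip": "192.0.2.10"}
{"type": "gd_auth_rejected", "date": "2025-02-28T10:06:00.000Z", "user_name": "bob@example.com", "ip": "198.51.100.4"}
this line is truncated and not valid JSON
"""

REJECTED = "gd_auth_rejected"  # Auth0 event code: user rejected an MFA request
WINDOW_SECONDS = 600           # assumption: 10-minute buckets
THRESHOLD = 3                  # assumption: rejections per bucket worth triage


def summarize_rejections(lines, window=WINDOW_SECONDS):
    """Count rejected-MFA events per (time bucket, user, source IP)."""
    counts = defaultdict(int)
    for line in lines.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            if ev.get("type") != REJECTED:
                continue
            ts = datetime.fromisoformat(ev["date"].replace("Z", "+00:00"))
        except (ValueError, KeyError, AttributeError):
            continue  # skip malformed lines and events without a usable date
        bucket = int(ts.timestamp()) // window * window
        key = (bucket, ev.get("user_name", "unknown"), ev.get("ip", "unknown"))
        counts[key] += 1
    return dict(counts)


def flag_fatigue(counts, threshold=THRESHOLD):
    """Return sorted (user, ip, count) for buckets at or above the threshold."""
    return sorted((u, ip, n) for (_, u, ip), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for user, ip, n in flag_fatigue(summarize_rejections(SAMPLE_LOGS)):
        print(f"{user} rejected {n} MFA prompts from {ip} within one window")
```

A single rejection, like the one for bob@example.com, stays below the threshold; only the repeated rejections within one window are surfaced for review.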
Categories
  • Identity Management
  • Cloud
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1621
Created: 2025-02-28