
Summary
This detection rule targets scenarios where multiple distinct users sign in successfully from the same IP address on the Auth0 platform within a short window. Because it evaluates only successful authentications, it does not catch the noisy failed-attempt phase of a brute-force attack; it catches the outcome, a brute-force or password-spraying run from one source that has landed more than one account. The rule evaluates Auth0 authentication data for events carrying 'succeed' or another indication of a successful login, then filters on the event type so that only successful authentications remain. It bins the matching events into 10-minute intervals, aggregates them by source IP, and counts the distinct users seen per IP within each interval. Any interval in which a single IP authenticates more than one distinct user is flagged as potential malicious activity such as brute force or password spraying. Shared egress addresses (corporate NAT, VPN concentrators, mobile carriers) legitimately produce the same pattern, so an allowlist of known egress IPs or a higher distinct-user threshold is usually needed to keep the alert actionable. The rule supports detecting, not preventing, unauthorized access within the Auth0 ecosystem; blocking or forcing re-authentication is a response action taken on the alert.
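The aggregation described above, run over a handful of constructed Auth0-style log events, as an added example that is not part of the original rule or of Auth0's own tooling. It assumes the Auth0 log schema's "type", "ip", "user_id", "user_name" and "date" fields, treats event type "s" (Success Login) as the success indicator, and adds two tuning knobs the rule text does not specify, a distinct-user threshold and an egress-IP allowlist, to show how the shared-NAT caveat is handled.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of Auth0 tenant log events (not real data). Field names
# follow the Auth0 log schema; "s" is the Success Login type, "fp" a failed
# login with a wrong password. One source IP (203.0.113.7) logs in three
# different users inside 10:00-10:10 and one more user in the next bin.
SAMPLE_LOGS = [
    {"date": "2025-02-28T10:01:00.000Z", "type": "s",  "ip": "203.0.113.7",  "user_id": "auth0|u1", "user_name": "alice@example.com"},
    {"date": "2025-02-28T10:03:30.000Z", "type": "s",  "ip": "203.0.113.7",  "user_id": "auth0|u2", "user_name": "bob@example.com"},
    {"date": "2025-02-28T10:05:10.000Z", "type": "s",  "ip": "203.0.113.7",  "user_id": "auth0|u3", "user_name": "carol@example.com"},
    {"date": "2025-02-28T10:06:00.000Z", "type": "fp", "ip": "203.0.113.7",  "user_id": "auth0|u4", "user_name": "dave@example.com"},
    {"date": "2025-02-28T10:02:00.000Z", "type": "s",  "ip": "198.51.100.9", "user_id": "auth0|u5", "user_name": "erin@example.com"},
    {"date": "2025-02-28T10:08:00.000Z", "type": "s",  "ip": "198.51.100.9", "user_id": "auth0|u5", "user_name": "erin@example.com"},
    {"date": "2025-02-28T10:12:00.000Z", "type": "s",  "ip": "203.0.113.7",  "user_id": "auth0|u1", "user_name": "alice@example.com"},
]

BIN_SECONDS = 600            # the rule's 10-minute interval
SUCCESS_TYPES = {"s"}        # assumption: Auth0 "Success Login" event type


def parse_date(value):
    """Parse the ISO-8601 UTC timestamp Auth0 writes into the 'date' field."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def bin_start(dt, bin_seconds=BIN_SECONDS):
    """Floor a timestamp to the start of its fixed-width bin (UTC)."""
    epoch = int(dt.timestamp())
    return datetime.fromtimestamp(epoch - epoch % bin_seconds, tz=timezone.utc)


def find_multi_user_ips(events, bin_seconds=BIN_SECONDS, min_distinct_users=2, ignore_ips=()):
    """Return (bin, ip) groups whose successful logins cover >= min_distinct_users.

    min_distinct_users=2 reproduces the rule's "more than one distinct user";
    ignore_ips is an allowlist for known shared egress addresses (hypothetical
    tuning knob, not part of the original rule).
    """
    users_per_key = defaultdict(set)
    for event in events:
        if event.get("type") not in SUCCESS_TYPES:   # keep successful logins only
            continue
        ip = event.get("ip")
        if not ip or ip in ignore_ips:
            continue
        key = (bin_start(parse_date(event["date"]), bin_seconds), ip)
        # Prefer the stable user_id; fall back to user_name if it is absent.
        users_per_key[key].add(event.get("user_id") or event.get("user_name"))

    hits = []
    for (start, ip), users in sorted(users_per_key.items()):
        if len(users) >= min_distinct_users:
            hits.append({
                "bin_start": start.isoformat(),
                "ip": ip,
                "distinct_users": len(users),
                "users": sorted(users),
            })
    return hits


if __name__ == "__main__":
    for hit in find_multi_user_ips(SAMPLE_LOGS):
        print(f"{hit['bin_start']} {hit['ip']} distinct_users={hit['distinct_users']} {hit['users']}")
```

Only the 10:00 bin for 203.0.113.7 fires: the failed "fp" event for dave is dropped by the type filter, erin's two logins from 198.51.100.9 collapse to one distinct user, and alice's 10:12 login falls into the next bin on her own. Passing that IP in ignore_ips, as you would for a known corporate NAT, silences the hit entirely, which is the trade-off to weigh before allowlisting.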
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1110
- T1110.003
Created: 2025-02-28