
Summary
This detection rule identifies the initiation of Multi-Factor Authentication (MFA) enrollment for accounts managed by Auth0. Threat actors might seek to register their own MFA devices on compromised accounts to maintain access and circumvent authentication measures. The rule monitors authentication logs for specific event types indicating MFA enrollment has started, allowing for differentiation between legitimate user actions and potential malicious attempts to gain unauthorized access. It leverages Splunk for event querying, filtering for events relating to MFA enrollment and aggregating relevant data such as time, user, and geographic location information, providing comprehensive visibility into events surrounding potential account compromise.
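The filter-and-aggregate logic the summary describes, as an added example that is not the rule's own Splunk search: it reads constructed Auth0-style JSON log records, keeps only the event types that mark the start of an MFA enrollment, and summarises them per user with first/last time, source IPs and countries. The event type name `gd_start_enroll` and the field names (`type`, `date`, `user_name`, `ip`, `location_info.country_code`) are assumptions about Auth0's log schema, since the page does not name the event types the rule matches; an analyst would substitute the rule's actual values.

```python
"""Added example: MFA-enrollment-start detection over Auth0-style log lines.

Not the page's own rule or Splunk SPL; the event type and field names below
are assumptions about Auth0's tenant log schema.
"""
import json
from collections import defaultdict

# Assumption: Auth0 records the start of a second-factor (Guardian) enrollment
# with event type "gd_start_enroll". The page does not name the rule's event
# types, so this set is a stand-in to be replaced with the real ones.
ENROLLMENT_START_TYPES = frozenset({"gd_start_enroll"})

# Constructed Auth0-style records (JSON lines), not real tenant data. The
# record for carol deliberately lacks location_info to exercise that path.
SAMPLE_LOGS = [
    '{"type": "s", "date": "2025-02-28T09:14:40.000Z", "user_name": "alice@example.com", "ip": "203.0.113.10", "location_info": {"country_code": "US", "city_name": "Austin"}}',
    '{"type": "gd_start_enroll", "date": "2025-02-28T09:15:02.000Z", "user_name": "alice@example.com", "ip": "203.0.113.10", "location_info": {"country_code": "US", "city_name": "Austin"}}',
    '{"type": "gd_start_enroll", "date": "2025-02-28T11:02:13.000Z", "user_name": "bob@example.com", "ip": "198.51.100.7", "location_info": {"country_code": "DE", "city_name": "Berlin"}}',
    '{"type": "gd_start_enroll", "date": "2025-02-28T11:40:55.000Z", "user_name": "bob@example.com", "ip": "192.0.2.44", "location_info": {"country_code": "US", "city_name": "Denver"}}',
    '{"type": "gd_enrollment_complete", "date": "2025-02-28T11:41:30.000Z", "user_name": "bob@example.com", "ip": "192.0.2.44", "location_info": {"country_code": "US", "city_name": "Denver"}}',
    '{"type": "gd_start_enroll", "date": "2025-02-28T13:05:09.000Z", "user_name": "carol@example.com", "ip": "192.0.2.99"}',
    'not valid json at all',
]


def parse_events(lines):
    """Parse JSON-lines records; silently skip lines that are not JSON objects."""
    events = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict):
            events.append(record)
    return events


def find_enrollment_starts(events, event_types=ENROLLMENT_START_TYPES):
    """Keep only records whose type marks the start of an MFA enrollment.

    This is the rule's filter step (the search on event type in SPL).
    """
    return [e for e in events if e.get("type") in event_types]


def aggregate_by_user(matches):
    """Summarise matched events per user: count, time window, IPs, countries.

    This is the rule's aggregation step. A missing location_info yields
    "unknown" rather than dropping the event, so it still surfaces for review.
    """
    summary = defaultdict(lambda: {
        "count": 0, "first_seen": None, "last_seen": None,
        "ips": set(), "countries": set(),
    })
    for e in matches:
        user = e.get("user_name") or e.get("user_id") or "unknown"
        entry = summary[user]
        entry["count"] += 1
        ts = e.get("date", "")  # ISO 8601 UTC strings compare lexicographically
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
        if entry["last_seen"] is None or ts > entry["last_seen"]:
            entry["last_seen"] = ts
        entry["ips"].add(e.get("ip", "unknown"))
        loc = e.get("location_info") or {}
        entry["countries"].add(loc.get("country_code", "unknown"))
    # Sorted lists instead of sets so output is stable and easy to compare.
    return {
        user: {**v, "ips": sorted(v["ips"]), "countries": sorted(v["countries"])}
        for user, v in summary.items()
    }


def detect(lines):
    """Full pipeline: parse -> filter on enrollment-start types -> per-user stats."""
    return aggregate_by_user(find_enrollment_starts(parse_events(lines)))


if __name__ == "__main__":
    for user, info in detect(SAMPLE_LOGS).items():
        print(f"{user}: {info['count']} enrollment start(s) between "
              f"{info['first_seen']} and {info['last_seen']}, "
              f"from {info['ips']} in {info['countries']}")
```

Running the block prints one line per user; bob stands out with two enrollment starts from two countries within forty minutes, which is the kind of pattern an analyst would triage against the user's normal sign-in geography before treating it as an attacker registering a device. The successful-login (`s`) and enrollment-complete records are excluded by the type filter, matching the rule's focus on the start of enrollment.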
Categories
- Identity Management
- Cloud
- Application
Data Sources
- User Account
- Application Log
- Cloud Service
ATT&CK Techniques
- T1098.005
Created: 2025-02-28