
Summary
This detection rule monitors failed attempts to enroll a Multi-Factor Authentication (MFA) device in Auth0. After compromising an account, an attacker may try to enroll their own MFA device to keep access to it; that enrollment can fail for several reasons, including other security controls, user intervention, or misconfiguration, and each failure is recorded in the Auth0 tenant logs. The rule queries the Auth0 authentication data in Splunk for the event strings that indicate a failed enrollment attempt and filters the results down to the failure event type. Because legitimate users also fail enrollment (a mistyped one-time code, an unsupported device), a match is a lead to triage against the user's expected source address and recent activity, not confirmed compromise.
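The filtering the summary describes, as an added example (not the rule's own search logic) run over constructed Auth0-style log records in Python. The event type codes gd_start_enroll_failed and gd_webauthn_enrollment_failed come from Auth0's published log event type list; that these are the strings the rule filters on, and the shape of the details object, are assumptions. The sample records are constructed and are not real tenant data.

```python
"""Failed Auth0 MFA-enrollment detection over constructed sample log lines."""
import json
from collections import defaultdict

# Auth0 log event type codes for a second-factor enrollment that did not
# complete. The codes are from Auth0's log event type list; that these are the
# strings the rule on this page filters on is an assumption.
FAILED_ENROLL_TYPES = {
    "gd_start_enroll_failed",         # Guardian / OTP / SMS enrollment failed
    "gd_webauthn_enrollment_failed",  # WebAuthn (security key) enrollment failed
}

# Constructed sample records in the shape of Auth0 tenant logs (one JSON
# object per line, as a log stream delivers them). Not real tenant data.
SAMPLE_LOGS = """\
{"date":"2025-02-28T10:01:12.000Z","type":"gd_start_enroll","description":"Second factor authentication enrollment event started","user_name":"alice@example.com","user_id":"auth0|a1","ip":"198.51.100.23","client_name":"Customer Portal","details":{}}
{"date":"2025-02-28T10:01:40.000Z","type":"gd_start_enroll_failed","description":"Multi-factor authentication enroll failed","user_name":"alice@example.com","user_id":"auth0|a1","ip":"198.51.100.23","client_name":"Customer Portal","details":{"error":{"message":"Invalid OTP code"}}}
{"date":"2025-02-28T10:02:05.000Z","type":"gd_start_enroll_failed","description":"Multi-factor authentication enroll failed","user_name":"alice@example.com","user_id":"auth0|a1","ip":"203.0.113.77","client_name":"Customer Portal","details":{"error":{"message":"Enrollment not allowed by policy"}}}
{"date":"2025-02-28T10:05:00.000Z","type":"gd_enrollment_complete","description":"Guardian enrollment complete","user_name":"bob@example.com","user_id":"auth0|b2","ip":"192.0.2.10","client_name":"Customer Portal","details":{}}
{"date":"2025-02-28T10:06:30.000Z","type":"gd_webauthn_enrollment_failed","description":"WebAuthn enrollment failed","user_name":"carol@example.com","user_id":"auth0|c3","ip":"192.0.2.44","client_name":"Admin Console","details":{"error":{"message":"Attestation verification failed"}}}
{"date":"2025-02-28T10:07:00.000Z","type":"s","description":"Success Login","user_name":"bob@example.com","user_id":"auth0|b2","ip":"192.0.2.10","client_name":"Customer Portal","details":{}}
"""


def parse_events(text):
    """Parse newline-delimited JSON log records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one truncated line must not abort the whole search
    return events


def is_failed_enrollment(event):
    """True when the record's event type is a failed second-factor enrollment."""
    return event.get("type") in FAILED_ENROLL_TYPES


def failure_reason(event):
    """Pull the error message from details.error.message (assumed layout), if present."""
    return (event.get("details") or {}).get("error", {}).get("message", "unknown")


def summarize(events):
    """Group failed enrollments per user, ordered by count (highest first).

    Distinct source IPs are reported because a legitimate user mistyping an OTP
    usually fails from one address, whereas an attacker enrolling a device on a
    compromised account often appears from an address the user never used.
    """
    per_user = defaultdict(list)
    for event in events:
        if is_failed_enrollment(event):
            per_user[event.get("user_name", "<unknown>")].append(event)

    rows = []
    for user, hits in per_user.items():
        hits.sort(key=lambda e: e.get("date", ""))  # ISO 8601 strings sort chronologically
        rows.append({
            "user_name": user,
            "user_id": hits[0].get("user_id"),
            "failed_enrollments": len(hits),
            "event_types": sorted({e["type"] for e in hits}),
            "source_ips": sorted({e.get("ip", "") for e in hits}),
            "reasons": sorted({failure_reason(e) for e in hits}),
            "first_seen": hits[0].get("date"),
            "last_seen": hits[-1].get("date"),
        })
    rows.sort(key=lambda r: (-r["failed_enrollments"], r["user_name"]))
    return rows


if __name__ == "__main__":
    for row in summarize(parse_events(SAMPLE_LOGS)):
        print(json.dumps(row, indent=2))
```

Running the block lists alice@example.com first with two failures from two different source addresses, which is the triage signal worth surfacing in a notable: the second address is the one to compare against the user's known locations before deciding whether the enrollment attempts were hers.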
Categories
- Identity Management
- Cloud
- Web
Data Sources
- User Account
- Application Log
- Network Traffic
ATT&CK Techniques
- T1098.005
Created: 2025-02-28