
Auth0 MFA Risk Assessment Disabled

Panther Rules

Summary
This rule monitors changes to the multi-factor authentication (MFA) risk assessment settings within an Auth0 tenant. It triggers an alert whenever any user disables the MFA risk assessment policy, which may indicate a security oversight that exposes the organization to unauthorized access. The rule includes multiple tests, each examining log events for updates to or disabling of these settings and analyzing the actions users took via the Auth0 API, including IP addresses, user identifiers, and event timestamps. The rule carries high severity, reflecting how critical it is to protect MFA settings, and the risk assessment policy should be re-enabled immediately to maintain the organization's security posture. When an event meets the defined conditions, the rule logs it and associates it with the user's actions, providing an audit trail for security assessments and compliance purposes.
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • User Account
  • Application Log
Created: 2023-05-19
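
A sketch of the detection logic the Summary describes, added here as an illustration and not the rule's own source. The log field names, the `RISK_PATH` endpoint path, and the helpers `deep_get`, `make_event` and `alerts` are assumptions, and all sample events are constructed.

```python
# Added example. Field names, the endpoint path and every event below are
# assumptions or constructed samples, not taken from the rule's source.
RISK_PATH = "/api/v2/risk-assessment/config"  # assumed path
SEVERITY = "HIGH"  # the page rates this rule high severity


def deep_get(obj, *keys, default=None):
    """Walk nested dicts; return default if a key is missing or a level is not a dict."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def rule(event):
    """True only for a successful API call that set the policy to disabled."""
    status = deep_get(event, "data", "details", "response", "statusCode")
    return (
        deep_get(event, "data", "details", "request", "path") == RISK_PATH
        and deep_get(event, "data", "details", "request", "body", "enabled") is False
        and isinstance(status, int) and 200 <= status < 300
    )


def alert_context(event):
    """Who, from where, when: the audit-trail fields the Summary lists."""
    return {
        "user": deep_get(event, "data", "user_id", default="<unknown>"),
        "ip": deep_get(event, "data", "ip", default="<unknown>"),
        "time": deep_get(event, "data", "date", default="<unknown>"),
    }


def make_event(path, enabled, status, user="auth0|constructed-admin"):
    """Build a constructed sample event in the assumed shape."""
    return {"data": {"date": "2024-01-01T00:00:00Z", "ip": "203.0.113.7", "user_id": user,
                     "details": {"request": {"path": path, "body": {"enabled": enabled}},
                                 "response": {"statusCode": status}}}}


SAMPLES = {  # constructed test cases: one true positive, four that must not alert
    "disabled": make_event(RISK_PATH, False, 200),
    "re-enabled": make_event(RISK_PATH, True, 200),
    "denied": make_event(RISK_PATH, False, 403),
    "other setting": make_event("/api/v2/example-setting", False, 200),
    "malformed": {"data": "not-a-dict"},
}


def alerts(samples):
    """Names of the sample events that would raise an alert."""
    return [name for name, ev in samples.items() if rule(ev)]
```

Checking the response status keeps a rejected disable attempt from alerting as if the policy had changed; a separate, lower-severity rule could track those attempts.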