
Summary
This detection rule addresses the potential abuse of increased authentication API rate limits in platforms using Auth0. Because attackers may exploit elevated limits to carry out credential stuffing or brute-force attacks, the rule identifies events in which such limits are set. It uses a Splunk search query to gather authentication data from Auth0, filtering for events that signify an increase in API limits. By tracking occurrences of this event together with the associated user details and location data, the detection can highlight unusual patterns that indicate either a legitimate scaling need or malicious activity aimed at bypassing rate-limit checks. The value of this rule lies in correlating these events over time so that legitimate usage can be distinguished from exploitation attempts, strengthening the security posture of applications that rely on Auth0 for user authentication.
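The following is an added, stand-alone Python illustration of the logic the summary describes; it is not the rule's own Splunk search and not Auth0 code. It parses a constructed JSON-lines export in the shape of Auth0 tenant logs, filters for the limit-increase event, groups matches by user, IP and location, and applies the "correlate over time" step by counting failed logins from the same source IP in the hour after the increase. The page does not name the Auth0 event type for a rate-limit increase, so LIMIT_INCREASE_TYPE is a labelled placeholder; the failed-login type codes f, fp and fu are Auth0's documented log event types, and the window and threshold values are assumptions to tune per tenant.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder: the page does not name the Auth0 log event type that records a
# rate-limit increase, so a clearly labelled stand-in is used here.
LIMIT_INCREASE_TYPE = "PLACEHOLDER_rate_limit_increase"
# Auth0 log type codes for failed logins: f (failed login),
# fp (wrong password), fu (invalid email/username).
FAILED_LOGIN_TYPES = {"f", "fp", "fu"}
CORRELATION_WINDOW = timedelta(hours=1)  # assumed look-ahead window after the increase
FAILED_LOGIN_THRESHOLD = 20              # assumed count that escalates severity


def _ts(value):
    """Parse an Auth0 ISO-8601 timestamp such as 2025-02-28T10:00:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_logs(text):
    """Parse a JSON-lines Auth0 tenant log export into records sorted by time."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(records, key=lambda r: _ts(r["date"]))


def detect_limit_increases(records):
    """Flag every limit-increase event and count the failed logins that follow
    it from the same source IP within CORRELATION_WINDOW."""
    findings = []
    for rec in records:
        if rec.get("type") != LIMIT_INCREASE_TYPE:
            continue
        start = _ts(rec["date"])
        end = start + CORRELATION_WINDOW
        failed = sum(
            1 for other in records
            if other.get("type") in FAILED_LOGIN_TYPES
            and other.get("ip") == rec.get("ip")
            and start <= _ts(other["date"]) <= end
        )
        loc = rec.get("location_info") or {}
        findings.append({
            "user": rec.get("user_name"),
            "ip": rec.get("ip"),
            "client": rec.get("client_name"),
            "country": loc.get("country_code"),
            "city": loc.get("city_name"),
            "time": rec["date"],
            "failed_logins_after": failed,
            "severity": "high" if failed >= FAILED_LOGIN_THRESHOLD else "review",
        })
    return findings


def summarize(findings):
    """Group findings by user, IP and location with count and first/last seen,
    the way a Splunk stats clause would present them."""
    groups = defaultdict(lambda: {"count": 0, "first_seen": None,
                                  "last_seen": None, "severity": "review"})
    for f in findings:
        g = groups[(f["user"], f["ip"], f["country"], f["city"])]
        g["count"] += 1
        g["first_seen"] = f["time"] if g["first_seen"] is None else min(g["first_seen"], f["time"])
        g["last_seen"] = f["time"] if g["last_seen"] is None else max(g["last_seen"], f["time"])
        if f["severity"] == "high":
            g["severity"] = "high"
    return dict(groups)


def build_sample_logs():
    """Constructed sample export: two limit increases, then a burst of 25
    failed logins from the second event's source IP."""
    records = [
        {"date": "2025-02-28T10:00:00.000Z", "type": LIMIT_INCREASE_TYPE,
         "user_name": "ops-admin@example.com", "ip": "203.0.113.10",
         "client_name": "prod-app",
         "location_info": {"country_code": "US", "city_name": "Austin"}},
        {"date": "2025-02-28T10:05:00.000Z", "type": LIMIT_INCREASE_TYPE,
         "user_name": "svc-account@example.com", "ip": "198.51.100.7",
         "client_name": "prod-app",
         "location_info": {"country_code": "RO", "city_name": "Bucharest"}},
    ]
    for i in range(25):
        records.append({"date": f"2025-02-28T10:06:{i:02d}.000Z", "type": "fp",
                        "user_name": f"user{i}@example.com", "ip": "198.51.100.7",
                        "client_name": "prod-app",
                        "location_info": {"country_code": "RO", "city_name": "Bucharest"}})
    return "\n".join(json.dumps(r) for r in records)


if __name__ == "__main__":
    for key, group in summarize(detect_limit_increases(parse_logs(build_sample_logs()))).items():
        print(key, group)
```

The severity split is the point of the correlation: an increase followed by no failed logins from that IP is left at "review" for the capacity-change conversation, while an increase followed by a burst of failures is promoted to "high" because that is the sequence credential stuffing behind a raised limit would produce.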
Categories
- Identity Management
- Cloud
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1078
- T1098
Created: 2025-02-28