
Summary
This rule monitors failed password change attempts in Auth0 tenant logs to detect possible account compromise or brute-force activity aimed at the password reset flow. The detection keys on two failed event types: 'fcp' (Failed Change Password) and 'fcpr' (Failed Change Password Request). Clusters of these events are an indicator of unauthorized access attempts and credential abuse, and so of possible account takeover. The logic is implemented as a Splunk query that selects the relevant events, filters them on the rule's conditions, and aggregates them for further analysis. The aggregation carries key identifiers such as session ID, event type, user account details, source IP, and user-agent string so that an analyst can investigate the activity in depth.
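The selection and aggregation step the summary describes, as an added Python example that is not the rule's own Splunk query: it applies the same fcp/fcpr filter to a constructed sample of Auth0 log events and groups the identifiers the rule carries (session ID, event type, source IP, user agent) per user. The field names (type, date, user_name, ip, user_agent, details.session_id) are assumed from the Auth0 log format, the sample values are made up, and the failure threshold is an assumed tuning knob rather than a condition stated by the rule.

```python
"""Aggregate Auth0 failed password-change events (fcp / fcpr) per user."""
import json
from collections import defaultdict

# Event types the rule keys on: failed change password / failed change password request.
FAILED_CHANGE_PASSWORD_TYPES = {"fcp", "fcpr"}

# Constructed sample of Auth0 tenant log events, one JSON object per line.
# Field names follow the Auth0 log format as an assumption; values are made up.
SAMPLE_LOGS = """
{"type": "fcp",  "date": "2025-02-28T10:01:00Z", "user_name": "alice@example.com", "ip": "203.0.113.5", "user_agent": "Mozilla/5.0", "details": {"session_id": "sess-1"}}
{"type": "fcpr", "date": "2025-02-28T10:01:30Z", "user_name": "alice@example.com", "ip": "203.0.113.5", "user_agent": "Mozilla/5.0", "details": {"session_id": "sess-1"}}
{"type": "scp",  "date": "2025-02-28T10:02:00Z", "user_name": "bob@example.com",   "ip": "198.51.100.7", "user_agent": "Mozilla/5.0", "details": {"session_id": "sess-2"}}
{"type": "fcp",  "date": "2025-02-28T10:03:00Z", "user_name": "alice@example.com", "ip": "203.0.113.9", "user_agent": "python-requests/2.31", "details": {"session_id": "sess-3"}}
{"type": "fcpr", "date": "2025-02-28T10:04:00Z", "user_name": "carol@example.com", "ip": "198.51.100.8", "user_agent": "Mozilla/5.0", "details": {"session_id": "sess-4"}}
"""

def parse_events(raw):
    """Parse newline-delimited JSON log events, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]

def aggregate_failed_changes(events, threshold=1):
    """Keep only fcp/fcpr events and group them per user, collecting the
    identifiers the rule carries for triage. Users with fewer than
    `threshold` failures are dropped (threshold is an assumed knob)."""
    by_user = defaultdict(lambda: {
        "count": 0, "event_types": set(), "src_ips": set(),
        "user_agents": set(), "session_ids": set(), "first": None, "last": None,
    })
    for ev in events:
        if ev.get("type") not in FAILED_CHANGE_PASSWORD_TYPES:
            continue  # successful changes and unrelated events are ignored
        rec = by_user[ev.get("user_name", "<unknown>")]
        rec["count"] += 1
        rec["event_types"].add(ev["type"])
        rec["src_ips"].add(ev.get("ip", ""))
        rec["user_agents"].add(ev.get("user_agent", ""))
        rec["session_ids"].add(ev.get("details", {}).get("session_id", ""))
        ts = ev.get("date", "")  # ISO-8601 strings compare correctly lexically
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    # Sort the sets into lists so the result is stable and easy to report on.
    return {
        user: {k: sorted(v) if isinstance(v, set) else v for k, v in rec.items()}
        for user, rec in by_user.items() if rec["count"] >= threshold
    }

if __name__ == "__main__":
    for user, rec in aggregate_failed_changes(parse_events(SAMPLE_LOGS), threshold=2).items():
        print(user, json.dumps(rec))
```

With threshold=2 only alice is reported, with two source IPs and two user agents across three sessions, which is the kind of spread an analyst would look at first.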
Categories
- Identity Management
- Cloud
- Application
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1078
- T1098
Created: 2025-02-28