
Auth0: Excessive Login Failures from Single IP

Anvilogic Forge

Summary
This detection rule identifies potential brute-force attacks on user accounts by monitoring for excessive login failures reported from a single IP address. Threat actors may use automated scripts to guess credentials rapidly, producing a volume of failed login attempts that trips account lockout mechanisms. The rule captures events in which users are temporarily blocked from logging in because the maximum allowable number of login attempts has been reached from the same IP address. Specifically, it matches the 'limit_sul' event type in the Auth0 authentication logs. When such events are logged, the rule aggregates them by timestamp and source IP, which exposes how often the blocks recur and reveals patterns consistent with automated attacks. This detection is critical for identifying accounts that an attacker is actively testing and for enabling appropriate defensive measures to safeguard user access.
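The following is an added example of the aggregation this rule describes, written for this page and not taken from Anvilogic Forge or Auth0. It parses newline-delimited Auth0 tenant log events, keeps only those of type `limit_sul`, buckets them into a one-hour window per source IP (the window length and the alert threshold are assumptions, not values stated on the page), and returns the windows that exceed the threshold together with the affected user names. The log lines are constructed for the example; field names follow the Auth0 log schema (`type`, `date`, `ip`, `user_name`), but the values are made up.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of Auth0 tenant log events (newline-delimited JSON).
# Field names follow the Auth0 log schema; IPs, users and times are made up.
SAMPLE_LOGS = """\
{"type": "limit_sul", "date": "2025-02-28T10:01:12.000Z", "ip": "203.0.113.10", "user_name": "alice@example.com", "description": "Blocked account"}
{"type": "f", "date": "2025-02-28T10:01:20.000Z", "ip": "203.0.113.10", "user_name": "bob@example.com", "description": "Wrong email or password"}
{"type": "limit_sul", "date": "2025-02-28T10:03:45.000Z", "ip": "203.0.113.10", "user_name": "bob@example.com", "description": "Blocked account"}
{"type": "limit_sul", "date": "2025-02-28T10:07:02.000Z", "ip": "203.0.113.10", "user_name": "carol@example.com", "description": "Blocked account"}
{"type": "s", "date": "2025-02-28T10:08:00.000Z", "ip": "198.51.100.7", "user_name": "dave@example.com", "description": "Success Login"}
{"type": "limit_sul", "date": "2025-02-28T11:30:00.000Z", "ip": "198.51.100.7", "user_name": "dave@example.com", "description": "Blocked account"}
{"type": "limit_sul", "date": "2025-02-28T11:31:00.000Z", "ip": "203.0.113.10", "user_name": "alice@example.com", "description": "Blocked account"}
"""

WATCHED_TYPE = "limit_sul"   # Auth0 event type named by the rule
WINDOW_SECONDS = 3600        # assumed aggregation window: one hour


def parse_events(raw):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line must not abort the whole detection run
    return events


def bucket(ts_str, window=WINDOW_SECONDS):
    """Round an ISO-8601 timestamp down to the start of its window (UTC)."""
    ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    epoch = int(ts.timestamp())
    start = epoch - (epoch % window)
    return datetime.fromtimestamp(start, tz=timezone.utc).isoformat()


def aggregate_blocks(events, window=WINDOW_SECONDS):
    """Count 'limit_sul' events per (window start, source IP), tracking affected users."""
    agg = defaultdict(lambda: {"count": 0, "users": set()})
    for ev in events:
        if ev.get("type") != WATCHED_TYPE:
            continue
        ip, date = ev.get("ip"), ev.get("date")
        if not ip or not date:
            continue  # cannot attribute the block without both fields
        key = (bucket(date, window), ip)
        agg[key]["count"] += 1
        if ev.get("user_name"):
            agg[key]["users"].add(ev["user_name"])
    return {k: {"count": v["count"], "users": sorted(v["users"])}
            for k, v in agg.items()}


def detect(raw, threshold=2, window=WINDOW_SECONDS):
    """Return one alert per (window, IP) whose block count reaches the threshold."""
    agg = aggregate_blocks(parse_events(raw), window)
    alerts = []
    for (window_start, ip), stats in sorted(agg.items()):
        if stats["count"] >= threshold:
            alerts.append({
                "window_start": window_start,
                "ip": ip,
                "blocked_events": stats["count"],
                "affected_users": stats["users"],
            })
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_LOGS), indent=2))
```

On the constructed sample, only 203.0.113.10 in the 10:00 window crosses the threshold (three blocked accounts across three distinct users), while the single blocks in the 11:00 window stay below it; the count of distinct users per window is what separates one locked-out legitimate user from an IP cycling through many accounts.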
Categories
  • Identity Management
  • Cloud
  • Application
  • Web
  • Endpoint
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1110.001
  • T1110.003
  • T1110.004
Created: 2025-02-28