
Auth0: Successful MFA Login After Multiple Failures

Anvilogic Forge

Summary
This detection rule identifies likely MFA fatigue (push bombing) attacks, in which an attacker who already holds a user's password repeatedly triggers MFA push notifications until the user approves one out of frustration or confusion. The rule reads Auth0 authentication log events and, for each user, counts push notifications sent, push challenges rejected, and push challenges approved. A user is flagged when, within a single 900-second (15-minute) window, more than four push notifications were sent, more than three were rejected, and at least one was approved: the run of rejections shows the prompts were unwanted, and the final approval is the point at which the attacker gains a session. The 15-minute window keeps the correlation to bursts of rapid prompting rather than rejections spread over a working day, and the per-user aggregation yields one summarized result per affected account. An alert on this pattern should be treated as a probable credential compromise plus an accepted MFA prompt, so response should include revoking the user's sessions and resetting the password, not just contacting the user.
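The following is an added example, not the Anvilogic rule itself, showing the same logic run over a handful of constructed Auth0-style log lines: a per-user sliding 900-second window in which pushes sent, pushes rejected and pushes approved are counted, with an alert when the thresholds above are all met. The Auth0 Guardian event codes used here (`gd_send_pn`, `gd_auth_rejected`, `gd_auth_succeed`) and the `date`, `type` and `user_name` field names are assumptions of the example and are not stated on this page; adjust them to whatever your log pipeline emits.

```python
"""Sliding-window MFA fatigue detection over Auth0-style log events.

Added example; not the Anvilogic Forge rule. Event codes and field names are
assumptions and may need to be mapped to your own log schema.
"""
import json
from collections import deque
from datetime import datetime, timedelta, timezone

WINDOW_SECONDS = 900   # 15-minute correlation window
MIN_PUSHES = 5         # "more than four" push notifications
MIN_REJECTED = 4       # "more than three" rejected
MIN_SUCCESS = 1        # at least one approved

# Assumed Auth0 Guardian push event codes (not from the page).
PUSH_SENT = "gd_send_pn"
PUSH_REJECTED = "gd_auth_rejected"
PUSH_SUCCEEDED = "gd_auth_succeed"


def parse_event(line):
    """Parse one JSON log line into (timestamp, event type, user)."""
    ev = json.loads(line)
    ts = datetime.fromisoformat(ev["date"].replace("Z", "+00:00"))
    return {"ts": ts, "type": ev["type"], "user": ev.get("user_name") or ev.get("user_id")}


def detect_mfa_fatigue(lines, window=WINDOW_SECONDS):
    """Return {user: alert} for users meeting all thresholds inside one window.

    Events are processed in time order; for each user a deque holds only the
    events from the last `window` seconds, so counts never mix separate bursts.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    per_user = {}
    alerts = {}
    for ev in events:
        q = per_user.setdefault(ev["user"], deque())
        q.append(ev)
        # Drop events that fell out of the trailing window.
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window:
            q.popleft()
        pushes = sum(1 for e in q if e["type"] == PUSH_SENT)
        rejected = sum(1 for e in q if e["type"] == PUSH_REJECTED)
        succeeded = sum(1 for e in q if e["type"] == PUSH_SUCCEEDED)
        if pushes >= MIN_PUSHES and rejected >= MIN_REJECTED and succeeded >= MIN_SUCCESS:
            # Keep the latest matching window per user (one summary row per account).
            alerts[ev["user"]] = {
                "pushes": pushes,
                "rejected": rejected,
                "succeeded": succeeded,
                "window_start": q[0]["ts"].isoformat(),
                "window_end": ev["ts"].isoformat(),
            }
    return alerts


# ---- constructed sample log (not real tenant data) ------------------------
_BASE = datetime(2025, 2, 28, 10, 0, tzinfo=timezone.utc)


def _ev(offset_s, typ, user):
    ts = (_BASE + timedelta(seconds=offset_s)).isoformat().replace("+00:00", "Z")
    return json.dumps({"date": ts, "type": typ, "user_name": user})


SAMPLE_LOG = [
    # alice: 6 pushes, 4 rejections, then an approval, all inside ~6 minutes -> alert
    *[_ev(o, PUSH_SENT, "alice") for o in (0, 60, 120, 180, 240, 300)],
    *[_ev(o, PUSH_REJECTED, "alice") for o in (30, 90, 150, 210)],
    _ev(330, PUSH_SUCCEEDED, "alice"),
    # bob: one mistaken rejection, then approval -> normal
    _ev(0, PUSH_SENT, "bob"), _ev(30, PUSH_REJECTED, "bob"),
    _ev(60, PUSH_SENT, "bob"), _ev(90, PUSH_SUCCEEDED, "bob"),
    # carol: bombed but never approved -> below threshold for this rule
    *[_ev(o, PUSH_SENT, "carol") for o in (0, 60, 120, 180, 240, 300)],
    *[_ev(o, PUSH_REJECTED, "carol") for o in (30, 90, 150, 210)],
    # dave: same counts as alice but spread over ~27 minutes -> no single window matches
    *[_ev(o, PUSH_SENT, "dave") for o in (0, 300, 600, 900, 1200, 1500)],
    *[_ev(o, PUSH_REJECTED, "dave") for o in (150, 450, 750, 1050)],
    _ev(1600, PUSH_SUCCEEDED, "dave"),
]

if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(user, alert)
```

The `dave` case is the one worth noticing when tuning: the same absolute counts never co-occur inside 900 seconds, so the rule stays quiet, which is the intended trade-off of a short window (fewer false positives from a user who declines a few prompts over an afternoon, at the cost of missing a slow, patient attacker). The rule as described on this page counts pushes, rejections and approvals without requiring the approval to come after the rejections; the example keeps that behaviour.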
Categories
  • Identity Management
  • Cloud
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1621
Created: 2025-02-28