
Summary
This detection rule identifies login attempts against Auth0 that use passwords known to be compromised or leaked. It triggers on Auth0 log events of type 'pwd_leak', which indicate that the submitted username/password combination has been exposed in a data breach. The rule monitors Auth0 Events and suppresses further notifications for 60 minutes after the first observed event to limit alert fatigue. Its severity is 'Medium', since such attempts may indicate an ongoing effort to hijack user accounts. The threshold is one: a single leaked-password login attempt from a given IP address fires the rule and alerts security personnel so they can act before the account is compromised.
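The detection logic described above, as an added Python example that is not part of the rule's own definition: it filters Auth0-style log records for the 'pwd_leak' type, fires once per source IP when the threshold is met, and folds further events from that IP into the open alert for the 60-minute suppression window. The log lines are constructed sample data; the field names 'type', 'ip', 'user_name' and 'date' follow the Auth0 log record layout, and the 's' and 'f' records stand for ordinary successful and failed logins that the rule must ignore.

```python
import json
from datetime import datetime, timedelta

# Rule parameters from the page: one 'pwd_leak' event from an IP fires the
# rule; further alerts for that IP are suppressed for 60 minutes.
EVENT_TYPE = "pwd_leak"
THRESHOLD = 1
SUPPRESS_FOR = timedelta(minutes=60)

# Constructed Auth0-style log lines (sample data, not real tenant logs).
SAMPLE_LOGS = [
    '{"type": "s", "ip": "198.51.100.7", "user_name": "alice@example.test", "date": "2025-10-16T09:00:00.000Z"}',
    '{"type": "pwd_leak", "ip": "203.0.113.10", "user_name": "bob@example.test", "date": "2025-10-16T09:01:00.000Z"}',
    '{"type": "pwd_leak", "ip": "203.0.113.10", "user_name": "carol@example.test", "date": "2025-10-16T09:30:00.000Z"}',
    '{"type": "f", "ip": "203.0.113.10", "user_name": "carol@example.test", "date": "2025-10-16T09:31:00.000Z"}',
    '{"type": "pwd_leak", "ip": "203.0.113.10", "user_name": "dave@example.test", "date": "2025-10-16T10:05:00.000Z"}',
    '{"type": "pwd_leak", "ip": "192.0.2.44", "user_name": "erin@example.test", "date": "2025-10-16T10:06:00.000Z"}',
]

def parse_event(line):
    """Parse one JSON log line into a dict with a datetime 'ts'; None if unusable."""
    try:
        evt = json.loads(line)
        evt["ts"] = datetime.strptime(evt["date"], "%Y-%m-%dT%H:%M:%S.%fZ")
        return evt
    except (ValueError, KeyError, TypeError):
        return None

def detect_leaked_password_logins(lines, threshold=THRESHOLD, suppress_for=SUPPRESS_FOR):
    """Return one alert per (ip, suppression window).

    A window opens at the first pwd_leak event from an IP and fires when the
    event count reaches `threshold`; later events inside the window update the
    alert's count and user list but raise no new alert. A pwd_leak event seen
    `suppress_for` or later after the window opened starts a fresh window."""
    alerts = []
    windows = {}  # ip -> the current window for that IP
    for line in lines:
        evt = parse_event(line)
        if evt is None or evt.get("type") != EVENT_TYPE:
            continue  # ignore malformed lines and non-pwd_leak events
        ip = evt["ip"]
        w = windows.get(ip)
        if w is None or evt["ts"] - w["start"] >= suppress_for:
            w = windows[ip] = {"ip": ip, "start": evt["ts"], "count": 0, "users": [], "fired": False}
        w["count"] += 1
        w["users"].append(evt.get("user_name"))
        if not w["fired"] and w["count"] >= threshold:
            w["fired"] = True
            alerts.append(w)  # same dict object, so later events update it
    return alerts

if __name__ == "__main__":
    for a in detect_leaked_password_logins(SAMPLE_LOGS):
        print(f"ALERT ip={a['ip']} first_seen={a['start']:%H:%M} events={a['count']} users={a['users']}")
```

On the sample data the rule fires three times: once for 203.0.113.10 at 09:01 (the 09:30 event is folded into it), again for the same IP at 10:05 once the 60-minute window has lapsed, and once for 192.0.2.44.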
Categories
- Cloud
- Identity Management
- Web
- Application
Data Sources
- User Account
- Network Traffic
- Logon Session
- Application Log
Created: 2025-10-16