Auth0: Failed username change

Anvilogic Forge

Summary
This detection rule identifies multiple failed username change requests tied to multi-factor authentication (MFA) in Auth0 environments. In this context, threat actors may employ MFA fatigue tactics: they inundate a user with numerous MFA approval requests, relying on repetitive prompts to trick the user into inadvertently granting access. The rule tracks the volume of these MFA push notifications alongside successful authentications and rejected attempts, which can serve as indicators of a potential attack. It filters authentication logs for entries marked 'Failed to change username' and accounts for these requests by examining the actions, the users involved, and the originating IP addresses. Counting how many times a user requests MFA approval within a set timeframe can highlight requests that deviate from normal user behavior, signaling potential account compromise attempts or unauthorized access events.
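The sketch below is an added example, not the rule's own source: it applies the logic described in the summary (filter on 'Failed to change username', then count per user and originating IP inside a time window) to constructed log events. The field names, the 10-minute window, and the threshold of 3 are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; the field names (date, description, user_name, ip)
# are assumptions for this example, and the IPs are documentation addresses.
SAMPLE_EVENTS = [
    {"date": "2025-02-28T10:00:05Z", "description": "Failed to change username", "user_name": "alice", "ip": "203.0.113.7"},
    {"date": "2025-02-28T10:02:10Z", "description": "Failed to change username", "user_name": "alice", "ip": "203.0.113.7"},
    {"date": "2025-02-28T10:03:40Z", "description": "Failed to change username", "user_name": "alice", "ip": "198.51.100.23"},
    {"date": "2025-02-28T10:08:00Z", "description": "Failed to change username", "user_name": "alice", "ip": "203.0.113.7"},
    {"date": "2025-02-28T11:30:00Z", "description": "Failed to change username", "user_name": "alice", "ip": "203.0.113.7"},
    {"date": "2025-02-28T10:01:00Z", "description": "Failed to change username", "user_name": "bob", "ip": "192.0.2.50"},
    {"date": "2025-02-28T10:21:00Z", "description": "Failed to change username", "user_name": "bob", "ip": "192.0.2.50"},
    {"date": "2025-02-28T10:04:00Z", "description": "Successful login", "user_name": "carol", "ip": "192.0.2.99"},
]

WINDOW = timedelta(minutes=10)   # assumed timeframe; the page only says "a set timeframe"
THRESHOLD = 3                    # assumed minimum failures per user inside the window
MATCH = "Failed to change username"

def parse_ts(value):
    # Accept the trailing "Z" form of ISO 8601 timestamps.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user whose densest window holds >= threshold failures."""
    per_user = defaultdict(list)
    for event in events:
        if event.get("description") != MATCH:
            continue  # only failed username changes are counted
        per_user[event.get("user_name", "unknown")].append(
            (parse_ts(event["date"]), event.get("ip", "unknown")))
    alerts = []
    for user, hits in per_user.items():
        hits.sort(key=lambda hit: hit[0])
        start, best = 0, []
        for end in range(len(hits)):
            # Slide the left edge until the span fits inside the window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = hits[start:end + 1]
        if len(best) >= threshold:
            alerts.append({"user": user, "count": len(best),
                           "ips": sorted({ip for _, ip in best}),
                           "first_seen": best[0][0].isoformat()})
    return sorted(alerts, key=lambda alert: alert["user"])
```

Calling `detect(SAMPLE_EVENTS)` flags only the user with four failures inside ten minutes; the isolated later failure and the two failures spaced twenty minutes apart stay below the threshold.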
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1621
Created: 2025-02-28