It’s hard to question the correctness of such claims if the only thing they provided is a screenshot; From the screenshot alone the actual correct attempt (status 200) was request 180, however, previous requests show attempts for the same value (duplicates) which is weird.
Also, from the screenshot alone it’s impossible to know if the previous attempts were to the same user.
If you have enabled brute-force protection (both triggers) then by default 10 failed attempts for the same user and IP address will block that user+IP combination. In addition, an IP address may be significantly throttled if there are more than 100 attempts originating from that IP address and targeting multiple users (https://auth0.com/docs/anomaly-detection#brute-force-protection).
In conclusion, the information provided here and likely the information provided to you is insufficient for a more detailed analysis. There’s always the risk that someone is omitting details to make the situation look worse than it is, but a more definitive conclusion would require a more detailed report.