
Summary
This detection rule identifies potential brute force attempts against Snowflake services by monitoring failed login attempts that originate from the same IP address. It flags abnormal behavior when multiple unsuccessful logins come from a single IP within a defined timeframe. With a threshold of 5 failed attempts and a 60-minute deduplication period, the rule helps reduce the risk of credential stuffing or brute force exploitation by surfacing such activity early; the behavior maps to the MITRE ATT&CK Credential Access tactic and Brute Force technique (TA0006:T1110). An alert is generated whenever these conditions are met, allowing security teams to respond before an account is compromised.
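The following is an added illustration of the logic the rule describes (group failed logins by client IP, count them inside a 60-minute window, alert at 5, then suppress repeat alerts for that IP for the rest of the window). It is not the rule's own implementation. Column names follow Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, IS_SUCCESS, ERROR_MESSAGE); the pipe-separated line format, the function names and every event in the sample are constructed for this example.

```python
"""Detect bursts of failed Snowflake logins from a single client IP.

Added example, not the detection rule's own code. Field names mirror
Snowflake's LOGIN_HISTORY view; the line format and sample rows are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                          # failed attempts per IP that trigger an alert
DEDUP_WINDOW = timedelta(minutes=60)   # counting window and alert suppression period

# Constructed sample rows: EVENT_TIMESTAMP|USER_NAME|CLIENT_IP|IS_SUCCESS|ERROR_MESSAGE
SAMPLE_LOG = """\
2024-11-04 09:00:00|alice|203.0.113.10|NO|INCORRECT_USERNAME_PASSWORD
2024-11-04 09:01:00|bob|203.0.113.10|NO|INCORRECT_USERNAME_PASSWORD
2024-11-04 09:02:00|carol|203.0.113.10|NO|INCORRECT_USERNAME_PASSWORD
2024-11-04 09:02:30|alice|198.51.100.7|NO|INCORRECT_USERNAME_PASSWORD
2024-11-04 09:03:00|dave|203.0.113.10|NO|INCORRECT_USERNAME_PASSWORD
2024-11-04 09:04:00|erin|203.0.113.10|NO|INCORRECT_USERNAME_PASSWORD
2024-11-04 09:05:00|frank|203.0.113.10|NO|INCORRECT_USERNAME_PASSWORD
2024-11-04 09:06:00|alice|203.0.113.10|YES|
2024-11-04 09:30:00|bob|198.51.100.7|NO|INCORRECT_USERNAME_PASSWORD
2024-11-04 10:10:00|svc_etl|203.0.113.10|NO|INCORRECT_USERNAME_PASSWORD
2024-11-04 10:11:00|svc_etl|203.0.113.10|NO|INCORRECT_USERNAME_PASSWORD
2024-11-04 10:12:00|svc_etl|203.0.113.10|NO|INCORRECT_USERNAME_PASSWORD
2024-11-04 10:13:00|svc_etl|203.0.113.10|NO|INCORRECT_USERNAME_PASSWORD
2024-11-04 10:14:00|svc_etl|203.0.113.10|NO|INCORRECT_USERNAME_PASSWORD
2024-11-04 11:00:00|gina|203.0.113.10|NO|INCORRECT_USERNAME_PASSWORD
"""


def parse_login_history(text):
    """Parse the constructed pipe-separated rows into LOGIN_HISTORY-style dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, ok, err = line.split("|")
        events.append({
            "EVENT_TIMESTAMP": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "USER_NAME": user,
            "CLIENT_IP": ip,
            "IS_SUCCESS": ok == "YES",
            "ERROR_MESSAGE": err,
        })
    return events


def detect_failed_login_bursts(events, threshold=THRESHOLD, window=DEDUP_WINDOW):
    """Return one alert per IP per window once `threshold` failures accumulate.

    Only failed logins count. A sliding window keeps the failures seen in the
    last `window`; when that count reaches `threshold` an alert is emitted, and
    further alerts for the same IP are suppressed until `window` has elapsed
    since the last alert (the rule's deduplication period).
    """
    recent = defaultdict(list)   # ip -> [(timestamp, user)] failures inside the window
    last_alert = {}              # ip -> timestamp of the most recent alert
    alerts = []
    for ev in sorted(events, key=lambda e: e["EVENT_TIMESTAMP"]):
        if ev["IS_SUCCESS"]:
            continue
        ip, ts = ev["CLIENT_IP"], ev["EVENT_TIMESTAMP"]
        # Drop failures that have aged out of the window, then add this one.
        recent[ip] = [(t, u) for t, u in recent[ip] if ts - t < window]
        recent[ip].append((ts, ev["USER_NAME"]))
        if len(recent[ip]) < threshold:
            continue
        last = last_alert.get(ip)
        if last is not None and ts - last < window:
            continue  # already alerted on this IP within the dedup period
        alerts.append({
            "client_ip": ip,
            "failed_attempts": len(recent[ip]),
            "first_seen": recent[ip][0][0],
            "last_seen": ts,
            "users": sorted({u for _, u in recent[ip]}),
            "technique": "T1110",
        })
        last_alert[ip] = ts
    return alerts


def run_sample():
    """Run the detection over the constructed sample log."""
    return detect_failed_login_bursts(parse_login_history(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert['client_ip']}: {alert['failed_attempts']} failures "
              f"{alert['first_seen']:%H:%M}-{alert['last_seen']:%H:%M} "
              f"users={alert['users']}")
```

On the sample, the first burst from 203.0.113.10 alerts at the fifth failure (five distinct users, the credential-stuffing pattern), the sixth failure a minute later is deduplicated, the two failures from 198.51.100.7 never reach the threshold, and the second burst against one service account alerts again only because more than 60 minutes have passed since the first alert. The users list on each alert is what a responder would check first to tell password spraying (many users) from a single-account attack.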
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1110
Created: 2024-11-04