Windows Multiple Invalid Users Failed To Authenticate Using NTLM

Splunk Security Content

Summary
This rule detects potential password spraying against a Windows Active Directory environment by monitoring failed authentication attempts over the NTLM protocol. Specifically, it identifies a single source endpoint that has attempted to authenticate with 30 unique invalid usernames, as recorded in Windows Security Event 4776. Filtering on error code 0xC0000064 isolates attempts against accounts that do not exist, a pattern that points to possible malicious activity such as unauthorized access or privilege escalation. Monitoring and analyzing this activity is important for protecting sensitive information and maintaining the integrity of Active Directory. The search query builds bucketed statistics from the logs, and the accompanying drilldown searches narrow in on the risk events and outcomes tied to the detected behavior. Implementing this detection requires enabling the appropriate auditing policies and ingesting data from Domain Controllers.
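The counting logic the summary describes, as an added Python example that is not the Splunk search itself: it parses constructed Event 4776 records (a simplified CSV shape, not real Windows log format), keeps only status 0xC0000064, and reports any source workstation that reaches 30 distinct non-existent usernames. It assumes all records already fall within one time bucket.

```python
"""Flag a source workstation that fails NTLM validation (Event 4776) against
THRESHOLD or more distinct non-existent accounts (status 0xC0000064)."""
from collections import defaultdict

THRESHOLD = 30                 # unique invalid usernames per source workstation
USER_NOT_FOUND = "0xc0000064"  # STATUS_NO_SUCH_USER: the account does not exist


def parse_event(line):
    """Parse one constructed record: EventCode,LogonAccount,Workstation,ErrorCode."""
    code, user, workstation, status = [f.strip() for f in line.split(",")]
    return {"EventCode": int(code), "user": user.lower(),
            "workstation": workstation.upper(), "status": status.lower()}


def detect_invalid_user_spray(lines, threshold=THRESHOLD):
    """Return {workstation: sorted unique invalid users} for hosts at/over threshold."""
    seen = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        # Only 4776 events whose status says the account does not exist count;
        # a wrong password for a real account (0xC000006A) is a different signal.
        if ev["EventCode"] == 4776 and ev["status"] == USER_NOT_FOUND:
            seen[ev["workstation"]].add(ev["user"])
    return {ws: sorted(users) for ws, users in seen.items() if len(users) >= threshold}


# Constructed sample telemetry (not real logs): WKS-42 tries 30 distinct
# non-existent accounts, WKS-07 tries only 3, WKS-01 repeatedly fails a real user.
SAMPLE_EVENTS = (
    [f"4776,nouser{i:02d},WKS-42,0xC0000064" for i in range(30)]
    + ["4776,nouser00,wks-42,0xC0000064"]      # repeat of a name: counted once
    + ["4776,alice,WKS-42,0xC000006A"]         # real account, wrong password
    + [f"4776,typo{i},WKS-07,0xC0000064" for i in range(3)]
    + ["4776,bob,WKS-01,0xC000006A"] * 40      # password guessing, not this rule
)

if __name__ == "__main__":
    for ws, users in detect_invalid_user_spray(SAMPLE_EVENTS).items():
        print(f"{ws}: {len(users)} unique invalid usernames, e.g. {users[:3]}")
```

Lowering the threshold is how a tuning pass would surface low-volume sources such as WKS-07 in the sample, at the cost of more noise from genuinely mistyped usernames.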
Categories
  • Windows
  • Endpoint
  • Cloud
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1110
  • T1110.003
Created: 2024-11-13