Windows Unusual NTLM Authentication Users By Source

Splunk Security Content

Summary
This detection rule identifies unusual patterns of NTLM authentication originating from a single source on Windows devices. It targets the scenario in which an anomalously high number of NTLM authentications is attempted from one source, which may indicate malicious activity such as brute-force or password-spraying attacks. The rule relies on NTLM Operational logs, specifically EventID 8004, to track authentication events. Using statistical analysis, it calculates the average and standard deviation of the number of unique user accounts attempting authentication from the same source and flags instances where a source's unique-user count exceeds a defined threshold. This makes it useful for identifying potential unauthorized-access attempts in a Windows environment, particularly in enterprise networks.
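The statistical logic described above, as an added Python example rather than the rule's own SPL, run over constructed EventID 8004 records. The field names (EventID, WorkstationName, UserName), the sigma multiplier of 3 and the minimum-user floor are assumptions made for this example, not values taken from the rule.

```python
from collections import defaultdict
from statistics import mean, stdev

# Constructed sample of Microsoft-Windows-NTLM/Operational records. The field
# names (EventID, WorkstationName, UserName) are an assumption about the 8004
# event layout, not text taken from the page. Twenty workstations each
# authenticate a handful of accounts; one source cycles through many accounts.
_BASELINE = {
    **{f"WS-FIN{i:02d}": ["alice"] for i in range(1, 9)},                  # 8 sources, 1 user each
    **{f"WS-HR{i:02d}": ["bob", "carol"] for i in range(1, 9)},            # 8 sources, 2 users each
    **{f"WS-ENG{i:02d}": ["dave", "erin", "frank"] for i in range(1, 5)},  # 4 sources, 3 users each
}
_OUTLIER = {"WS-UNKNOWN99": [f"user{n:02d}" for n in range(16)]}           # 16 distinct accounts

SAMPLE_EVENTS = [
    {"EventID": 8004, "WorkstationName": src, "UserName": user}
    for src, users in {**_BASELINE, **_OUTLIER}.items()
    for user in users
]
# A repeat logon by the same account (different case) and a record with a
# different event ID must not change the distinct-user counts.
SAMPLE_EVENTS += [
    {"EventID": 8004, "WorkstationName": "WS-FIN01", "UserName": "ALICE"},
    {"EventID": 8002, "WorkstationName": "WS-UNKNOWN99", "UserName": "user99"},
]


def distinct_users_by_source(events, event_id=8004):
    """Count distinct accounts per source workstation, using only EventID 8004 records."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != event_id:
            continue
        src, user = ev.get("WorkstationName"), ev.get("UserName")
        if not src or not user:
            continue
        seen[src].add(user.lower())  # case-insensitive: ALICE and alice are one account
    return {src: len(users) for src, users in seen.items()}


def flag_unusual_sources(events, sigma=3.0, min_users=5):
    """Flag sources whose distinct-user count exceeds mean + sigma * stdev of that
    count across all sources. sigma and min_users are assumed tunables: the floor
    keeps tiny environments from alerting on a source with only a few accounts."""
    counts = distinct_users_by_source(events)
    if len(counts) < 2:
        return {}  # stdev is undefined for a single source
    values = list(counts.values())
    avg, sd = mean(values), stdev(values)  # sample standard deviation, as Splunk's stdev() uses
    upper = avg + sigma * sd
    return {
        src: {"distinct_users": n, "upper_bound": round(upper, 2)}
        for src, n in counts.items()
        if n >= min_users and n > upper
    }


if __name__ == "__main__":
    for src, info in flag_unusual_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {info['distinct_users']} distinct users (upper bound {info['upper_bound']})")
```

One caveat a practitioner should keep in mind when tuning this: the flagged source is part of its own baseline, so a single spraying source inflates both the mean and the standard deviation. With sample standard deviation, one outlier among n sources can never sit more than (n-1)/√n standard deviations above the mean, so in a small environment (roughly ten sources or fewer) a sigma of 3 is unreachable no matter how many accounts the source tries; lower sigma, widen the window so more sources contribute, or rely on the absolute floor in that case.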
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1110
  • T1110.003
Created: 2024-11-13