
Summary
The 'Detect Password Spray Attempts' analytic identifies and mitigates potential password-spraying attacks by analyzing Windows Security Event Log event ID 4625 (failed logon) records. Using a 3-sigma approach to outlier detection, the rule looks for sources whose failed logins span a significantly elevated number of unique accounts (more than 30) compared to a calculated average. The rule leverages the Authentication Data Model so that all CIM-mapped authentication events are monitored, helping to expose brute-force activity in which common passwords are tried across many accounts precisely to avoid triggering lockout mechanisms. Appropriate scheduling, data mapping, and filtering are necessary for optimal performance, so that legitimate attempts are not falsely flagged while vigilance against real threats is maintained. The rule also supports situational awareness through drill-down searches and integration with broader risk assessment frameworks.
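To make the two-part threshold concrete, the following added example (written for this page; it is not the analytic's own search logic and is not part of the original rule) re-implements the detection over constructed, CIM-style failed-authentication records: it counts distinct target accounts per source, computes mean + 3 * stdev across all sources in the window, and flags only sources that are both above that bound and above the absolute floor of 30 unique accounts. The baseline population (every source in the window), the use of population standard deviation, and the field names `src`, `user`, `action`, and `signature_id` are assumptions made for the example.

```python
"""Toy re-implementation of the 3-sigma password-spray detection logic
described above (added example, not the rule's own search).

Constructed sample events stand in for CIM-mapped Authentication events;
Windows Security event 4625 maps to action="failure" here (assumption).
"""
from collections import defaultdict
from statistics import mean, pstdev

MIN_UNIQUE_ACCOUNTS = 30   # absolute floor stated in the rule description
SIGMA_MULTIPLIER = 3       # the "3-sigma" outlier threshold


def unique_accounts_per_source(events):
    """Count distinct target accounts with failed logons, keyed by source.

    `events` is an iterable of dicts with keys src, user, action, signature_id
    (assumed field names). Only failed authentications are counted, matching
    the rule's focus on event ID 4625; successes are ignored.
    """
    accounts = defaultdict(set)
    for ev in events:
        if ev.get("action") == "failure":
            accounts[ev["src"]].add(ev["user"].lower())
    return {src: len(users) for src, users in accounts.items()}


def detect_password_spray(events, min_unique=MIN_UNIQUE_ACCOUNTS, k=SIGMA_MULTIPLIER):
    """Flag sources whose unique-account count exceeds the floor AND is at
    least mean + k * stdev of all sources' counts in the window.

    Assumption: the baseline is every source in the window, using the
    population standard deviation. Returns (flagged_sources, upper_bound, counts).
    """
    counts = unique_accounts_per_source(events)
    if not counts:
        return [], 0.0, counts
    values = list(counts.values())
    upper = mean(values) + k * pstdev(values)
    flagged = sorted(src for src, n in counts.items() if n > min_unique and n >= upper)
    return flagged, upper, counts


def make_failures(src, n_accounts, prefix="user"):
    """Constructed 4625-style failure events: one per distinct account."""
    return [
        {"src": src, "user": f"{prefix}{i:03d}", "action": "failure", "signature_id": 4625}
        for i in range(n_accounts)
    ]


def build_spray_window():
    """Constructed window: 20 ordinary workstations, one source spraying 60 accounts."""
    events = []
    for i in range(20):
        events += make_failures(f"10.0.0.{i + 10}", 2, prefix=f"ws{i}-")
    events += make_failures("203.0.113.7", 60)
    # A successful logon from the same source must not inflate its count.
    events.append({"src": "203.0.113.7", "user": "user000", "action": "success", "signature_id": 4624})
    return events


def build_quiet_window():
    """Constructed window: one source is elevated relative to peers (20 accounts)
    but stays under the 30-account floor, so the rule should stay silent."""
    events = []
    for i in range(20):
        events += make_failures(f"10.0.0.{i + 10}", 2, prefix=f"ws{i}-")
    events += make_failures("10.0.0.99", 20)
    return events


if __name__ == "__main__":
    for label, window in (("spray", build_spray_window()), ("quiet", build_quiet_window())):
        flagged, upper, counts = detect_password_spray(window)
        print(f"{label}: upper bound = {upper:.1f}, flagged = {flagged}")
```

Two properties of the threshold are worth noticing when tuning. First, the floor matters: in the quiet window the 20-account source clears mean + 3 * stdev (about 14.4 with the constructed data) but is still suppressed because it never exceeds 30. Second, a single outlier inflates the standard deviation it is measured against, so with very few sources or buckets in the baseline the z-score of even an extreme sprayer is capped at roughly the square root of the population size; the baseline window therefore needs enough sources for the 3-sigma part to be meaningful.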
Categories
- Windows
- Cloud
- Endpoint
- Identity Management
Data Sources
- Windows Registry
- Logon Session
ATT&CK Techniques
- T1110
- T1110.003
Created: 2025-01-21