Potential Password Spraying Attack via SSH

Elastic Detection Rules

Summary
This rule identifies potential password spraying attacks against SSH by monitoring multiple failed login attempts from a single IP address across many user accounts within a short time window. It uses ES|QL to group failed authentication events into five-minute buckets, specifically targeting "ssh_login" and "user_login" actions that resulted in failure. The rule keeps only events whose source IP is known, then counts distinct user names and total failed attempts per source IP to detect patterns indicative of password spraying. If a single source IP is responsible for more than 10 distinct user names and more than 30 failed login attempts within a five-minute interval, the rule triggers an alert. Password spraying spreads attempts across many accounts rather than concentrating on a single one, which lowers the chance of detection and makes it a prevalent method for unauthorized access attempts.
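The aggregation the rule performs, reimplemented in Python as an added example (this is not the rule's own ES|QL, nor Elastic's code) over a constructed set of auth events. It assumes ECS-style field names (`@timestamp`, `event.action`, `event.outcome`, `source.ip`, `user.name`) and applies the page's thresholds: more than 10 distinct users and more than 30 failures per source IP in a five-minute bucket.

```python
from collections import defaultdict
from datetime import datetime

# Window and thresholds taken from the rule description.
BUCKET_SECONDS = 5 * 60
MIN_DISTINCT_USERS = 10
MIN_FAILED_ATTEMPTS = 30
WATCHED_ACTIONS = {"ssh_login", "user_login"}


def bucket_start(ts: str) -> int:
    """Truncate an ISO-8601 UTC timestamp to the start of its 5-minute bucket (epoch seconds)."""
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return epoch - (epoch % BUCKET_SECONDS)


def detect_spray(events):
    """Return sorted (bucket_start, source_ip) pairs that exceed both thresholds.

    Keeps only failed ssh_login/user_login events with a known source IP, groups
    them per (5-minute bucket, source IP), then counts distinct user names and
    total failures, exactly as the rule's ES|QL aggregation is described.
    Field names are assumed ECS names, not taken from the rule itself.
    """
    users = defaultdict(set)
    failures = defaultdict(int)
    for ev in events:
        if ev.get("event.action") not in WATCHED_ACTIONS:
            continue
        if ev.get("event.outcome") != "failure" or not ev.get("source.ip"):
            continue
        key = (bucket_start(ev["@timestamp"]), ev["source.ip"])
        users[key].add(ev["user.name"])
        failures[key] += 1
    return sorted(
        key for key in failures
        if len(users[key]) > MIN_DISTINCT_USERS and failures[key] > MIN_FAILED_ATTEMPTS
    )


# Constructed sample events: one spraying IP (12 users, 36 failures inside the
# 10:00-10:05 bucket) and one benign IP with three failures on a single account.
SAMPLE_EVENTS = [
    {"@timestamp": f"2025-12-24T10:0{i % 5}:{(i * 7) % 60:02d}Z", "event.action": "ssh_login",
     "event.outcome": "failure", "source.ip": "198.51.100.7", "user.name": f"user{i % 12}"}
    for i in range(36)
] + [
    {"@timestamp": f"2025-12-24T10:01:{s:02d}Z", "event.action": "ssh_login",
     "event.outcome": "failure", "source.ip": "203.0.113.5", "user.name": "alice"}
    for s in (5, 10, 15)
]

if __name__ == "__main__":
    print(detect_spray(SAMPLE_EVENTS))  # flags only 198.51.100.7 in the 10:00 bucket
```

Note that both thresholds are strict (30 failures across 12 users does not alert), so the third assertion in a test of this block should check that boundary.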
Categories
  • Endpoint
  • Linux
Data Sources
  • User Account
  • Network Traffic
  • Logon Session
ATT&CK Techniques
  • T1110
  • T1110.001
  • T1110.003
Created: 2025-12-24