AWS Management Console Brute Force of Root User Identity

Elastic Detection Rules

Summary
This detection rule identifies brute-force login attempts against the AWS root user, which has complete access to all resources in the account. The rule monitors failed root login attempts recorded in AWS CloudTrail logs; a high number of failures in a short time frame suggests an adversary is trying to gain unauthorized access by brute force. The rule alerts when 10 or more failed login attempts occur from the same AWS account within a 20-minute window. False positives can arise from legitimate user errors or from automated processes using outdated credentials, so investigation steps include reviewing the logs for unusual source IP addresses and for any successful logins, checking for geographical anomalies, and applying response measures such as disabling the root user account, resetting its password, and enabling multi-factor authentication (MFA). The integration requires AWS Fleet or similar compatibility for functionality.
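The threshold logic described above (10 failed root ConsoleLogin events from one account inside a 20-minute window), as an added illustration that is not the Elastic rule's own query: it reads raw CloudTrail JSON records rather than ECS-normalised fields, and the account IDs, timestamps and events are constructed sample data. The sliding window also shows the rule's edge case, a slow trickle of failures spread beyond 20 minutes that never reaches the threshold.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                   # failed root console logins ...
WINDOW = timedelta(minutes=20)   # ... within this span, per AWS account
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime format

def parse_event(line):
    """Pull the fields the rule needs out of one raw CloudTrail JSON record."""
    ev = json.loads(line)
    failed_root = (ev.get("eventName") == "ConsoleLogin"
                   and ev.get("userIdentity", {}).get("type") == "Root"
                   and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure")
    return {"time": datetime.strptime(ev["eventTime"], TIME_FMT),
            "account": ev["recipientAccountId"], "failed_root": failed_root}

def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {account_id: time of the failure that crossed the threshold}."""
    recent = defaultdict(deque)  # account -> failure timestamps still inside the window
    alerts = {}
    for ev in sorted(map(parse_event, lines), key=lambda e: e["time"]):
        if not ev["failed_root"]:
            continue             # successes and non-root identities are out of scope
        q = recent[ev["account"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:  # evict failures older than 20 minutes
            q.popleft()
        if len(q) >= threshold and ev["account"] not in alerts:
            alerts[ev["account"]] = ev["time"]
    return alerts

def make_event(t, account, outcome, identity="Root"):
    """Constructed CloudTrail-shaped record for testing; not real log data."""
    return json.dumps({"eventTime": t.strftime(TIME_FMT), "eventName": "ConsoleLogin",
                       "userIdentity": {"type": identity}, "recipientAccountId": account,
                       "responseElements": {"ConsoleLogin": outcome}})

BASE = datetime(2024, 1, 1, 12, 0, 0)  # constructed start time

def burst(account, count, step_min=1, outcome="Failure", identity="Root"):
    """count events for one account, step_min minutes apart (constructed data)."""
    return [make_event(BASE + timedelta(minutes=i * step_min), account, outcome, identity)
            for i in range(count)]

# 12 root failures one minute apart (alerts), one success, 3 failures (below threshold),
# 15 IAM-user failures (wrong identity type, ignored by this rule)
SAMPLE_LINES = (burst("111111111111", 12) + burst("111111111111", 1, outcome="Success")
                + burst("222222222222", 3) + burst("333333333333", 15, identity="IAMUser"))

if __name__ == "__main__":
    for account, when in detect(SAMPLE_LINES).items():
        print(f"ALERT {account}: root brute-force threshold reached at {when:%H:%M}")
```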
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Storage
  • Logon Session
  • Network Traffic
ATT&CK Techniques
  • T1110
Created: 2020-07-21