
Summary
This detection rule identifies anomalous authentication attempts on Windows endpoints, specifically domain controllers. It monitors for a source endpoint that fails to authenticate over the NTLM protocol with multiple invalid usernames. Using Windows Event Log Security EventCode 4776, the rule calculates the standard deviation of invalid-username authentication attempts over time and applies a 3-sigma threshold to flag deviations from normal behavior. Such activity can indicate a Password Spraying attack, in which an attacker tries a small number of common passwords across many accounts, which could lead to unauthorized access or privilege escalation if successful. Implementing this detection requires ingesting Domain Controller events and enabling the relevant security audit policies so that the events are actually recorded. The rule also accounts for known false positives, so that alerts fire on genuine threats while noise from legitimate activity is kept to a minimum. Overall, this rule plays an essential role in the Active Directory security posture by alerting on suspicious authentication activity that could signify a larger compromise.
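The following Python sketch is an added illustration of the 3-sigma approach described above; it is not the rule's own search logic. It builds a constructed set of 4776-style records, counts distinct non-existent usernames per source workstation in 5-minute buckets, and flags buckets that exceed the per-workstation mean plus three standard deviations (the field names, the 5-minute span, and the minimum-account floor are assumptions, not values taken from the rule).

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# 4776 error codes: 0xC0000064 = account name does not exist, 0xC000006A = bad password.
STATUS_NO_SUCH_USER = "0xC0000064"
STATUS_WRONG_PASSWORD = "0xC000006A"

def make_sample_events():
    """Constructed 4776-style records (not real logs): a quiet baseline of typos
    from WS01, then one 5-minute window in which 40 different unknown accounts fail."""
    t0 = datetime(2024, 11, 13, 9, 0, 0)
    events = []
    for i in range(12):                 # 12 baseline windows with 1 or 2 mistyped names each
        for j in range(1 + i % 2):
            events.append({"_time": t0 + timedelta(minutes=5 * i, seconds=30 * j),
                           "Workstation": "WS01", "user": f"typo{i}_{j}",
                           "Error_Code": STATUS_NO_SUCH_USER})
    for k in range(40):                 # burst window: 40 distinct non-existent accounts
        events.append({"_time": t0 + timedelta(minutes=60, seconds=5 * k),
                       "Workstation": "WS01", "user": f"guess{k}",
                       "Error_Code": STATUS_NO_SUCH_USER})
    events.append({"_time": t0 + timedelta(minutes=60), "Workstation": "WS01",
                   "user": "alice", "Error_Code": STATUS_WRONG_PASSWORD})  # must be ignored
    return events

def unique_invalid_users(events, span_minutes=5):
    """Count distinct non-existent usernames per (workstation, time bucket)."""
    buckets = defaultdict(set)
    for e in events:
        if e["Error_Code"] != STATUS_NO_SUCH_USER:   # only 'user does not exist' failures
            continue
        ts = e["_time"]
        bucket = ts.replace(minute=ts.minute - ts.minute % span_minutes, second=0, microsecond=0)
        buckets[(e["Workstation"], bucket)].add(e["user"])
    return {k: len(v) for k, v in buckets.items()}

def find_outliers(events, span_minutes=5, sigma=3.0, min_accounts=10):
    """Flag buckets whose distinct-user count exceeds mean + sigma*stdev for that workstation.
    The baseline includes every bucket (like a Splunk eventstats over the search window);
    min_accounts guards against tiny baselines where stdev is ~0 and everything looks anomalous."""
    counts = unique_invalid_users(events, span_minutes)
    per_ws = defaultdict(list)
    for (ws, _), n in counts.items():
        per_ws[ws].append(n)
    outliers = []
    for (ws, bucket), n in sorted(counts.items()):
        upper = mean(per_ws[ws]) + sigma * pstdev(per_ws[ws])
        if n >= min_accounts and n > upper:
            outliers.append((ws, bucket.isoformat(), n, round(upper, 2)))
    return outliers
```

With the constructed data, only the 10:00 bucket (40 distinct accounts against an upper bound of about 35) is flagged; the bad-password event is excluded from the count entirely.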
Categories
- Windows
- Endpoint
- Identity Management
- Other
Data Sources
- Windows Registry
- Active Directory
ATT&CK Techniques
- T1110
- T1110.003
Created: 2024-11-13