AWS CloudTrail Password Spraying

Panther Rules

Summary
The rule targets password spraying against AWS ConsoleLogin events logged in CloudTrail. It triggers when 10 or more distinct usernames fail to authenticate to the AWS Management Console from the same recipient account and region within a 60-minute window. The intent is to detect a credential stuffing pattern aimed at valid accounts (MITRE T1078). It is labeled Experimental and Disabled by default. The Runbook describes triage steps to identify the spray origin (group by source IP, examine subsequent successful logins by targeted usernames, and check for related alerts in the past week). The rule includes test cases showing a failed ConsoleLogin scenario, a non-Console event, and a root user failure, illustrating different signal paths. Overall, the rule emphasizes early discovery of credential-based access attempts, with correlation across accounts, regions, and timeframes to differentiate noisy activity from targeted campaigns.
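The aggregation described above (failed ConsoleLogin events, grouped by recipient account and region, 10 or more distinct usernames inside a sliding 60-minute window) written out as stand-alone Python over constructed CloudTrail-shaped records. This is an added illustration, not the Panther rule's own code; the field names follow the CloudTrail record schema, the sample events are constructed, and labelling a root failure as the username `root` is an assumption made here so that the root test case counts toward the threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def make_event(user, minute, account="111111111111", region="us-east-1",
               event_name="ConsoleLogin", outcome="Failure"):
    """Constructed CloudTrail-shaped record (sample data, not real logs); user=None means root."""
    identity = {"type": "IAMUser", "userName": user} if user else {"type": "Root"}
    return {"eventName": event_name, "eventTime": f"2026-04-21T10:{minute:02d}:00Z",
            "recipientAccountId": account, "awsRegion": region,
            "userIdentity": identity, "responseElements": {"ConsoleLogin": outcome}}

def is_failed_console_login(event):
    """Only ConsoleLogin events whose responseElements report Failure count."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Failure")

def target_username(event):
    """Username the attempt targeted; root carries no userName, so label it 'root' (assumption)."""
    identity = event.get("userIdentity", {})
    return "root" if identity.get("type") == "Root" else identity.get("userName")

def spray_candidates(events, threshold=10, window=timedelta(minutes=60)):
    """Return {(account, region): sorted usernames} for each group in which at
    least `threshold` distinct usernames failed inside one `window`-long span."""
    attempts = defaultdict(list)
    for ev in events:
        if is_failed_console_login(ev) and target_username(ev):
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            key = (ev["recipientAccountId"], ev["awsRegion"])
            attempts[key].append((ts, target_username(ev)))
    hits = {}
    for key, seq in attempts.items():
        seq.sort()                      # slide a time window over ordered attempts
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1
            names = {n for _, n in seq[start:end + 1]}
            if len(names) >= threshold and len(names) > len(hits.get(key, ())):
                hits[key] = sorted(names)   # keep the largest qualifying set
    return hits

# Constructed scenario mirroring the rule's test cases: 11 IAM users and root
# sprayed in one account, a few failures in another, and one non-Console event.
SAMPLE = ([make_event(f"user{i:02d}", 2 * i) for i in range(11)]
          + [make_event(f"other{i}", 5 * i, account="222222222222") for i in range(4)]
          + [make_event("svc", 15, event_name="GetCallerIdentity")]
          + [make_event(None, 40)])
```

Running `spray_candidates(SAMPLE)` flags only the first account, with 12 distinct usernames; the second account's four failures and the non-Console event never reach the threshold.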
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Logon Session
ATT&CK Techniques
  • T1078
Created: 2026-04-21