
Summary
The 'O365 Brute Force Signin' rule monitors Office 365 authentication attempts to identify potential brute force attacks against user accounts. It combines several kinds of login event data: successful logins, failed login attempts, and initial password-based authentication attempts. The detection logic first retrieves the relevant cloud data from Office 365 and classifies each logged event as either a 'success' or a 'failure'. It then applies filters to determine whether a user has had multiple login attempts and whether both 'success' and 'failure' events occurred within a specified timeframe. Counting functions confirm that the number of login attempts (both successes and failures) is significant, and the overall event count is checked to establish suspicious behavior. An alert is triggered when the conditions indicating a potential brute force attack are met, for example two login IDs interacting with more than ten events in total, which indicates intense login activity from one or multiple sources. The detection focuses on the credential access technique commonly used in brute force attacks (MITRE ATT&CK T1110).
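As an added example (not the rule's own query or code), the logic the summary describes run over a few constructed sign-in records: events are classified as success or failure, grouped per user, and an alert is raised when one window holds both outcomes and more than ten events. The field names, the 30-minute window, and reading the ten-event threshold as a per-user count are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on Office 365 sign-in records.
# Field names (time, user, ip, outcome) are assumptions, not the rule's schema.
SAMPLE_EVENTS = [
    {"time": f"2024-02-09T10:{m:02d}:00", "user": "alice@example.com",
     "ip": "203.0.113.7", "outcome": "failure"} for m in range(0, 11)
] + [
    # the successful sign-in that follows the run of failures
    {"time": "2024-02-09T10:12:00", "user": "alice@example.com",
     "ip": "203.0.113.7", "outcome": "success"},
    # bob: two failures, no success, far below the threshold
    {"time": "2024-02-09T10:01:00", "user": "bob@example.com",
     "ip": "198.51.100.2", "outcome": "failure"},
    {"time": "2024-02-09T10:02:00", "user": "bob@example.com",
     "ip": "198.51.100.2", "outcome": "failure"},
]

WINDOW = timedelta(minutes=30)  # assumed timeframe
MIN_EVENTS = 10                 # rule: more than ten events in total


def detect_brute_force(events, window=WINDOW, min_events=MIN_EVENTS):
    """Return one alert per user whose sign-ins inside a single window contain
    both 'success' and 'failure' outcomes and exceed min_events in total."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(
            (datetime.fromisoformat(e["time"]), e["ip"], e["outcome"]))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        start = 0
        # sliding window over the user's time-ordered events
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            outcomes = {o for _, _, o in win}
            if len(win) > min_events and {"success", "failure"} <= outcomes:
                alerts.append({
                    "user": user,
                    "events": len(win),
                    "failures": sum(o == "failure" for _, _, o in win),
                    "successes": sum(o == "success" for _, _, o in win),
                    "sources": sorted({ip for _, ip, _ in win}),
                })
                break  # one alert per user is enough for this window
    return alerts
```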
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Cloud Service
ATT&CK Techniques
- T1110
Created: 2024-02-09