Anthropic Excessive Chat Access Failures

Panther Rules

Summary
Detects when a single actor generates more than 50 claude_chat_access_failed events within a 10-minute window for Anthropic Claude chats. This pattern signals automated enumeration or bulk access attempts rather than normal user browsing. The rule references claude_chat_id to identify the targeted chats: sequential or patterned IDs suggest scripted activity, whereas scattered IDs may indicate shared-link browsing. A dedup window of 10 minutes prevents duplicate alerts for the same burst.

For triage, the rule encourages correlating with claude_chat_viewed counts in the same window to compute a failure-to-success ratio and assess whether the activity is enumerative or legitimate favorite-link usage. It also recommends enriching the IP address (threat intel or VPN/proxy associations) to assess risk posture. The associated MITRE ATT&CK mapping is TA0007:T1087 (Account Discovery), aligning with discovery/credential enumeration behavior.

The rule applies to both user and API actors and inspects fields such as actor.type, claude_chat_id, actor.ip_address, and event.type (claude_chat_access_failed). When triggered, it indicates potential automated activity against an exposed attack surface and warrants follow-up investigation via the provided runbook steps (timeline analysis, cross-event correlation, and network reputation checks).
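The detection and triage logic described above, as an added stand-alone example (not Panther's own rule code): a sliding 10-minute window per actor with a 10-minute dedup, plus the failure-to-view ratio and a sequential-ID heuristic. The CSV log shape, the actor/event field names and the sample values are constructed for this example.

```python
# Added example modelled on the rule's logic; not Panther's own rule code. Log shape and sample data are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 50                  # alert once failures exceed 50 ...
WINDOW = timedelta(minutes=10)  # ... inside a sliding 10-minute window
DEDUP = timedelta(minutes=10)   # suppress repeat alerts for the same burst

def parse(line):
    """Constructed shape: ts,actor.type,actor.ip_address,event.type,claude_chat_id"""
    ts, actor_type, ip, event_type, chat_id = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "actor": f"{actor_type}:{ip}", "event": event_type, "chat": chat_id}

def _trim(q, now):
    """Drop entries older than WINDOW from the front of a per-actor deque."""
    while q and now - q[0][0] > WINDOW:
        q.popleft()

def looks_sequential(chat_ids):
    """Heuristic: numeric suffixes form one contiguous run (scripted enumeration)."""
    nums = sorted({int(c.rsplit("-", 1)[-1]) for c in chat_ids})
    return len(nums) > 1 and nums[-1] - nums[0] + 1 == len(nums)

def detect(lines):
    """Return one alert per actor burst with failure/view counts and ID pattern."""
    fails, views, last_alert, alerts = defaultdict(deque), defaultdict(deque), {}, []
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        actor, now = ev["actor"], ev["ts"]
        _trim(fails[actor], now)
        _trim(views[actor], now)
        if ev["event"] == "claude_chat_viewed":
            views[actor].append((now, ev["chat"]))
        elif ev["event"] == "claude_chat_access_failed":
            fails[actor].append((now, ev["chat"]))
            n_fail, n_view = len(fails[actor]), len(views[actor])
            recently_alerted = actor in last_alert and now - last_alert[actor] < DEDUP
            if n_fail > THRESHOLD and not recently_alerted:
                last_alert[actor] = now
                alerts.append({"actor": actor, "failures": n_fail, "views": n_view,
                               "fail_ratio": n_fail / (n_fail + n_view),
                               "sequential_ids": looks_sequential(c for _, c in fails[actor])})
    return alerts

# Constructed sample: a scripted API actor hits chat-0001..chat-0060 every 5 s,
# while a normal user has 3 failures amid 20 successful views.
T0 = datetime(2026, 5, 13, 10, 0, 0)
def _ts(i, step): return (T0 + timedelta(seconds=i * step)).isoformat() + "Z"
SAMPLE_LOG = [f"{_ts(i, 5)},api,203.0.113.7,claude_chat_access_failed,chat-{i + 1:04d}" for i in range(60)]
SAMPLE_LOG += [f"{_ts(i, 20)},user,198.51.100.4,claude_chat_viewed,chat-{i * 7 % 50:04d}" for i in range(20)]
SAMPLE_LOG += [f"{_ts(i, 60)},user,198.51.100.4,claude_chat_access_failed,chat-{i * 13:04d}" for i in range(3)]
```

Running `detect(SAMPLE_LOG)` yields a single alert for the API actor at its 51st failure (ratio 1.0, sequential IDs), while the browsing user never crosses the threshold.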
Categories
  • Cloud
  • Web
  • Application
Data Sources
  • Application Log
ATT&CK Techniques
  • T1087
Created: 2026-05-13