Detect Password Spray Attack Behavior From Source

Splunk Security Content

Summary
This detection rule identifies potential password spraying by monitoring failed authentication attempts from a single source against multiple unique users. It analyzes authentication logs for patterns in which the same source IP or account attempts to authenticate as a significant number of distinct user accounts. Specifically, the rule flags a source that fails to authenticate as 10 or more unique users while showing only a limited ratio of successful to failed attempts. The rule is intended for real-time monitoring, and its thresholds can be adjusted to the organization's environment. Testing and tuning are essential to reduce false positives, especially in environments where domain controllers or shared services can exhibit similar behavior. The required data source is authentication event logs, which makes the rule applicable across different platforms and infrastructures. The detection is also useful for threat hunting, providing a proactive way to uncover potential credential stuffing or account enumeration activity.
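To make the aggregation concrete, the following is an added Python example (not the rule's own SPL, and not code from Splunk Security Content) that applies the same logic to constructed authentication events: group by source, count the distinct users seen in failed attempts, and apply the 10-unique-user floor stated in the summary together with a success-to-failure ratio cap. The cap value (0.2), the event field names and the sample events are assumptions of this example. The third source illustrates why the ratio matters for shared egress addresses.

```python
from collections import defaultdict

# Thresholds. The 10-unique-user floor is the one the rule summary states; the
# success/failure ratio cap is an assumed tuning value, not the rule's own.
MIN_UNIQUE_FAILED_USERS = 10
MAX_SUCCESS_TO_FAILURE_RATIO = 0.2  # assumption


def build_sample_events():
    """Constructed authentication events (not real data) in a simplified
    shape: src, user, action."""
    events = []
    # 10.0.0.5 fails against 12 distinct users and lands one success: spray-like.
    for i in range(12):
        events.append({"src": "10.0.0.5", "user": f"user{i:02d}", "action": "failure"})
    events.append({"src": "10.0.0.5", "user": "user07", "action": "success"})
    # 10.0.0.9 is one person mistyping a password twice, then logging in.
    events += [
        {"src": "10.0.0.9", "user": "alice", "action": "failure"},
        {"src": "10.0.0.9", "user": "alice", "action": "failure"},
        {"src": "10.0.0.9", "user": "alice", "action": "success"},
    ]
    # 10.0.0.20 is a shared egress address: 11 distinct users each fail once
    # and then succeed, so many distinct failed users but a high success ratio.
    for i in range(11):
        events.append({"src": "10.0.0.20", "user": f"staff{i:02d}", "action": "failure"})
        events.append({"src": "10.0.0.20", "user": f"staff{i:02d}", "action": "success"})
    return events


def aggregate_by_source(events):
    """Per source: distinct users seen in failures, plus success/failure counts.
    Mirrors a stats-by-source aggregation over the authentication logs."""
    stats = defaultdict(lambda: {"failed_users": set(), "successes": 0, "failures": 0})
    for event in events:
        bucket = stats[event["src"]]
        if event["action"] == "failure":
            bucket["failures"] += 1
            bucket["failed_users"].add(event["user"])
        elif event["action"] == "success":
            bucket["successes"] += 1
    return stats


def detect_password_spray(events, min_unique_users=MIN_UNIQUE_FAILED_USERS,
                          max_ratio=MAX_SUCCESS_TO_FAILURE_RATIO):
    """Return findings for sources that failed against at least min_unique_users
    distinct accounts while keeping successes/failures at or below max_ratio."""
    findings = []
    for src, bucket in aggregate_by_source(events).items():
        unique_failed = len(bucket["failed_users"])
        if unique_failed < min_unique_users:
            continue  # not enough distinct targets to look like a spray
        failures = bucket["failures"]
        # failures >= unique_failed >= 1 whenever min_unique_users >= 1;
        # guard anyway so a zero threshold cannot divide by zero.
        ratio = bucket["successes"] / failures if failures else float("inf")
        if ratio > max_ratio:
            continue  # mostly-successful traffic: shared NAT/proxy, not spraying
        findings.append({
            "src": src,
            "unique_failed_users": unique_failed,
            "failures": failures,
            "successes": bucket["successes"],
            "success_failure_ratio": round(ratio, 3),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(build_sample_events()):
        print(finding)
```

Only 10.0.0.5 is reported with these settings. Raising `max_ratio` to 1.0 also pulls in the shared egress address 10.0.0.20, and lowering it to 0.05 drops 10.0.0.5 because of its single success, which is the kind of tuning the summary says each environment needs.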
Categories
  • Identity Management
  • Network
  • Endpoint
Data Sources
  • User Account
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1110
  • T1110.003
Created: 2024-11-13