
Summary
This detection rule identifies multiple consecutive logon failures originating from the same source IP address within a short time frame, a pattern that may indicate brute-force attempts to gain unauthorized access to accounts. Adversaries commonly use this technique to exploit common or weak passwords. The rule relies on Elastic's ingestion of Windows security event logs, focusing on Network type logons (Windows event IDs 4625 and 4624). Using a sequence query, it correlates failed logon attempts for specific users and examines the logon status so that alerts carry enough context for triage. Investigation emphasizes the potentially compromised accounts and their associated logs, to determine whether the authentications are legitimate or indicative of malicious intent. A detailed investigation guide is provided, along with response recommendations to mitigate further threats.
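As an added illustration of the detection logic the summary describes (this is example code written for this page, not Elastic's rule or its EQL query), the following Python sketch applies the same idea to a batch of constructed Windows Security events: it keeps only Network type (LogonType 3) 4625 failures with a usable remote source address, groups them by host and source IP, and raises an alert when a threshold of failures lands within a short sliding window. The field names follow ECS/Winlogbeat naming conventions, but the exact field set, the threshold of 10 failures and the 5-second window are assumptions chosen to mirror the rule's description; the sample events are constructed, not real telemetry.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Field names below follow ECS / Winlogbeat conventions (assumption; adjust to your pipeline).
LOOPBACK = {"127.0.0.1", "::1"}


def is_candidate_failure(ev):
    """Keep only Network type (LogonType 3) 4625 events with a usable remote source."""
    if ev.get("event.code") != "4625":
        return False
    if ev.get("winlog.event_data.LogonType") != "3":
        return False
    src = ev.get("source.ip")
    if not src or src in LOOPBACK:
        return False
    if (ev.get("user.name") or "").upper() == "ANONYMOUS LOGON":
        return False
    return True


def detect_logon_failure_bursts(events, threshold=10, window=timedelta(seconds=5)):
    """Sliding-window count of qualifying failures per (host, source IP).

    Emits one alert when `threshold` failures from the same source land within
    `window`, then resets that source's window so a long-running spray yields
    one alert per `threshold` failures rather than one alert per event.
    """
    windows = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not is_candidate_failure(ev):
            continue
        key = (ev.get("host.name"), ev["source.ip"])
        q = windows[key]
        q.append(ev)
        # Drop failures that have aged out of the window.
        while q and ev["@timestamp"] - q[0]["@timestamp"] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "host": key[0],
                "source_ip": key[1],
                "first_seen": q[0]["@timestamp"],
                "last_seen": ev["@timestamp"],
                "count": len(q),
                # The set of targeted accounts is what the triage guide asks you to review.
                "users": sorted({e.get("user.name") for e in q}),
            })
            q.clear()
    return alerts


def _ev(ts, code, src, user, host="WS01", logon_type="3"):
    """Build a constructed event with the handful of fields the detector reads."""
    return {"@timestamp": ts, "event.code": code, "source.ip": src,
            "user.name": user, "host.name": host,
            "winlog.event_data.LogonType": logon_type}


# Constructed sample data (not real logs).
BASE = datetime(2024, 1, 15, 9, 30, 0)
SAMPLE_EVENTS = (
    # 12 network logon failures from one address in under 4 s, cycling through four accounts
    [_ev(BASE + timedelta(milliseconds=350 * i), "4625", "10.0.0.5", f"user{i % 4}") for i in range(12)]
    # 3 failures from another address: below threshold, should not alert
    + [_ev(BASE + timedelta(seconds=i), "4625", "10.0.0.9", "alice") for i in range(3)]
    # Loopback noise: excluded by the source filter even though it is well above threshold
    + [_ev(BASE + timedelta(milliseconds=100 * i), "4625", "127.0.0.1", "svc") for i in range(15)]
    # A successful logon (4624) is not counted as a failure
    + [_ev(BASE + timedelta(seconds=5), "4624", "10.0.0.5", "user1")]
)

ALERTS = detect_logon_failure_bursts(SAMPLE_EVENTS)

if __name__ == "__main__":
    for a in ALERTS:
        print(f"{a['host']} <- {a['source_ip']}: {a['count']} failures "
              f"between {a['first_seen']} and {a['last_seen']}, accounts {a['users']}")
```

Running it yields a single alert for 10.0.0.5 listing the four targeted accounts, while the below-threshold source and the loopback noise produce nothing. A follow-up 4624 from the same address after such a burst is the event an analyst would pull next when checking whether any of those accounts was actually compromised.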
Categories
- Endpoint
- Windows
- Cloud
Data Sources
- User Account
- Windows Registry
- Logon Session
- Application Log
ATT&CK Techniques
- T1110
- T1110.001
- T1110.003
Created: 2020-08-29