
Summary
The 'Spike in Logon Events' machine learning detection rule identifies significant increases in successful authentication attempts, which may signal password spraying, user enumeration, or brute force attacks. The rule employs an anomaly detection algorithm, configured to alert when the anomaly threshold of 75% is exceeded. It relies on data obtained from integrations such as Elastic Defend, Auditd Manager, and the System integration. Once enabled, it runs a machine learning job that continuously analyzes logon events over a specified interval and detects patterns that deviate from the norm. The rule aims to mitigate potential threats by alerting security personnel to investigate and respond to unusual authentication activity, which involves careful scrutiny of the affected accounts, source IP addresses, and any related alerts. It also acknowledges that false positives can arise from legitimate system activity such as CI build processes or routine logins by support teams. To manage these false alerts, organizations may exclude known systems or adjust the sensitivity of the detection model.
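The spike logic, exclusion of known noisy systems and threshold described above, shown as an added illustration rather than the rule's own ML job: a constructed sample of logon events is counted per interval and compared against a rolling median baseline, with the score scale and the host and user names being assumptions of this example.

```python
"""Simplified stand-in for the 'Spike in Logon Events' logic (added example).

Not Elastic's anomaly-detection job: successful logons are counted per
interval and scored as percent increase over the median of the preceding
intervals, with an exclusion list for known noisy hosts such as CI runners.
"""
from statistics import median

SUCCESS = "success"


def build_sample_events():
    """Constructed sample of (interval, source_host, user, outcome) tuples."""
    events = []
    for interval in range(10):
        # Steady background: 10 routine successful logons per interval.
        events += [(interval, f"wks-{n:02d}", f"user{n:02d}", SUCCESS) for n in range(10)]
        events.append((interval, f"wks-{interval:02d}", "user99", "failure"))
    # Known CI runner authenticating 40 times in interval 7 (legitimate noise).
    events += [(7, "ci-runner-01", "svc_build", SUCCESS)] * 40
    # Interval 9: 30 successful logons for 30 different accounts from one host.
    events += [(9, "10.0.5.23", f"user{u:02d}", SUCCESS) for u in range(30)]
    return events


def count_successful_logons(events, excluded_hosts=()):
    """Count successful logons per interval, skipping excluded source hosts."""
    counts = {}
    for interval, host, _user, outcome in events:
        if outcome != SUCCESS or host in excluded_hosts:
            continue
        counts[interval] = counts.get(interval, 0) + 1
    return counts


def spike_scores(counts, window=5):
    """Score each interval 0..100 as percent increase over the median of the
    preceding `window` intervals (assumed scoring, capped at 100; the real ML
    job derives a probability-based anomaly score instead)."""
    scores = {}
    intervals = sorted(counts)
    for i in range(window, len(intervals)):
        med = median(counts[j] for j in intervals[i - window:i])
        current = counts[intervals[i]]
        scores[intervals[i]] = min(100.0, max(0.0, 100.0 * (current - med) / max(med, 1)))
    return scores


def spike_alerts(events, threshold=75, excluded_hosts=()):
    """Return intervals whose score meets the threshold (75 mirrors the rule)."""
    scores = spike_scores(count_successful_logons(events, excluded_hosts))
    return [i for i, s in sorted(scores.items()) if s >= threshold]


if __name__ == "__main__":
    sample = build_sample_events()
    print("no exclusions:", spike_alerts(sample))  # [7, 9]: CI run is a false positive
    print("CI excluded:", spike_alerts(sample, excluded_hosts={"ci-runner-01"}))  # [9]
```

Excluding the CI runner removes the interval-7 false positive while the many-account spike in interval 9 still alerts, which is the tuning trade-off the rule's false-positive guidance describes.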
Categories
- Endpoint
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Logon Session
- Application Log
- Network Traffic
ATT&CK Techniques
- T1110
Created: 2021-06-10