Attempts to Brute Force a Microsoft 365 User Account

Elastic Detection Rules

Summary
This detection rule identifies potential brute-force login attempts against Microsoft 365 user accounts by monitoring for a high volume of failed login attempts, or login attempts from a varied set of sources, within a 30-minute window. Attackers may exploit weak passwords or compromised accounts to gain unauthorized access to Microsoft 365 services. The detection logic is written in ES|QL and focuses on authentication-related events extracted from Microsoft 365 audit logs: it filters for the relevant errors, identifies anomalies in login patterns, and counts unique login sources to flag suspicious activity. The accompanying investigation steps cover verifying the nature of the failed attempts, assessing the IP addresses involved, and identifying potential false positives arising from legitimate use cases or geographical discrepancies.
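As an added illustration, not Elastic's rule or its ES|QL, the following Python reproduces the grouping the summary describes over constructed sign-in events: failed logins per user per fixed 30-minute bucket, and the number of distinct source addresses in that bucket. The thresholds, field names and sample events are assumptions, since the rule page gives no numbers.

```python
"""Toy re-implementation of the detection's grouping logic over constructed
Microsoft 365-style sign-in events. Thresholds are assumptions: the rule page
speaks only of "high volumes" and "varied login sources" within 30 minutes."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10      # assumed: failed sign-ins per user per 30-minute bucket
SOURCE_THRESHOLD = 3     # assumed: distinct source IPs per user per bucket


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def brute_force_candidates(events):
    """Return {user: (failures, unique_sources)} for users whose failed sign-ins
    in any 30-minute bucket reach either assumed threshold.
    Each event is a dict with "@timestamp", "user", "source_ip", "outcome"."""
    # Bucket failures into fixed 30-minute windows per user (DATE_TRUNC-style).
    buckets = defaultdict(list)
    for ev in events:
        if ev["outcome"] != "failure":
            continue
        ts = parse(ev["@timestamp"])
        bucket = ts - timedelta(minutes=ts.minute % 30, seconds=ts.second)
        buckets[(ev["user"], bucket)].append(ev["source_ip"])
    hits = {}
    for (user, _bucket), ips in buckets.items():
        failures, sources = len(ips), len(set(ips))
        if failures >= FAIL_THRESHOLD or sources >= SOURCE_THRESHOLD:
            # Keep the worst bucket seen for this user.
            hits[user] = max(hits.get(user, (0, 0)), (failures, sources))
    return hits


# Constructed sample: 12 failures from 4 IPs against one account in 12 minutes,
# plus two ordinary typo failures and a success for another account.
SAMPLE = (
    [{"@timestamp": f"2024-05-01T09:{m:02d}:00Z", "user": "alice@example.com",
      "source_ip": f"203.0.113.{m % 4}", "outcome": "failure"} for m in range(12)]
    + [{"@timestamp": "2024-05-01T09:05:00Z", "user": "bob@example.com",
        "source_ip": "198.51.100.7", "outcome": "failure"},
       {"@timestamp": "2024-05-01T09:06:00Z", "user": "bob@example.com",
        "source_ip": "198.51.100.7", "outcome": "failure"},
       {"@timestamp": "2024-05-01T09:07:00Z", "user": "bob@example.com",
        "source_ip": "198.51.100.7", "outcome": "success"}]
)

if __name__ == "__main__":
    print(brute_force_candidates(SAMPLE))  # {'alice@example.com': (12, 4)}
```

Only failures are counted, so a user who mistypes a password twice and then succeeds is not flagged; tuning the two thresholds is where the false-positive work described in the investigation steps happens.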
Categories
  • Cloud
  • Identity Management
  • Web
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1110
Created: 2020-11-30