
Summary
This detection rule uses machine learning to identify an anomaly: a significant spike in successful authentication events from a single source IP address. The rule is intended to catch password spraying, user enumeration, or brute-force attacks that exceed the defined threshold. It looks back over a 30-minute window and runs every 15 minutes, analyzing data from integrations such as Elastic Defend, Auditd Manager, and System. Users should ensure that the required machine learning jobs are set up and running. Accurate investigation depends on the context of the spike, the assets involved, and the access held by the affected users; legitimate build systems are a potential source of false positives. If suspicious activity is confirmed, remediation includes resetting compromised accounts and auditing for credential exposure.
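As an added illustration (not the rule's own ML job; a fixed spike factor stands in for the anomaly model), the following Python reproduces the logic the summary describes: successful authentications are counted per source IP over a 30-minute window that advances every 15 minutes, and a source whose count jumps far above its own recent baseline is flagged. The events, the spike factor, the minimum count and the allowlist are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(minutes=30)  # lookback window stated in the rule summary
STEP = timedelta(minutes=15)    # the rule's run interval
SPIKE_FACTOR = 5                # assumption: a spike is > 5x the recent median
MIN_COUNT = 10                  # assumption: ignore counts too small to matter
T0 = datetime(2021, 6, 10, 8, 0)  # constructed start time for the sample data

def _ev(ip, minute, outcome="success"):
    return (T0 + timedelta(minutes=minute), ip, outcome)

# Constructed sample events: (timestamp, source.ip, event.outcome)
EVENTS = []
for m in range(0, 180, 8):           # ordinary user, one success every 8 min
    EVENTS.append(_ev("10.0.0.5", m))
for m in range(180):                 # build server: steady 2 successes/min
    EVENTS += [_ev("10.0.0.50", m), _ev("10.0.0.50", m)]
for m in range(0, 150, 10):          # suspicious host: sporadic failures...
    EVENTS.append(_ev("203.0.113.7", m, "failure"))
for i in range(40):                  # ...then 40 successes in 20 minutes
    EVENTS.append(_ev("203.0.113.7", 150 + i // 2))

def count_successes(events, start, end):
    """Successful authentications per source IP within [start, end)."""
    return Counter(ip for ts, ip, outcome in events
                   if outcome == "success" and start <= ts < end)

def find_spikes(events, factor=SPIKE_FACTOR, min_count=MIN_COUNT,
                history=4, allowlist=frozenset()):
    """Slide the 30-minute window forward every 15 minutes; flag a source IP
    whose count exceeds `factor` x its median over the previous `history` windows."""
    first = min(ts for ts, _, _ in events)
    last = max(ts for ts, _, _ in events)
    past, alerts = [], []
    end = first + WINDOW
    while end <= last + STEP:
        current = count_successes(events, end - WINDOW, end)
        if len(past) >= history:            # need a baseline before judging
            for ip, n in current.items():
                if ip in allowlist:         # known build hosts, per the summary
                    continue
                baseline = median(w.get(ip, 0) for w in past[-history:])
                if n >= min_count and n > factor * max(baseline, 1):
                    alerts.append((end, ip, n, baseline))
        past.append(current)
        end += STEP
    return alerts
```

The steady high-volume build server is never flagged because its own baseline is high; the suspicious host is flagged in the two windows that contain its burst.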
Categories
- Endpoint
- Cloud
- Kubernetes
Data Sources
- User Account
- Network Traffic
- Logon Session
- Application Log
- Process
ATT&CK Techniques
- T1110
- T1078
- T1078.002
- T1078.003
Created: 2021-06-10