
Summary
The rule 'Brute Force By IP' detects excessive failed login attempts originating from the same IP address. It fires when a single IP address produces more than 20 failed login attempts within the configured 60-minute window; when that threshold is breached the resulting alert carries the severity level 'Info'. The rule consumes logs from multiple applications, including AWS CloudTrail, Atlassian, Okta, and others, so that authentication attempts can be monitored across sources rather than per application.
The rule ships with tests that specify the expected result for each supported log type, distinguishing successful from failed login attempts. A failure count above the threshold indicates a possible brute-force attack and should prompt investigation of the originating IP, in particular for any subsequent successful authentication or other anomalous behavior from it. The supporting runbook gives actionable steps for analyzing the source IP, including reviewing prior actions tied to the user account targeted by the attempted logins, which can help uncover credential compromise attempts or other security incidents.
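The detection described above, as an added example that is not the rule's own code: a sliding-window count of failed logins per source IP over constructed CloudTrail, Okta, and Atlassian events, using the page's threshold (more than 20 failures) and window (60 minutes). The event shapes, the `source`/`time` wrapper fields, and the Atlassian `action`/`ip` keys are simplified constructions for this example rather than any product's actual schema; the result also records whether a flagged IP later logged in successfully, which is the follow-up the runbook asks for.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 20                  # alert when failures exceed this count (from the rule summary)
WINDOW = timedelta(minutes=60)  # configured time window (from the rule summary)


def normalize(event):
    """Map one raw event to (timestamp, source_ip, failed) or None if unsupported.

    The wrapper keys 'source' and 'time' and the Atlassian fields are constructed
    for this example; they are not a real log schema.
    """
    src = event.get("source")
    ts = datetime.fromisoformat(event["time"])
    if src == "cloudtrail":
        failed = event["responseElements"].get("ConsoleLogin") == "Failure"
        ip = event["sourceIPAddress"]
    elif src == "okta":
        failed = event["outcome"]["result"] == "FAILURE"
        ip = event["client"]["ipAddress"]
    elif src == "atlassian":
        failed = event["action"] == "login_failed"
        ip = event["ip"]
    else:
        return None
    return ts, ip, failed


def detect(events, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: details} for every IP whose failures in any window exceed the threshold.

    Events are sorted by time, so the window is evaluated in arrival order.
    A success from an already-flagged IP sets 'later_success', the signal an
    analyst would look for when triaging the alert.
    """
    rows = [r for r in map(normalize, events) if r is not None]
    rows.sort(key=lambda r: r[0])
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}
    for ts, ip, failed in rows:
        if not failed:
            if ip in flagged:
                flagged[ip]["later_success"] = True
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = {"failures": len(q), "first": q[0], "last": ts, "later_success": False}
        elif ip in flagged:
            flagged[ip]["failures"] = max(flagged[ip]["failures"], len(q))
            flagged[ip]["last"] = ts
    return flagged


def sample_events():
    """Constructed sample data: three IPs with different failure patterns."""
    base = datetime(2022, 9, 2, 10, 0, 0)
    events = []
    # 21 CloudTrail console-login failures in 30 minutes, then an Okta success: should alert.
    for i in range(21):
        events.append({"source": "cloudtrail", "time": (base + timedelta(minutes=i * 1.5)).isoformat(),
                       "sourceIPAddress": "203.0.113.7",
                       "responseElements": {"ConsoleLogin": "Failure"}})
    events.append({"source": "okta", "time": (base + timedelta(minutes=35)).isoformat(),
                   "client": {"ipAddress": "203.0.113.7"}, "outcome": {"result": "SUCCESS"}})
    # 5 Atlassian failures: well under the threshold.
    for i in range(5):
        events.append({"source": "atlassian", "time": (base + timedelta(minutes=i)).isoformat(),
                       "ip": "198.51.100.9", "action": "login_failed"})
    # 21 Okta failures spread over two hours: never more than 11 inside any 60-minute window.
    for i in range(21):
        events.append({"source": "okta", "time": (base + timedelta(minutes=i * 6)).isoformat(),
                       "client": {"ipAddress": "192.0.2.44"}, "outcome": {"result": "FAILURE"}})
    return events


if __name__ == "__main__":
    for ip, info in detect(sample_events()).items():
        print(ip, info)
```

Only the first IP is reported: the slow attempt from 192.0.2.44 reaches 21 failures in total but never exceeds 20 within a single 60-minute window, which is exactly the blind spot a window-based threshold has against low-and-slow attempts and a reason to pair this rule with longer-horizon counting.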
Categories
- Cloud
- Application
- Identity Management
Data Sources
- Container
- User Account
- Web Credential
- Network Traffic
- Application Log
ATT&CK Techniques
- T1110
Created: 2022-09-02