Windows Unusual Count Of Users Failed To Authenticate Using NTLM

Splunk Security Content

Summary
This detection rule identifies potential password spraying attacks against a Windows environment over the NTLM protocol. It monitors Windows Security Event 4776, which records failed NTLM authentication attempts, and looks for a single source endpoint from which multiple valid user accounts fail to authenticate. Using statistical analysis, specifically the 3-sigma rule, it flags sources whose count of distinct failed user accounts is anomalously high compared with the rest of the environment. A trigger may indicate that an attacker is systematically trying credentials across many accounts, which carries the risk of account compromise and unauthorized lateral movement within the network. Implementation requires enabling a specific auditing policy on Domain Controllers so that all relevant events are collected. To reduce false positives, the rule considers the context of the authentication attempts, distinguishing typical behavior from potential attack activity.
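The following is an added example, not the Splunk rule's own SPL, that reproduces the logic the summary describes in Python: parse Event 4776 records, count distinct valid accounts that failed per source workstation, then apply a mean + 3*stdev threshold across sources. The line format, the workstation and account names, and the helper names are constructed for this example; the NTSTATUS values 0xC000006A (wrong password) and 0xC0000064 (no such user) are real Windows status codes.

```python
import re
import statistics
from collections import defaultdict

# Regex over a constructed key=value rendering of the 4776 fields (not Splunk's field names).
EVENT_RE = re.compile(
    r"EventCode=(?P<code>\d+)\s+TargetUserName=(?P<user>\S+)\s+"
    r"Workstation=(?P<src>\S+)\s+Status=(?P<status>0x[0-9A-Fa-f]+)"
)

STATUS_WRONG_PASSWORD = "0xC000006A"  # account exists, bad password: a "valid user" failure
STATUS_NO_SUCH_USER = "0xC0000064"    # account does not exist: not counted as a valid-user failure


def build_sample_events():
    """Constructed sample: 20 ordinary workstations where one or two users mistype a
    password, plus one source (SPRAY-SRC) cycling through 15 valid accounts."""
    lines = []
    for i in range(20):
        src = f"WS-{i:02d}"
        lines.append(f"EventCode=4776 TargetUserName=user{i} Workstation={src} Status={STATUS_WRONG_PASSWORD}")
        if i % 3 == 0:  # a second user fails on every third workstation
            lines.append(f"EventCode=4776 TargetUserName=svc{i} Workstation={src} Status={STATUS_WRONG_PASSWORD}")
        # A successful validation (Status 0x0) from the same workstation; ignored by the count.
        lines.append(f"EventCode=4776 TargetUserName=user{i} Workstation={src} Status=0x0")
    for n in range(15):
        lines.append(f"EventCode=4776 TargetUserName=acct{n} Workstation=SPRAY-SRC Status={STATUS_WRONG_PASSWORD}")
    # Guesses against non-existent accounts from the spraying source: excluded from the count.
    for n in range(3):
        lines.append(f"EventCode=4776 TargetUserName=ghost{n} Workstation=SPRAY-SRC Status={STATUS_NO_SUCH_USER}")
    return lines


def parse_events(lines):
    """Return the parsed 4776 records as dicts; lines that do not match are dropped."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m and m.group("code") == "4776":
            events.append(m.groupdict())
    return events


def count_failed_users_per_source(events):
    """Number of distinct valid accounts that failed with a wrong password, per source."""
    users_by_src = defaultdict(set)
    for ev in events:
        if ev["status"] == STATUS_WRONG_PASSWORD:
            users_by_src[ev["src"]].add(ev["user"])
    return {src: len(users) for src, users in users_by_src.items()}


def three_sigma_outliers(counts, sigma=3.0):
    """Flag sources whose distinct-failed-user count exceeds mean + sigma*stdev, with the
    baseline computed over all sources in the window (sample stdev, as Splunk's stdev()).
    Returns (upper_bound, {source: count}); upper_bound is None if the baseline is too small."""
    values = list(counts.values())
    if len(values) < 2:
        return None, {}
    upper = statistics.mean(values) + sigma * statistics.stdev(values)
    return upper, {src: c for src, c in counts.items() if c > upper}


def run_detection(lines=None):
    """End-to-end: parse, aggregate per source, apply the 3-sigma threshold."""
    lines = lines if lines is not None else build_sample_events()
    counts = count_failed_users_per_source(parse_events(lines))
    return three_sigma_outliers(counts)


if __name__ == "__main__":
    upper, hits = run_detection()
    print(f"upper bound (mean + 3*stdev) = {upper:.2f}")
    for src, c in hits.items():
        print(f"ALERT: {src}: {c} distinct valid accounts failed NTLM authentication")
```

Two points the rule summary implies but a first implementation tends to miss: only wrong-password failures count, because a non-existent account says nothing about sprayed valid credentials; and the baseline is taken across all sources in the same time window, so with very few sources a single extreme source inflates the standard deviation enough to hide itself, which is why production rules usually pair the 3-sigma bound with a fixed minimum count.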
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1110
  • T1110.003
Created: 2024-11-13