
Summary
This analytic rule detects potential password spray behavior, characterized by multiple authentication failures for one account from many unique sources. Specifically, it flags a user account that experiences login failures from 10 or more distinct sources within a specified timeframe, indicating that an adversary may be testing various passwords against that account to gain unauthorized access. The detection applies statistical analysis (a distinct-source count per user over a time window) to authentication events, with thresholds tailored to the organization's environment and normal user behavior. It is designed for real-time monitoring as well as threat hunting, so that organizations can respond quickly to suspicious login activity. Because the count of distinct sources varies widely between environments (VPN egress points, NAT, mobile users), the threshold should be calibrated to organizational context; the rule is written for environments using Splunk for security analytics.
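The summary describes the logic but not the query itself, so the following is an added example that reimplements it in Python rather than the rule's own SPL: authentication events are bucketed per user into fixed time windows, failures are de-duplicated by source, and any (user, window) pair with at least the threshold number of distinct sources becomes an alert. The key=value log format, the field names (user, src, result), the one-hour default window and the sample IPs are all assumptions constructed for this example; a real deployment would read normalized authentication events from the SIEM.

```python
"""Added example: detect one account failing authentication from many
distinct sources within a time window (the logic the rule summary describes).
This is not the rule's own SPL; log format and field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (assumed format: ISO timestamp, then key=value pairs).
SAMPLE_LOG = [
    # alice: 12 distinct sources failing within the 10:00 hour, plus one repeat
    *(f"2024-11-13T10:{i:02d}:00Z user=alice src=203.0.113.{i + 1} result=failure"
      for i in range(12)),
    "2024-11-13T10:30:00Z user=alice src=203.0.113.1 result=failure",   # repeat: not double counted
    "2024-11-13T11:30:00Z user=alice src=198.51.100.7 result=failure",  # lands in the next hour bucket
    # bob: only three distinct sources, below the default threshold
    "2024-11-13T10:05:00Z user=bob src=192.0.2.10 result=failure",
    "2024-11-13T10:06:00Z user=bob src=192.0.2.11 result=failure",
    "2024-11-13T10:07:00Z user=bob src=192.0.2.12 result=failure",
    # carol: many successes from many sources; successes are ignored
    *(f"2024-11-13T10:{i:02d}:30Z user=carol src=192.0.2.{100 + i} result=success"
      for i in range(11)),
    "not a valid event line",  # malformed input must be skipped, not crash the detector
]


def parse_event(line):
    """Parse one log line into a dict with ts, user, src, result; None if malformed."""
    tokens = line.split()
    if not tokens:
        return None
    try:
        ts = datetime.strptime(tokens[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = {}
    for token in tokens[1:]:
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    if not {"user", "src", "result"} <= fields.keys():
        return None
    return {"ts": ts, "user": fields["user"], "src": fields["src"], "result": fields["result"]}


def detect_password_spray(lines, threshold=10, window_seconds=3600):
    """Return alerts for (user, window) pairs with >= threshold distinct failing sources.

    Windows are fixed buckets aligned to window_seconds, the same idea as binning
    _time by a span; threshold and window are the knobs the summary says to calibrate.
    """
    sources_by_bucket = defaultdict(set)  # (user, bucket_start_epoch) -> {src, ...}
    for line in lines:
        event = parse_event(line)
        if event is None or event["result"] != "failure":
            continue
        epoch = int(event["ts"].timestamp())
        bucket = epoch - (epoch % window_seconds)
        sources_by_bucket[(event["user"], bucket)].add(event["src"])

    alerts = []
    for (user, bucket), sources in sorted(sources_by_bucket.items()):
        if len(sources) >= threshold:
            alerts.append({
                "user": user,
                "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
                "distinct_sources": len(sources),
                "sources": sorted(sources),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOG):
        print(f"{alert['user']}: {alert['distinct_sources']} distinct sources "
              f"starting {alert['window_start']}")
```

Running it with the defaults alerts only on alice (12 distinct sources in the 10:00 hour); bob stays below the threshold and carol's successful logins are never counted. Widening the window to a day pulls alice's 11:30 failure into the same bucket (13 sources), which is the practical reason the threshold and window have to be tuned together against the organization's own baseline.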
Categories
- Identity Management
- Cloud
- Endpoint
Data Sources
- User Account
- Network Traffic
- Application Log
ATT&CK Techniques
- T1110
- T1110.003
Created: 2024-11-13