
AWS Unusual Number of Failed Authentications From Ip

Splunk Security Content

Summary
This detection rule identifies suspicious login activity in AWS environments by monitoring the number of failed authentication attempts from a single IP address. Using AWS CloudTrail logs, it computes the standard deviation of login failures from the same source within a defined time window and applies the 3-sigma rule to flag an unusually high count of attempts. Anomalous patterns, such as a single IP attempting logins with many different user accounts, may indicate a password spraying attack, in which an attacker tries a few common passwords against many user accounts. If confirmed as malicious, this activity can lead to unauthorized access to AWS accounts, data breaches, and further compromise of AWS resources. The rule adapts to different environments through adjustable bucket span and upper-bound thresholds for authentication attempts, so it can be tuned to specific organizational needs.
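The 3-sigma check described above, as an added Python illustration that is not Splunk's own search and not code from this page: it assumes CloudTrail ConsoleLogin records as dicts, a 10-minute bucket span, and a baseline taken across all (source IP, bucket) failure counts; the sample events are constructed.

```python
"""Constructed 3-sigma check on failed AWS console logins per source IP (not
the Splunk search itself): bucket CloudTrail ConsoleLogin failures by source
IP and time span, then flag buckets above mean + 3*stddev of all buckets."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

def bucket_failures(events, span_seconds=600):
    """Count login failures and distinct user names per (src_ip, bucket_start)."""
    counts, users = defaultdict(int), defaultdict(set)
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue  # only console authentication events matter here
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Failure":
            continue  # successful logins are not counted
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        bucket = int(ts.timestamp()) // span_seconds * span_seconds
        key = (ev["sourceIPAddress"], bucket)
        counts[key] += 1
        users[key].add(ev.get("userIdentity", {}).get("userName", "unknown"))
    return counts, users

def find_outliers(events, span_seconds=600, min_failures=5):
    """Return (src_ip, bucket_start, failures, distinct_users) above 3 sigma."""
    counts, users = bucket_failures(events, span_seconds)
    if not counts:
        return []
    values = list(counts.values())
    upper = mean(values) + 3 * pstdev(values)  # the 3-sigma upper bound
    return sorted((ip, b, n, len(users[(ip, b)]))
                  for (ip, b), n in counts.items()
                  if n > upper and n >= min_failures)

def _event(ip, user, time_str, outcome="Failure"):
    """Build a minimal CloudTrail-shaped ConsoleLogin record (constructed)."""
    return {"eventName": "ConsoleLogin", "eventTime": time_str,
            "sourceIPAddress": ip, "userIdentity": {"userName": user},
            "responseElements": {"ConsoleLogin": outcome}}

# Constructed sample: 20 sources with one failure each across a working day, one
# success to ignore, and 203.0.113.7 failing 30 logins for 30 users in 10 minutes.
SAMPLE_EVENTS = (
    [_event(f"198.51.100.{i}", f"user{i}",
            f"2024-11-14T{8 + i // 3:02d}:{(i % 3) * 20:02d}:00Z") for i in range(20)]
    + [_event("198.51.100.1", "user1", "2024-11-14T08:25:00Z", "Success")]
    + [_event("203.0.113.7", f"user{i}", f"2024-11-14T12:03:{i:02d}Z") for i in range(30)]
)
```

Raising `min_failures` or widening `span_seconds` corresponds to the threshold and bucket-span tuning the summary mentions; a single benign typo per source never crosses the 3-sigma bound here.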
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Storage
ATT&CK Techniques
  • T1110
  • T1586
  • T1586.003
  • T1110.003
  • T1110.004
Created: 2024-11-14