
Windows Multiple Users Fail To Authenticate With ExplicitCredentials

Splunk Security Content

Summary
This rule identifies potential password spraying in a Windows environment: a single source user failing to authenticate, using explicit credentials, against 30 unique target users. It relies on Windows Event ID 4648, which is generated whenever a process attempts to log on with explicitly specified account credentials. One account supplying credentials for that many distinct users is uncommon in normal use and could indicate an attempt to gain access to multiple accounts, so it is treated as a significant security concern. The detection requires Windows Event Logs to be ingested and the relevant security audit policies to be enabled. In an Active Directory context, it surfaces unauthorized access attempts that could lead to privilege escalation and compromise of sensitive information.
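The aggregation the summary describes, as an added illustration rather than the Splunk Security Content search itself: group Event ID 4648 records by host and source user (SubjectUserName), count distinct target accounts (TargetUserName), and alert at 30. The record shape, the field names and the five-minute sliding window are assumptions (the summary names no window), and every event below is constructed sample data. The example goes slightly beyond the summary by showing why a window matters: a slow source that spreads 40 accounts over four hours only alerts when the window is removed.

```python
"""Detection logic for explicit-credential spraying (Windows Event ID 4648).

Added example; this is not the Splunk Security Content search itself.
Field names follow the 4648 event XML (SubjectUserName = account that supplied
the credentials, TargetUserName = account whose credentials were used); every
record produced by make_sample_events() is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

UNIQUE_TARGET_THRESHOLD = 30       # threshold given in the rule summary
WINDOW = timedelta(minutes=5)      # assumption: the summary names no time window


def detect_explicit_credential_spray(events, threshold=UNIQUE_TARGET_THRESHOLD,
                                     window=WINDOW):
    """Return one alert per (host, source user) whose 4648 events name at least
    `threshold` distinct target accounts inside any span of length `window`.
    A window of None disables the time bound (count over all events)."""
    by_source = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 4648:
            continue                                   # other logon events are out of scope
        key = (ev["Computer"], ev["SubjectUserName"].lower())
        by_source[key].append((ev["TimeCreated"], ev["TargetUserName"].lower()))

    alerts = []
    for (host, src), hits in by_source.items():
        hits.sort()                                    # sliding window needs time order
        in_window = {}                                 # target -> count inside the window
        left, peak, peak_targets = 0, 0, set()
        for ts, target in hits:
            in_window[target] = in_window.get(target, 0) + 1
            # evict events older than the window (never when window is None)
            while window is not None and ts - hits[left][0] > window:
                old = hits[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > peak:                  # remember the busiest window seen
                peak, peak_targets = len(in_window), set(in_window)
        if peak >= threshold:
            alerts.append({"host": host, "source_user": src,
                           "distinct_targets": peak,
                           "targets": sorted(peak_targets)})
    return alerts


def make_sample_events():
    """Constructed 4648 records: one spray, one benign runas, one slow scan, one 4624."""
    t0 = datetime(2024, 11, 13, 9, 0, 0)
    events = []
    # svc_backup tries 35 different accounts in under two minutes on WS01 -> alert
    for i in range(35):
        events.append({"EventCode": 4648, "Computer": "WS01",
                       "SubjectUserName": "svc_backup",
                       "TargetUserName": f"user{i:03d}",
                       "TimeCreated": t0 + timedelta(seconds=3 * i)})
    # jdoe legitimately runs tools as three service accounts -> well below threshold
    for name in ("sql_svc", "iis_svc", "backup_svc"):
        events.append({"EventCode": 4648, "Computer": "WS02",
                       "SubjectUserName": "jdoe", "TargetUserName": name,
                       "TimeCreated": t0 + timedelta(minutes=10)})
    # slow_src touches 40 accounts but only one every six minutes -> never 30 in one window
    for i in range(40):
        events.append({"EventCode": 4648, "Computer": "WS03",
                       "SubjectUserName": "slow_src",
                       "TargetUserName": f"acct{i:03d}",
                       "TimeCreated": t0 + timedelta(minutes=6 * i)})
    # an ordinary logon event (4624) must be ignored by the 4648 filter
    events.append({"EventCode": 4624, "Computer": "WS01",
                   "SubjectUserName": "svc_backup", "TargetUserName": "ignored",
                   "TimeCreated": t0})
    return events


if __name__ == "__main__":
    for alert in detect_explicit_credential_spray(make_sample_events()):
        print(f"{alert['host']}: {alert['source_user']} used explicit credentials "
              f"for {alert['distinct_targets']} distinct accounts within {WINDOW}")
```

Running the block alerts only on svc_backup; passing `window=None` additionally flags slow_src, which is the trade-off a tuned version of this rule makes between catching low-and-slow attempts and keeping the alert volume down.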
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1110
  • T1110.003
Created: 2024-11-13