
Summary
The analytic rule Azure AD Multiple Users Failing To Authenticate From Ip aims to detect potential password spraying attacks within an Azure Active Directory environment. In this type of attack, a malicious actor attempts to gain unauthorized access to multiple user accounts by systematically trying a small set of commonly used passwords across numerous accounts. The detection logic uses Azure AD SignInLogs, specifically looking for instances where a single source IP has failed to authenticate with 30 unique valid users within a time span of just 5 minutes. The error code for invalid passwords (error code 50126) is monitored to identify these occurrences. If such behavior is confirmed malicious, it poses a significant risk of unauthorized access, potential data breaches, or account compromises. To use this rule, organizations must ensure their Splunk environment is correctly configured to ingest Azure Active Directory logs via the appropriate EventHub sources and must use the latest Splunk Add-on for Microsoft Cloud Services.
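The following is an added illustration of the detection logic described above, written here in Python rather than taken from the rule's own Splunk search. It re-implements the same idea over constructed sample records: keep only sign-in events with error code 50126, group them by source IP into fixed 5-minute buckets, and flag any bucket in which the number of distinct users reaches 30. The field names (createdDateTime, userPrincipalName, ipAddress, status.errorCode) follow the Microsoft Graph sign-in schema; how they surface in a given Splunk deployment depends on the add-on's field extraction, so treat that mapping, the fixed-bucket windowing and the ">= 30" comparison as assumptions of this example, not statements about the rule.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Azure AD sign-in error code the rule keys on (from the page): wrong password.
# Counting distinct users seen with this code per source IP is the detection.
INVALID_PASSWORD = 50126


def _event(ts, user, ip, code):
    """Build one constructed SignInLogs-style record as a JSON line."""
    return json.dumps({"createdDateTime": ts, "userPrincipalName": user,
                       "ipAddress": ip, "status": {"errorCode": code}})


# Constructed sample data (not real telemetry). One IP fails against 32 distinct
# accounts inside three minutes; a second IP shows a handful of ordinary typos.
SAMPLE_LOG_LINES = (
    [_event(f"2024-11-14T09:0{1 + i // 15}:{(i % 15) * 4:02d}Z",
            f"user{i:02d}@example.com", "203.0.113.10", INVALID_PASSWORD)
     for i in range(32)]
    # successes and a lockout from the same IP/window must not be counted
    + [_event("2024-11-14T09:02:10Z", "user03@example.com", "203.0.113.10", 0),
       _event("2024-11-14T09:02:12Z", "user40@example.com", "203.0.113.10", 50053)]
    # same IP, a later 5-minute window, far below the threshold
    + [_event(f"2024-11-14T09:07:{i:02d}Z", f"user{50 + i}@example.com",
              "203.0.113.10", INVALID_PASSWORD) for i in range(5)]
    # benign IP: three users mistyping their own passwords
    + [_event(f"2024-11-14T09:01:{i * 10:02d}Z", f"alice{i}@example.com",
              "198.51.100.7", INVALID_PASSWORD) for i in range(3)]
)


def parse_event(raw_line):
    """Extract the four fields the detection needs from one JSON log line."""
    rec = json.loads(raw_line)
    ts = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
    return {"time": ts, "user": rec["userPrincipalName"].lower(),
            "src_ip": rec["ipAddress"], "error_code": int(rec["status"]["errorCode"])}


def window_start(ts, span_seconds=300):
    """Fixed UTC time bucket (assumption: fixed, non-sliding 5-minute bins)."""
    epoch = int(ts.timestamp()) // span_seconds * span_seconds
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def detect_password_spray(log_lines, threshold=30, span_seconds=300):
    """Return one finding per (src_ip, window) whose count of distinct users
    with an invalid-password failure reaches `threshold`."""
    buckets = defaultdict(lambda: {"users": set(), "count": 0, "times": []})
    for line in log_lines:
        ev = parse_event(line)
        if ev["error_code"] != INVALID_PASSWORD:   # successes, lockouts, etc. ignored
            continue
        b = buckets[(ev["src_ip"], window_start(ev["time"], span_seconds))]
        b["users"].add(ev["user"])
        b["count"] += 1
        b["times"].append(ev["time"])
    findings = []
    for (src_ip, win), b in sorted(buckets.items()):
        if len(b["users"]) >= threshold:
            findings.append({
                "src_ip": src_ip,
                "window_start": win.isoformat(),
                "unique_accounts": len(b["users"]),
                "count": b["count"],
                "firstTime": min(b["times"]).isoformat(),
                "lastTime": max(b["times"]).isoformat(),
                "users": sorted(b["users"]),
            })
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_LOG_LINES):
        print(f"{f['src_ip']} window {f['window_start']}: "
              f"{f['unique_accounts']} accounts, {f['count']} failures")
```

Two points worth noticing when tuning this kind of rule: fixed 5-minute bins can split a burst that straddles a bin boundary across two buckets, so a slow or boundary-straddling spray may land under the threshold in each; and the distinct-user count, not the raw failure count, is what separates spraying from a single user repeatedly mistyping one password.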
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- Cloud Service
- User Account
- Application Log
ATT&CK Techniques
- T1110
- T1586
- T1586.003
- T1110.003
- T1110.004
Created: 2024-11-14