High Number of Login Failures from a single source

Splunk Security Content

Summary
This detection rule identifies potential brute-force or password-spraying attacks against Office 365 accounts by monitoring failed login attempts from a single source IP address in Azure Active Directory. It uses AzureActiveDirectoryStsLogon records from the Office 365 management activity logs, aggregates them in 5-minute intervals and counts the failed login attempts per source IP. Any source IP that records more than 10 failed login attempts within a 5-minute window is flagged as suspicious. The analytic matters because a successful credential attack hands the attacker a valid account, which can lead to data breaches and further malicious activity. Implementing the rule requires Splunk's Microsoft Office 365 Add-on; the threshold should be tuned to the organization so that legitimate users who mistype their passwords or broken applications that repeatedly fail to authenticate do not generate false positives.
Categories
  • Cloud
  • Identity Management
Data Sources
  • User Account
ATT&CK Techniques
  • T1110
  • T1110.001
Created: 2024-11-14