
Summary
This detection rule identifies a potential password spraying attack against Kerberos authentication in a Windows domain. It monitors Windows Security event log entries for Event ID 4771 (Kerberos pre-authentication failed), which the Key Distribution Center writes on the domain controller, and flags any single source endpoint (the IpAddress field of the event) that fails to authenticate as at least 30 distinct user accounts, where every failure carries Status 0x18 (KDC_ERR_PREAUTH_FAILED, the result of a wrong password). Failures are aggregated into 5-minute windows and an alert is raised when a window meets the threshold. The pattern matters because many accounts tried from one host with one or a few passwords is the signature of an attacker seeking initial access or privilege escalation in Active Directory while staying under per-account lockout thresholds. Two caveats apply when tuning it: 4771 is generated only for accounts that require pre-authentication, and sprays over NTLM surface as 4625/4776 rather than 4771, so this rule covers the Kerberos path only; and vulnerability scanners, misconfigured services, and hosts that share an egress address (NAT, proxies, terminal servers) can legitimately produce many distinct-user failures from one IP, so such sources should be baselined or allowlisted rather than treated as confirmed intrusions. The rule supports proactive defence by surfacing activity that could lead to unauthorized access and theft of sensitive data.
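As an added worked example (not code from the rule or its vendor), the aggregation the summary describes, run over constructed Event ID 4771 records in a flat key=value form. The field names follow the Windows event (EventCode, IpAddress, TargetUserName, Status); the sample records, the flat record format, and the stripping of the `::ffff:` prefix that 4771 puts on IPv4 client addresses are my assumptions for the sake of a self-contained run.

```python
"""Kerberos password-spray detection: distinct accounts failing pre-auth per source IP.

Added example, not the rule's own search. Records are constructed, not real DC logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

KDC_ERR_PREAUTH_FAILED = "0x18"   # Status in 4771 for a wrong password at pre-authentication


def parse_event(line):
    """Parse one 'key=value key=value' record into a dict (assumed flat format).

    Real 4771 events arrive as EVTX/XML; this keeps only the fields the rule uses:
    _time, EventCode, IpAddress, TargetUserName, Status.
    """
    ev = dict(kv.split("=", 1) for kv in line.split())
    ev["_time"] = datetime.fromisoformat(ev["_time"]).replace(tzinfo=timezone.utc)
    # 4771 logs IPv4 clients as IPv4-mapped IPv6 ("::ffff:10.0.0.5"); normalise to IPv4.
    ev["IpAddress"] = ev["IpAddress"].removeprefix("::ffff:")
    return ev


def detect_kerberos_spray(events, threshold=30, window_seconds=300):
    """Alert when one source IP fails pre-auth (Status 0x18) for >= `threshold`
    distinct accounts inside a single tumbling window of `window_seconds`."""
    buckets = defaultdict(set)   # (src_ip, window_start_epoch) -> {accounts}
    for ev in events:
        if ev.get("EventCode") != "4771" or ev.get("Status") != KDC_ERR_PREAUTH_FAILED:
            continue   # locked, disabled, expired (0x12, 0x17, ...) are not password guesses
        account = ev.get("TargetUserName", "").lower()
        if not account:
            continue
        epoch = int(ev["_time"].timestamp())
        window_start = epoch - (epoch % window_seconds)   # tumbling 5-minute bucket
        buckets[(ev["IpAddress"], window_start)].add(account)

    alerts = []
    for (src, window_start), accounts in sorted(buckets.items()):
        if len(accounts) >= threshold:
            alerts.append({
                "src": src,
                "window_start": datetime.fromtimestamp(window_start, tz=timezone.utc),
                "unique_accounts": len(accounts),
                "accounts": sorted(accounts),
            })
    return alerts


def sample_log_lines():
    """Constructed sample records (not real telemetry) for three source hosts."""
    base = datetime(2024, 11, 13, 12, 0, 0)
    fmt = "_time={t} EventCode=4771 IpAddress=::ffff:{ip} TargetUserName={u} Status={s}"
    lines = []
    # 10.0.0.5: sprays 35 distinct accounts in about 2.5 minutes -> should alert
    for i in range(35):
        t = (base + timedelta(seconds=4 * i)).isoformat()
        lines.append(fmt.format(t=t, ip="10.0.0.5", u=f"user{i:03d}", s="0x18"))
    # 10.0.0.9: a handful of bad passwords plus locked-account (0x12) noise -> no alert
    for i in range(5):
        t = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(fmt.format(t=t, ip="10.0.0.9", u=f"user{i:03d}", s="0x18"))
        lines.append(fmt.format(t=t, ip="10.0.0.9", u=f"svc{i:02d}", s="0x12"))
    # 10.0.0.7: 40 distinct accounts, 20 at 12:04:00 and 20 at 12:05:30. The burst
    # straddles the 12:05 boundary, so each tumbling bucket sees only 20 of them.
    for i in range(20):
        t1 = (base + timedelta(seconds=240 + i)).isoformat()
        t2 = (base + timedelta(seconds=330 + i)).isoformat()
        lines.append(fmt.format(t=t1, ip="10.0.0.7", u=f"user{100 + i:03d}", s="0x18"))
        lines.append(fmt.format(t=t2, ip="10.0.0.7", u=f"user{120 + i:03d}", s="0x18"))
    return lines


def run(lines, threshold=30):
    """Parse flat records and apply the detection; returns the alert list."""
    return detect_kerberos_spray((parse_event(ln) for ln in lines), threshold=threshold)


if __name__ == "__main__":
    for a in run(sample_log_lines()):
        print(f"{a['src']} failed pre-auth for {a['unique_accounts']} accounts "
              f"in the window starting {a['window_start']:%H:%M} UTC")
```

With the default threshold only 10.0.0.5 alerts. The 10.0.0.7 case is the one to keep in mind when tuning: fixed 5-minute buckets can split a burst across two windows, so a spray of 40 accounts over 90 seconds goes unreported until the threshold is lowered or a sliding window is used.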
Categories
- Windows
- Endpoint
- Identity Management
Data Sources
- Windows Event Log Security 4771
- Active Directory
ATT&CK Techniques
- T1110
- T1110.003
Created: 2024-11-13