
Summary
This detection rule monitors for potential brute force login attempts against Microsoft 365 accounts. It triggers when a single user account accumulates failed login attempts up to a defined threshold, which suggests that an attacker is trying to guess that account's credentials. The rule is built on the sign-in events that Microsoft 365 records from Azure Active Directory, and it looks specifically for one account whose failed login count reaches the threshold. The pattern is most significant when the repeated failures originate from the same IP address, since a single source cycling through passwords for one account is the classic brute-force signature. Investigation starts with the originating IP address and the activity around the failures; a successful sign-in for the same account from that address shortly after the burst is the case that needs immediate action, while a handful of failures from a user's known address is usually a mistyped password. That context determines whether the attempts were malicious and whether any remediation is necessary. The rule maps to the MITRE ATT&CK tactic Credential Access (TA0006) and the technique Brute Force (T1110).
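As an added illustration, not the rule's own query or any vendor code, the threshold logic described above implemented in Python over a handful of constructed Microsoft 365 audit records. The field names CreationTime, Operation, UserId and ClientIP follow the Office 365 Management Activity API record schema, and UserLoginFailed / UserLoggedIn are the operation names Azure AD sign-in events carry in that log; the sample values, the five-failures-in-ten-minutes threshold and the sliding-window size are assumptions chosen for the demo. The example goes one step beyond the summary by also flagging a successful sign-in from the same source IP that follows the burst, which is the enrichment an analyst wants first.

```python
"""Threshold-based brute-force detection over Microsoft 365 audit records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records shaped like Microsoft 365 Unified Audit Log entries.
# Field names follow the Office 365 Management Activity API schema; all values
# (users, addresses, times) are made up for this example.
SAMPLE_EVENTS = [
    {"CreationTime": "2022-12-13T08:00:00", "Operation": "UserLoginFailed",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2022-12-13T08:00:20", "Operation": "UserLoginFailed",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2022-12-13T08:00:45", "Operation": "UserLoginFailed",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2022-12-13T08:01:10", "Operation": "UserLoginFailed",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2022-12-13T08:01:30", "Operation": "UserLoginFailed",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.7"},
    # A success from the same address right after the burst: the worst case.
    {"CreationTime": "2022-12-13T08:02:00", "Operation": "UserLoggedIn",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.7"},
    # bob: two typos an hour apart, far below any sensible threshold.
    {"CreationTime": "2022-12-13T09:00:00", "Operation": "UserLoginFailed",
     "UserId": "bob@contoso.example", "ClientIP": "198.51.100.4"},
    {"CreationTime": "2022-12-13T10:00:00", "Operation": "UserLoginFailed",
     "UserId": "bob@contoso.example", "ClientIP": "198.51.100.4"},
]


def parse_time(value):
    """Audit timestamps are ISO 8601; the sample omits the timezone suffix."""
    return datetime.fromisoformat(value)


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Emit one alert per user whose UserLoginFailed count reaches `threshold`
    inside a sliding `window`, then reset that user's window so one long
    attack yields a bounded number of alerts rather than one per event.

    Each alert lists the source IPs involved and is marked
    followed_by_success when a UserLoggedIn for the same user arrives from
    one of those IPs within `window` of the burst's last failure.
    """
    ordered = sorted(events, key=lambda e: parse_time(e["CreationTime"]))
    recent = defaultdict(deque)  # user -> deque of (timestamp, ip) failures
    alerts = []

    for ev in ordered:
        user = ev["UserId"]
        ts = parse_time(ev["CreationTime"])
        ip = ev.get("ClientIP", "unknown")

        if ev["Operation"] == "UserLoggedIn":
            # Enrich any open alert for this user: a success from an IP that
            # just produced a failure burst is the signal to act on.
            for alert in alerts:
                if (alert["user"] == user and ip in alert["source_ips"]
                        and ts - alert["last_failure"] <= window):
                    alert["followed_by_success"] = True
            continue

        if ev["Operation"] != "UserLoginFailed":
            continue  # other audit operations are irrelevant to this rule

        q = recent[user]
        q.append((ts, ip))
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()

        if len(q) >= threshold:
            alerts.append({
                "user": user,
                "count": len(q),
                "first_failure": q[0][0],
                "last_failure": ts,
                "source_ips": sorted({entry[1] for entry in q}),
                "followed_by_success": False,
            })
            q.clear()

    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_EVENTS):
        print(alert)
```

The window reset after each alert keeps alert volume bounded during a sustained attack; in a real pipeline the `source_ips` list is what you pivot on next, checking whether the same address is hitting other accounts.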
Categories
- Cloud
- Identity Management
- Infrastructure
Data Sources
- User Account
ATT&CK Techniques
- T1110
Created: 2022-12-13