AWS ConsoleLogin Failed Authentication

Sigma Rules

Summary
This detection rule identifies failed AWS console login attempts due to authentication failures, which is critical for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts. It specifically monitors CloudTrail events for the 'ConsoleLogin' action with an error message indicating a failed authentication. The importance of this rule lies in its ability to enhance security monitoring within AWS environments by detecting patterns indicative of credential stuffing or unauthorized access attempts. Given that these kinds of login failures may precede significant security incidents, proactive monitoring is essential. The rule has been marked as 'experimental', reflecting ongoing adjustments and testing to refine detection capabilities. It is vital to investigate not only the failed attempts but also their source, as legitimate users might also trigger such alerts during password changes or lockouts.
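The matching and triage logic described above, as an added example that is not the rule's own source: it filters CloudTrail records for failed `ConsoleLogin` events and groups them by source so a single mistyped password can be told apart from repeated failures across several users. The field names (`eventName`, `errorMessage`, `sourceIPAddress`, `userIdentity.userName`), the error text "Failed authentication", the threshold, and the sample records are assumptions of this example.

```python
from collections import defaultdict

def _ev(name, ip, user, error=None):
    """Build a constructed CloudTrail-style record (sample data, not a real log)."""
    ev = {"eventName": name, "sourceIPAddress": ip,
          "userIdentity": {"type": "IAMUser", "userName": user}}
    if error:
        ev["errorMessage"] = error
    return ev

# Constructed sample events; the IPs come from documentation address ranges.
SAMPLE_EVENTS = [
    _ev("ConsoleLogin", "203.0.113.10", "alice", "Failed authentication"),
    _ev("ConsoleLogin", "203.0.113.10", "bob", "Failed authentication"),
    _ev("ConsoleLogin", "203.0.113.10", "carol", "Failed authentication"),
    _ev("ConsoleLogin", "198.51.100.7", "dave", "Failed authentication"),
    _ev("ConsoleLogin", "198.51.100.7", "dave"),            # later success
    _ev("AssumeRole", "198.51.100.7", "dave", "AccessDenied"),  # unrelated error
]

def is_failed_console_login(event):
    """True for a ConsoleLogin record whose error message reports failed authentication."""
    message = (event.get("errorMessage") or "").lower()
    return event.get("eventName") == "ConsoleLogin" and "failed authentication" in message

def failures_by_source(events):
    """Group matching events by source IP, tracking the count and the users tried."""
    grouped = defaultdict(lambda: {"count": 0, "users": set()})
    for event in events:
        if not is_failed_console_login(event):
            continue
        source = event.get("sourceIPAddress", "unknown")
        user = (event.get("userIdentity") or {}).get("userName", "unknown")
        grouped[source]["count"] += 1
        grouped[source]["users"].add(user)
    return dict(grouped)

def noisy_sources(events, threshold=3):
    """Sources at or above the (hypothetical) failure threshold, sorted for review."""
    grouped = failures_by_source(events)
    return sorted(src for src, info in grouped.items() if info["count"] >= threshold)

if __name__ == "__main__":
    for src, info in failures_by_source(SAMPLE_EVENTS).items():
        print(src, info["count"], sorted(info["users"]))
    print("review first:", noisy_sources(SAMPLE_EVENTS))
```
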
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Cloud Storage
ATT&CK Techniques
  • T1110.001
Created: 2025-10-19