
Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
Elastic Detection Rules
Summary
This detection rule is designed to identify potential brute-force login attempts against Microsoft 365 user accounts authenticated through Azure Entra ID. It works by monitoring for a high volume of failed interactive or non-interactive login attempts originating from a single IP address within a 30-minute timeframe. The rule focuses on attempts against Microsoft 365 services such as Exchange, SharePoint, and Teams, which adversaries target to gain unauthorized access. The rule logic queries Azure sign-in logs, filters for failed authentication events related to Microsoft 365 services, and then counts the number of distinct user accounts targeted from each source IP. A threshold of at least 10 distinct accounts with failed logins from a single IP triggers an alert, indicating that a brute-force or password-spraying attack may be occurring. False positives can arise from automated login attempts, shared IPs, or legitimate user behavior, so careful analysis and possible exclusions are needed. Recommended investigative steps include reviewing source IP addresses for associations with malicious activity, analyzing the targeted user accounts, and checking which Microsoft services were potentially impacted.
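The counting logic the summary describes, implemented over constructed sign-in events as an added example; this is not the rule's own query, and the flat field names (`ts`, `source_ip`, `user`, `resource`, `outcome`) and the service display names are assumptions standing in for the real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
THRESHOLD = 10
# Resource names a failed login must target to count (assumed display names).
M365_SERVICES = {"Office 365 Exchange Online", "Office 365 SharePoint Online", "Microsoft Teams"}

def is_failed_m365_login(ev):
    return ev["outcome"] == "failure" and ev["resource"] in M365_SERVICES

def detect_spray(events, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: max_distinct_users} for every IP whose failed M365 logins
    hit at least `threshold` distinct accounts inside some sliding `window`."""
    by_ip = defaultdict(list)
    for ev in events:
        if is_failed_m365_login(ev):
            by_ip[ev["source_ip"]].append((datetime.fromisoformat(ev["ts"]), ev["user"]))
    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()  # order by timestamp so a two-pointer window works
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # drop attempts older than the window
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(users))
    return alerts

def _ev(ts, ip, user, resource, outcome="failure"):
    return {"ts": ts, "source_ip": ip, "user": user, "resource": resource, "outcome": outcome}

# Constructed sample events (RFC 5737 documentation addresses, fictitious users).
BASE = datetime(2024, 9, 6, 8, 0, 0)
SAMPLE_EVENTS = (
    # 12 distinct accounts from one IP within 22 minutes -> alert
    [_ev((BASE + timedelta(minutes=2 * i)).isoformat(), "203.0.113.7",
         f"user{i}@example.com", "Office 365 Exchange Online") for i in range(12)]
    # one account failing 12 times -> only 1 distinct user, no alert
    + [_ev((BASE + timedelta(minutes=i)).isoformat(), "198.51.100.2",
           "alice@example.com", "Microsoft Teams") for i in range(12)]
    # 12 accounts but 20 minutes apart -> never 10 inside any 30-minute window
    + [_ev((BASE + timedelta(minutes=20 * i)).isoformat(), "192.0.2.9",
           f"svc{i}@example.com", "Office 365 SharePoint Online") for i in range(12)]
    # a successful login from the spraying IP is ignored by the filter
    + [_ev(BASE.isoformat(), "203.0.113.7", "bob@example.com", "Office 365 Exchange Online", "success")]
)

if __name__ == "__main__":
    print(detect_spray(SAMPLE_EVENTS))
```

The second and third constructed IPs show the two cases the threshold is meant to exclude: many failures against one account, and many accounts spread out beyond the window.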
Categories
- Cloud
- Infrastructure
- Identity Management
- Other
Data Sources
- Cloud Service
- User Account
- Application Log
ATT&CK Techniques
- T1110
Created: 2024-09-06