Summary
This analytic detection rule identifies anomalous NTLM authentication activity in which a single user account makes an unusual number of NTLM authentication requests to multiple destination hosts. Such behavior is a possible indicator of brute force or password spraying attacks against Windows machines in a domain environment. The rule uses Event ID 8004 from the NTLM operational log and applies statistical methods to the number of unique destination hosts each user authenticates to, flagging any activity that significantly exceeds the established threshold. Self-authentication attempts (the workstation authenticating to itself) are filtered out and an upper bound for normal behavior is calculated per user, which improves the accuracy of the detection.
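The following is an added example, not the rule's own query, that models the logic described above in Python: it counts distinct destination hosts per user and day from constructed Event ID 8004-style records, drops self-authentication, derives a per-user upper bound (mean plus three standard deviations of the user's prior days) and flags the day under analysis when it exceeds that bound. The record field names (user, workstation, dest, day) and the minimum-count floor are assumptions for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev


def make_events(user, workstation, day, n_dests, self_auth=False):
    """Build constructed 8004-style records, one per destination host (assumed fields)."""
    dests = [workstation] if self_auth else [f"srv{i:02d}" for i in range(n_dests)]
    return [{"user": user, "workstation": workstation, "dest": d, "day": day} for d in dests]


# Constructed sample: four baseline days plus the day under analysis (day 5).
EVENTS = []
for day, n in enumerate([2, 3, 2, 3, 9], start=1):        # alice spikes on day 5
    EVENTS += make_events("alice", "WS-ALICE", day, n)
for day in range(1, 6):                                    # bob is steady at one host
    EVENTS += make_events("bob", "WS-BOB", day, 1)
EVENTS += make_events("bob", "WS-BOB", 5, 1, self_auth=True)   # self-auth, filtered out
for day, n in enumerate([20, 21, 20, 21, 21], start=1):    # noisy but normal for this account
    EVENTS += make_events("svc_scan", "WS-SCAN", day, n)


def unique_dest_counts(events):
    """Per (user, day): number of distinct destination hosts, excluding self-authentication."""
    per_user_day = defaultdict(set)
    for e in events:
        if e["workstation"].lower() == e["dest"].lower():
            continue  # a host authenticating to itself is not a spray/brute-force signal
        per_user_day[(e["user"], e["day"])].add(e["dest"].lower())
    return {key: len(dests) for key, dests in per_user_day.items()}


def find_outliers(events, current_day, sigma=3.0, min_unique=5):
    """Flag users whose unique-destination count on current_day exceeds their own baseline."""
    counts = unique_dest_counts(events)
    history = defaultdict(list)
    for (user, day), n in counts.items():
        if day != current_day:
            history[user].append(n)
    outliers = {}
    for (user, day), n in counts.items():
        if day != current_day:
            continue
        hist = history.get(user, [])
        # Upper bound = mean + sigma * stdev of prior days; with no baseline fall back to the floor.
        upper = mean(hist) + sigma * pstdev(hist) if len(hist) >= 2 else float(min_unique)
        if n > upper and n >= min_unique:   # floor suppresses noise from tiny baselines
            outliers[user] = {"unique_dest": n, "upper_bound": round(upper, 2)}
    return outliers
```

The fixed floor keeps a user whose baseline is a single host from firing on a second host, while the per-user bound lets a legitimately noisy account stay quiet.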
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Logon Session
- Application Log
ATT&CK Techniques
- T1110
- T1110.003
Created: 2024-11-13