Windows Unusual Count Of Users Failed To Auth Using Kerberos

Splunk Security Content

Summary
This detection identifies unusual authentication patterns in Windows environments, specifically a high number of distinct valid accounts failing Kerberos authentication from a single source endpoint. The rule counts Windows Security Event ID 4771 (Kerberos pre-authentication failed), which the Key Distribution Center (KDC) logs when it cannot issue a Ticket Granting Ticket (TGT); a failure status of 0x18 means the pre-authentication data was invalid, in practice a wrong password. Many such failures across different user names from one source address within a short window are a strong indicator of Password Spraying, in which an attacker tries a few commonly used passwords against a long list of valid usernames so that no single account reaches its lockout threshold. To separate this from ordinary mistyped passwords, the rule applies the 3-sigma rule: a source is flagged when its count of unique accounts with failed authentication exceeds the mean by more than three standard deviations. Early detection of this activity helps catch attempts to compromise user accounts in an Active Directory domain before a valid password is found. Implementation requires ingesting Domain Controller Security logs and enabling the Advanced Security Auditing subcategory that produces event 4771 (Account Logon, Audit Kerberos Authentication Service).
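The counting and 3-sigma logic described above, as an added example run over constructed sample events. This is not the rule's own Splunk search; the "time key=value" line format, the field names (EventCode, TargetUserName, IpAddress, Status), the two-minute bucket, the floor of ten accounts and the sample addresses are assumptions made here for illustration.

```python
"""Added example (not the Splunk rule's own SPL): password-spray detection over
Windows Event ID 4771 (Kerberos pre-authentication failed) records.

Per source IP and two-minute bucket it counts distinct accounts whose
pre-authentication failed with Status 0x18 (wrong password), then flags
buckets whose distinct-account count exceeds mean + 3 * stdev of all
source/bucket counts and a minimum floor.  Assumes a constructed
"time key=value ..." line format rather than the real XML/EVTX layout.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, stdev

WRONG_PASSWORD = "0x18"   # KDC_ERR_PREAUTH_FAILED: pre-auth data invalid (bad password)


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime under 'time'."""
    stamp, rest = line.split(" ", 1)
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["time"] = datetime.fromisoformat(stamp)
    return fields


def bucket_start(ts, span_seconds):
    """Align a timestamp to the start of its fixed-width bucket (like Splunk's bucket span)."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    offset = int((ts - midnight).total_seconds()) % span_seconds
    return ts.replace(microsecond=0) - timedelta(seconds=offset)


def distinct_failed_accounts(lines, span_seconds=120):
    """Map (IpAddress, bucket_start) -> set of accounts that failed pre-auth with a wrong password."""
    buckets = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev.get("EventCode") != "4771" or ev.get("Status") != WRONG_PASSWORD:
            continue                      # other pre-auth failures (e.g. 0x12, revoked) are not spray evidence
        if ev["TargetUserName"].endswith("$"):
            continue                      # computer accounts are not spray targets
        key = (ev["IpAddress"], bucket_start(ev["time"], span_seconds))
        buckets[key].add(ev["TargetUserName"])
    return buckets


def detect_spray(lines, span_seconds=120, sigma=3.0, min_accounts=10):
    """Return buckets whose distinct-account count is >= min_accounts and >= mean + sigma*stdev.

    The baseline is taken over every (source, bucket) row in the input, so a
    source never seen before is still compared against normal behaviour.
    """
    buckets = distinct_failed_accounts(lines, span_seconds)
    counts = [len(users) for users in buckets.values()]
    if len(counts) < 2:
        return []                         # sample stdev needs at least two rows; no baseline yet
    upper = mean(counts) + sigma * stdev(counts)
    alerts = []
    for (ip, start), users in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        if len(users) >= min_accounts and len(users) >= upper:
            alerts.append({"IpAddress": ip, "bucket": start.isoformat(),
                           "unique_accounts": len(users), "upper_bound": round(upper, 2),
                           "tried_accounts": sorted(users)})
    return alerts


def make_sample_log():
    """Constructed sample data (not real logs): 30 quiet buckets, then one burst."""
    base = datetime(2024, 11, 13, 8, 0, 0)
    fmt = "{t} EventCode=4771 TargetUserName={u} IpAddress={ip} Status={s}"
    lines = []
    noise = [("10.0.0.5", "alice"), ("10.0.0.7", "bob"), ("10.0.0.5", "carol")]
    for i in range(30):                   # background: one user mistypes twice per bucket
        ip, user = noise[i % 3]
        t = base + timedelta(minutes=2 * i, seconds=7)
        for delay in (0, 20):
            lines.append(fmt.format(t=(t + timedelta(seconds=delay)).isoformat(), u=user, ip=ip, s="0x18"))
    burst = base + timedelta(minutes=60, seconds=3)
    for n in range(16):                   # spray: one source, 16 accounts, one password each
        lines.append(fmt.format(t=(burst + timedelta(seconds=2 * n)).isoformat(),
                                u=f"user{n:02d}", ip="10.0.0.9", s="0x18"))
    lines.append(fmt.format(t=burst.isoformat(), u="WS01$", ip="10.0.0.9", s="0x18"))  # computer account, filtered
    lines.append(fmt.format(t=burst.isoformat(), u="dave", ip="10.0.0.9", s="0x12"))   # 0x12 = revoked, filtered
    return lines


if __name__ == "__main__":
    for alert in detect_spray(make_sample_log()):
        print(alert)
```

Two things worth checking when tuning a 3-sigma rule like this: the spike itself is part of the sample the mean and standard deviation are computed from, so with only a handful of baseline buckets even a large burst cannot exceed three standard deviations (running `detect_spray` on just the last three quiet buckets plus the burst from the sample above returns nothing), and a baseline computed per source address has no history at all for an attacker host that has never been seen before, which is why this example pools all source/bucket rows.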
Categories
  • Windows
Data Sources
  • Windows Registry
  • Application Log
  • Logon Session
ATT&CK Techniques
  • T1110
  • T1110.003
Created: 2024-11-13