
Summary
This detection rule uses a 3-sigma statistical method to identify and alert on potential distributed password spraying attacks against Azure Active Directory (AAD) accounts. In a password spray attack, an adversary tries a small set of commonly used passwords across a large number of user accounts, often from multiple IP addresses, to gain unauthorized access while evading per-account lockouts and detection. The detection runs against Splunk’s Authentication data model, so it covers every authentication event that is normalized to the Common Information Model (CIM). Its primary objective is to alert when the number of unique accounts with failed login attempts exceeds a defined statistical anomaly threshold, which indicates potential account compromise activity. The rule aggregates authentication failures over a 10-minute window and measures how far each window’s unique-account and unique-source counts deviate from the average in order to classify windows as outliers. Security teams can use this detection to improve visibility of credential-based attacks in their environment.
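The following is an added example, not the rule’s own SPL: a small Python implementation of the logic the summary describes, run over a constructed set of CIM-style authentication events. It buckets failed logins into 10-minute windows, counts distinct accounts and distinct sources per window, computes the mean and standard deviation across all windows (as Splunk’s `eventstats avg()`/`stdev()` would), and flags windows that exceed mean + 3·stdev on either count. Field and function names (`AuthEvent`, `bucket_failures`, `three_sigma_outliers`) are assumptions for this example.

```python
"""Added example: 3-sigma outlier detection over 10-minute buckets of
authentication failures, mirroring the detection logic described above.
This is standalone illustrative code, not the Splunk rule itself."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean, stdev

WINDOW = timedelta(minutes=10)   # aggregation window from the rule description
SIGMA = 3.0                      # 3-sigma threshold


@dataclass(frozen=True)
class AuthEvent:
    """Minimal CIM Authentication fields: _time, user, src, action."""
    time: datetime
    user: str
    src: str
    action: str  # "success" or "failure"


def bucket_failures(events, window=WINDOW):
    """Group failed logins into fixed windows; return {window_start_epoch: (users, srcs)}."""
    size = int(window.total_seconds())
    buckets = defaultdict(lambda: (set(), set()))
    for ev in events:
        if ev.action != "failure":
            continue
        epoch = int(ev.time.timestamp())
        start = epoch - epoch % size          # align to window boundary
        users, srcs = buckets[start]
        users.add(ev.user)
        srcs.add(ev.src)
    return dict(buckets)


def three_sigma_outliers(buckets, sigma=SIGMA):
    """Flag windows whose distinct-account or distinct-source count exceeds avg + sigma*stdev.

    As with eventstats in Splunk, the baseline is computed over every window in the
    set, including the window being scored (see the usage note for the consequence)."""
    if len(buckets) < 2:                       # stdev needs at least two samples
        return []
    rows = sorted((start, len(u), len(s)) for start, (u, s) in buckets.items())
    user_counts = [r[1] for r in rows]
    src_counts = [r[2] for r in rows]
    user_thr = mean(user_counts) + sigma * stdev(user_counts)
    src_thr = mean(src_counts) + sigma * stdev(src_counts)
    return [
        {"window_start": start, "unique_accounts": uc, "unique_sources": sc,
         "account_threshold": round(user_thr, 2), "source_threshold": round(src_thr, 2)}
        for start, uc, sc in rows
        if uc > user_thr or sc > src_thr
    ]


def constructed_events():
    """Constructed sample data (not real telemetry): 20 quiet windows with one or two
    failed users from a single source, then one window in which 30 distinct accounts
    fail from 5 different source addresses."""
    t0 = datetime(2025, 1, 21, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(20):
        base = t0 + i * WINDOW
        events.append(AuthEvent(base + timedelta(minutes=3), "alice", "10.0.0.5", "failure"))
        if i % 2 == 0:  # every other window has a second failing user
            events.append(AuthEvent(base + timedelta(minutes=7), "bob", "10.0.0.5", "failure"))
        events.append(AuthEvent(base + timedelta(minutes=8), "carol", "10.0.0.9", "success"))
    spray_start = t0 + 20 * WINDOW
    for n in range(30):
        events.append(AuthEvent(spray_start + timedelta(seconds=10 * n),
                                f"user{n:02d}", f"203.0.113.{n % 5 + 1}", "failure"))
    return events


if __name__ == "__main__":
    for hit in three_sigma_outliers(bucket_failures(constructed_events())):
        print(hit)
```

One property of this scoring is worth keeping in mind when tuning the search window: because the baseline includes the window being scored, the largest possible z-score with a sample standard deviation is (n − 1)/√n, so with fewer than 11 windows in the search no window can ever exceed 3 sigma, however extreme it is. A 10-minute bucket therefore needs a search span of at least a couple of hours, and preferably a full day, before a spray can stand out.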
Categories
- Identity Management
- Cloud
- Infrastructure
- Endpoint
Data Sources
- User Account
- Cloud Service
- Network Traffic
ATT&CK Techniques
- T1110
- T1110.003
Created: 2025-01-21