Splunk User Enumeration Attempt

Splunk Security Content

Summary
This analytic detects potential Splunk user enumeration attempts by monitoring failed authentication events in the internal _audit index. It uses a Splunk search to count failed authentications per user and source, triggers when a source experiences more than five failed attempts for any user, and then aggregates total failed attempts by source. The rule flags a likely probe by an attacker trying to identify valid usernames, a common precursor to password spraying or brute-force access attempts against the Splunk environment. It leverages existing data (no new ingestion required) and references a Splunk security advisory. When triggered, the finding highlights the implicated source IP and the targeted usernames, enabling rapid investigation, containment, and remediation actions. The rule aligns with T1078 (Valid Accounts) and is relevant to Splunk products (Enterprise, Enterprise Security, Cloud). Mitigation involves confirming legitimacy, reviewing recent authentication activity, and applying Splunk updates or access controls as needed. False positives may arise from automated maintenance or credential rotation processes.
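To make the two-stage logic concrete, the following added example (not Splunk's own search or any code from the Splunk Security Content project) re-implements it in Python over constructed _audit-style login records. The field names (user, action, info, src), the line layout, the IP addresses and usernames are assumptions for illustration; the stage 1 count is per (user, src), a pair survives only when it exceeds the threshold of five failures, and stage 2 sums the surviving pairs per source. An optional allowlist of sources is included to show how the maintenance or credential-rotation false positives mentioned above can be excluded from the finding.

```python
import re
from collections import Counter, defaultdict


def _audit_line(user, src, info, seq):
    """Build one constructed _audit-style login record (layout is an assumption)."""
    return (f"Audit:[timestamp=06-24-2026 10:00:{seq:02d}.000, user={user}, "
            f"action=login attempt, info={info}, reason=user-initiated, src={src}]")


# Constructed sample input: one probing source, one benign source with a couple
# of typos, and one host that rotates a service credential (a known FP source).
SAMPLE_AUDIT_LINES = (
    [_audit_line("admin", "10.0.0.5", "failed", i) for i in range(6)]
    + [_audit_line("splunk", "10.0.0.5", "failed", i) for i in range(7)]
    + [_audit_line("svc_backup", "10.0.0.5", "failed", 0)]
    + [_audit_line("admin", "10.0.0.9", "failed", i) for i in range(2)]
    + [_audit_line("admin", "10.0.0.9", "succeeded", 3)]
    + [_audit_line("svc_rotate", "10.0.0.20", "failed", i) for i in range(8)]
)

FIELD_RE = re.compile(r"Audit:\[(.*)\]$")


def parse_audit_line(line):
    """Return the comma-separated key=value fields of one audit line as a dict."""
    match = FIELD_RE.search(line)
    if not match:
        return {}
    fields = {}
    for part in match.group(1).split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def failed_logins_by_user_and_src(lines):
    """Stage 1: count failed login attempts per (user, src) pair.

    Successful logins and non-login audit records are ignored.
    """
    counts = Counter()
    for line in lines:
        event = parse_audit_line(line)
        if event.get("action") == "login attempt" and event.get("info") == "failed":
            counts[(event.get("user"), event.get("src"))] += 1
    return counts


def detect_user_enumeration(lines, threshold=5, allowlist=()):
    """Stage 2: keep pairs with more than `threshold` failures, aggregate by source.

    Returns {src: {"total_failed": n, "users": [targeted usernames]}} for every
    source that produced at least one over-threshold (user, src) pair and is not
    on the allowlist of known maintenance / rotation hosts.
    """
    findings = defaultdict(lambda: {"total_failed": 0, "users": []})
    for (user, src), n in failed_logins_by_user_and_src(lines).items():
        if n > threshold and src not in allowlist:
            findings[src]["total_failed"] += n
            findings[src]["users"].append(user)
    for finding in findings.values():
        finding["users"].sort()
    return dict(findings)


if __name__ == "__main__":
    for src, finding in detect_user_enumeration(SAMPLE_AUDIT_LINES).items():
        print(f"{src}: {finding['total_failed']} failed attempts "
              f"against {', '.join(finding['users'])}")
```

Run as a script it reports 10.0.0.5 (13 failures against admin and splunk) and 10.0.0.20 (8 failures against svc_rotate); passing `allowlist={"10.0.0.20"}` suppresses the rotation host while leaving the real probe, and the source with two typos against admin never reaches the threshold.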
Categories
  • Endpoint
  • Application
Data Sources
  • Application Log
ATT&CK Techniques
  • T1078
Created: 2026-06-24