
Summary
This detection rule identifies suspicious login failure patterns that could indicate a brute force attack on user accounts. Adversaries often use a small set of commonly used passwords to compromise accounts, which produces multiple failed login attempts. The rule tracks Windows Event ID 4625 (a failed logon attempt) and aggregates these events over time to surface potential brute force activity. The analysis runs in Splunk over collected endpoint data, focusing on the user, host, and process information of each failed login. The detection logic flags any account with more than two failed login attempts within a 60-second span, highlighting unusual or suspicious login behavior that may warrant further investigation. The rule is relevant for monitoring targeted attacks by known threat actors such as LUCR-3, Scattered Spider (also known as 0ktapus and UNC3944), and Volt Typhoon.
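The threshold logic described above, as an added worked example rather than the rule's own Splunk search: it runs over constructed Windows Security events in the flat field layout Splunk exposes (field names `EventCode`, `TargetUserName`, `Computer` and `_time` are assumed), counts only Event ID 4625, and flags any account with more than two failures inside any 60-second span.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625             # Windows Security: "An account failed to log on"
THRESHOLD = 2                   # rule fires on more than two failures ...
WINDOW = timedelta(seconds=60)  # ... within a 60-second span

# Constructed sample events (not real data): "bob" fails 3 times inside 60 s across
# two hosts, "alice" fails 3 times spread over four minutes, and one 4624 (a
# successful logon) is present as noise that must not count toward the threshold.
SAMPLE_EVENTS = [
    {"_time": "2024-02-09T10:00:05", "EventCode": 4625, "TargetUserName": "alice", "Computer": "WS01"},
    {"_time": "2024-02-09T10:00:10", "EventCode": 4625, "TargetUserName": "bob", "Computer": "WS02"},
    {"_time": "2024-02-09T10:00:31", "EventCode": 4625, "TargetUserName": "bob", "Computer": "WS02"},
    {"_time": "2024-02-09T10:00:40", "EventCode": 4624, "TargetUserName": "bob", "Computer": "WS02"},
    {"_time": "2024-02-09T10:00:59", "EventCode": 4625, "TargetUserName": "bob", "Computer": "WS03"},
    {"_time": "2024-02-09T10:02:00", "EventCode": 4625, "TargetUserName": "alice", "Computer": "WS01"},
    {"_time": "2024-02-09T10:04:00", "EventCode": 4625, "TargetUserName": "alice", "Computer": "WS01"},
]


def detect_login_failures(events, threshold=THRESHOLD, window=WINDOW):
    """One finding per account with more than `threshold` 4625 events inside any
    `window`-long span. A sliding window is used instead of fixed 60 s buckets so a
    burst that straddles a bucket boundary is still caught."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["EventCode"] != FAILED_LOGON:
            continue  # successes and other event IDs never count toward the threshold
        by_user[ev["TargetUserName"]].append((datetime.fromisoformat(ev["_time"]), ev["Computer"]))

    findings = []
    for user, fails in by_user.items():
        fails.sort()
        best, start = None, 0
        for end in range(len(fails)):
            # Advance `start` until fails[start..end] all fall within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count > threshold and (best is None or count > best["count"]):
                best = {"user": user, "count": count,
                        "hosts": sorted({host for _, host in fails[start:end + 1]}),
                        "first": fails[start][0].isoformat(),
                        "last": fails[end][0].isoformat()}
        if best:
            findings.append(best)
    return findings
```

Only "bob" is reported: three failures in 49 seconds, spread across WS02 and WS03, while "alice" never has three failures inside one minute.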
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Application Log
- Logon Session
ATT&CK Techniques
- T1110.001
Created: 2024-02-09