Failed Root Console Login

Panther Rules

Summary
This detection rule monitors AWS CloudTrail for unsuccessful sign-ins to the AWS root account through the console, matching `ConsoleLogin` events performed by the root identity whose outcome is a failure. Every failed root login matches the rule; an alert is raised once five or more matches accumulate within a 15-minute window, a pattern that suggests password guessing (brute force) or another unauthorized access attempt against the root account. The user agent, source IP address, and recipient account ID of the triggering event are captured in the alert for forensic analysis. The rule ships with unit tests that exercise a failed root login, a successful root login, and an event unrelated to console login, confirming that only the failed root login matches. Alerts are routed to the security team to investigate potential credential abuse against the root account.
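The detection logic described above, as an added example written for this page rather than Panther's own rule code: a `rule` function that matches failed root `ConsoleLogin` events, `title` and `alert_context` helpers that surface the forensic attributes the summary lists, and a small per-account counter that models the 5-in-15-minutes threshold. The CloudTrail field names (`eventName`, `userIdentity.type`, `responseElements.ConsoleLogin`, `sourceIPAddress`, `userAgent`, `recipientAccountId`, `eventTime`) are real; the sample events are constructed, the `_event` / `alerts_for` / `match_count` helper names are assumptions, and grouping the threshold count by recipient account is a simplification of how the platform deduplicates matches.

```python
"""Added example, not Panther's rule code: failed root console login detection
applied to constructed CloudTrail-shaped events with a 5-in-15-minutes threshold."""
from datetime import datetime, timedelta
from typing import Any, Dict, List, Optional

THRESHOLD = 5                    # matches needed before an alert is raised
WINDOW = timedelta(minutes=15)   # counting window for those matches


def _get(event: Dict[str, Any], *path: str, default: Any = None) -> Any:
    """Nested lookup that tolerates missing keys and non-dict intermediates."""
    cur: Any = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def rule(event: Dict[str, Any]) -> bool:
    """True only for a ConsoleLogin event by the Root identity that failed."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    if _get(event, "userIdentity", "type") != "Root":
        return False
    return _get(event, "responseElements", "ConsoleLogin") == "Failure"


def title(event: Dict[str, Any]) -> str:
    return (f"AWS root console login failed for account "
            f"[{event.get('recipientAccountId')}] from [{event.get('sourceIPAddress')}]")


def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    """Attributes retained on the alert for forensic analysis."""
    return {
        "sourceIPAddress": event.get("sourceIPAddress"),
        "userAgent": event.get("userAgent"),
        "recipientAccountId": event.get("recipientAccountId"),
        "errorMessage": event.get("errorMessage"),
    }


def match_count(events: List[Dict[str, Any]]) -> int:
    return sum(1 for ev in events if rule(ev))


def alerts_for(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Raise one alert per account when THRESHOLD matches fall inside WINDOW.
    Matches older than WINDOW relative to the current event are discarded."""
    recent: Dict[str, List[datetime]] = {}
    alerts: List[Dict[str, Any]] = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if not rule(ev):
            continue
        acct = ev.get("recipientAccountId", "unknown")
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        bucket = [t for t in recent.get(acct, []) if ts - t < WINDOW]
        bucket.append(ts)
        recent[acct] = bucket
        if len(bucket) == THRESHOLD:   # fire when the threshold is first crossed
            alerts.append({"title": title(ev), "context": alert_context(ev)})
    return alerts


def _event(ts: str, ident: str, outcome: Optional[str], name: str = "ConsoleLogin",
           ip: str = "198.51.100.7", acct: str = "123456789012") -> Dict[str, Any]:
    """Constructed CloudTrail-shaped sample event (not a real log record)."""
    return {
        "eventVersion": "1.08",
        "eventTime": ts,
        "eventName": name,
        "eventSource": "signin.amazonaws.com",
        "userIdentity": {"type": ident, "accountId": acct},
        "sourceIPAddress": ip,
        "userAgent": "Mozilla/5.0 (constructed sample)",
        "recipientAccountId": acct,
        "responseElements": {"ConsoleLogin": outcome} if outcome else None,
        "errorMessage": "Failed authentication" if outcome == "Failure" else None,
    }


# Constructed sample: four failed root logins, a success, an IAM user failure,
# an unrelated event, a fifth failure inside the window, then a late straggler.
SAMPLE_EVENTS = [
    _event("2022-09-02T10:00:00Z", "Root", "Failure"),
    _event("2022-09-02T10:01:00Z", "Root", "Failure"),
    _event("2022-09-02T10:02:00Z", "Root", "Success"),               # success: no match
    _event("2022-09-02T10:03:00Z", "IAMUser", "Failure"),            # not root: no match
    _event("2022-09-02T10:04:00Z", "Root", None, name="GetSessionToken"),  # not ConsoleLogin
    _event("2022-09-02T10:05:00Z", "Root", "Failure"),
    _event("2022-09-02T10:06:00Z", "Root", "Failure"),
    _event("2022-09-02T10:13:00Z", "Root", "Failure"),               # 5th match in 13 min: alert
    _event("2022-09-02T10:40:00Z", "Root", "Failure"),               # window expired: no alert
]

if __name__ == "__main__":
    print(f"{match_count(SAMPLE_EVENTS)} matching events")
    for alert in alerts_for(SAMPLE_EVENTS):
        print(alert["title"], alert["context"])
```

Running the block prints six matching events and a single alert, raised by the 10:13 event; the 10:40 failure matches the rule but starts a fresh count because every earlier match is more than 15 minutes old.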
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Storage
  • Logon Session
ATT&CK Techniques
  • T1110
Created: 2022-09-02