MSSQL Server Failed Logon From External Network

Sigma Rules

Summary
This detection rule monitors failed authentication attempts against an MSSQL server that originate from external network IP addresses. It is designed to help identify potential brute-force attacks, which typically produce many failed login attempts within a short period. By filtering log events whose provider name includes 'MSSQL' and whose event ID is 18456 (the SQL Server "Login failed" event), it captures each login failure. The filter then excludes source addresses in the internal IP ranges commonly used in local network configurations, namely those starting with 10.x, 172.16.x, and 192.168.x, so that legitimate internal access attempts do not trigger alerts. The rule is particularly useful in enterprise environments where MSSQL is exposed to the internet, as it strengthens visibility into unauthorized access attempts and potential attacks.
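As an added illustration, not the rule's own source, the filter described above applied in Python to constructed sample events; the field names and the `[CLIENT: ...]` suffix of the 18456 message are assumptions. It also shows the caveat that the `172.16.x` prefix covers only one /16 of the RFC 1918 172.16.0.0/12 block, so a failed logon from 172.20.x.x would still alert under the prefix filter.

```python
import ipaddress
import re

# Constructed sample events modelled on Windows Application log entries that
# SQL Server writes on a login failure (Event ID 18456). Field names are assumed.
SAMPLE_EVENTS = [
    {"Provider_Name": "MSSQLSERVER", "EventID": 18456,
     "Message": "Login failed for user 'sa'. Reason: Password did not match "
                "that for the login provided. [CLIENT: 203.0.113.77]"},
    {"Provider_Name": "MSSQLSERVER", "EventID": 18456,
     "Message": "Login failed for user 'app'. [CLIENT: 192.168.4.20]"},
    {"Provider_Name": "MSSQLSERVER", "EventID": 18456,
     "Message": "Login failed for user 'app'. [CLIENT: 172.20.1.9]"},
    {"Provider_Name": "MSSQLSERVER", "EventID": 18454,
     "Message": "Login succeeded for user 'app'. [CLIENT: 203.0.113.77]"},
    {"Provider_Name": "MSSQLSERVER", "EventID": 18456,
     "Message": "Login failed for user 'sa'. [CLIENT: <local machine>]"},
]

CLIENT_RE = re.compile(r"\[CLIENT: ([^\]]+)\]")
INTERNAL_PREFIXES = ("10.", "172.16.", "192.168.")   # the prefixes the rule names
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def client_ip(message):
    """Return the client address from a 18456 message, or None when it is not
    an IP address (e.g. '<local machine>' or '<named pipe>')."""
    m = CLIENT_RE.search(message)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None

def is_internal(ip, strict_rfc1918=False):
    """Prefix filter as the rule describes; optionally the full RFC 1918 ranges."""
    if strict_rfc1918:
        return any(ip in net for net in RFC1918)
    return str(ip).startswith(INTERNAL_PREFIXES)

def external_failed_logons(events, strict_rfc1918=False):
    """Return the client IPs (as strings) the rule would alert on."""
    hits = []
    for ev in events:
        if "MSSQL" not in ev["Provider_Name"] or ev["EventID"] != 18456:
            continue
        ip = client_ip(ev["Message"])
        if ip is None or is_internal(ip, strict_rfc1918):
            continue
        hits.append(str(ip))
    return hits

if __name__ == "__main__":
    print(external_failed_logons(SAMPLE_EVENTS))        # ['203.0.113.77', '172.20.1.9']
    print(external_failed_logons(SAMPLE_EVENTS, True))  # ['203.0.113.77']
```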
Categories
  • Database
  • Infrastructure
Data Sources
  • Windows Registry
  • Application Log
  • Network Traffic
Created: 2023-10-11