
Anthropic SSO Login Failed

Panther Rules

Summary
Detects failed Anthropic SSO login attempts against the organization. The actor is unauthenticated at the point of failure, so the source IP is the only attribute available for attribution, and every failure raises an alert because SSO failures should be rare in normal operation. The rule correlates related Anthropic.Activity events (sso_login_initiated, sso_login_succeeded, sso_login_failed), keyed on source IP, within a 1-hour window to determine whether the failure is a one-off or part of a burst. It then checks the source IP against threat intelligence feeds and known VPN/proxy services, and against the source IPs seen in sso_login_succeeded events over the previous 30 days, to distinguish a known user's IP from an unfamiliar one. Because every failure alerts, a known user mistyping a password will also fire the rule; the 30-day known-IP check is what lets that case be closed quickly. The MITRE ATT&CK mapping TA0006:T1110 (Credential Access: Brute Force) contextualizes the technique. The Runbook guides triage steps to assess scope and whether the event is isolated or part of ongoing activity. The rule is Medium severity and Experimental status, and is intended to prompt swift investigation of potential brute-force or credential-stuffing attempts against SSO.
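The detection and enrichment logic described above, as an added illustrative example in Panther's Python rule style. This is not the published rule's source: the Anthropic.Activity field names (event_type, source_ip, created_at, actor_email), the sample events, and the threat-intel set are assumptions constructed for the example, and the history argument stands in for however the 1-hour and 30-day windows are supplied in a real deployment (for instance a Panther Lookup Table or a correlation rule).

```python
"""Added example, not the published Panther rule. Field names and sample
events are assumptions; the 'history' list stands in for a real correlation
window or lookup table."""
from datetime import datetime, timedelta, timezone

BURST_WINDOW = timedelta(hours=1)        # one-off vs. burst decision window
KNOWN_IP_LOOKBACK = timedelta(days=30)   # window for "seen in a past success"
SSO_EVENTS = {"sso_login_initiated", "sso_login_succeeded", "sso_login_failed"}

# Constructed sample of Anthropic.Activity events (assumed schema), oldest first.
SAMPLE_EVENTS = [
    {"event_type": "sso_login_succeeded", "source_ip": "203.0.113.10",
     "actor_email": "alice@example.com", "created_at": "2026-05-01T09:00:00Z"},
    {"event_type": "sso_login_initiated", "source_ip": "198.51.100.7",
     "created_at": "2026-05-13T10:00:00Z"},
    {"event_type": "sso_login_failed", "source_ip": "198.51.100.7",
     "created_at": "2026-05-13T10:00:05Z"},
    {"event_type": "sso_login_failed", "source_ip": "198.51.100.7",
     "created_at": "2026-05-13T10:01:00Z"},
    {"event_type": "sso_login_failed", "source_ip": "198.51.100.7",
     "created_at": "2026-05-13T10:02:00Z"},
    {"event_type": "sso_login_failed", "source_ip": "203.0.113.10",
     "created_at": "2026-05-13T11:30:00Z"},
]

# Constructed stand-in for a threat-intel / VPN-proxy feed (assumption).
SAMPLE_INTEL_IPS = frozenset({"198.51.100.7"})


def _ts(event):
    """Parse the assumed ISO-8601 'created_at' field into an aware datetime."""
    return datetime.fromisoformat(event["created_at"].replace("Z", "+00:00"))


def rule(event):
    """Panther entry point: every SSO failure alerts. The actor is unauthenticated,
    so the source IP is the only pivot; rarity of SSO failures justifies alerting on all."""
    return event.get("event_type") == "sso_login_failed"


def related_events(event, history, window):
    """SSO events from the same source IP in the window ending at this event (inclusive)."""
    ip = event.get("source_ip")
    end = _ts(event)
    start = end - window
    return [e for e in history
            if e.get("source_ip") == ip
            and e.get("event_type") in SSO_EVENTS
            and start <= _ts(e) <= end]


def failures_in_window(event, history):
    """Count of sso_login_failed from this IP in the last hour, counting the trigger itself."""
    return sum(1 for e in related_events(event, history, BURST_WINDOW)
               if e["event_type"] == "sso_login_failed")


def known_user_ip(event, history):
    """True if this IP produced an sso_login_succeeded within the 30-day lookback."""
    return any(e["event_type"] == "sso_login_succeeded"
               for e in related_events(event, history, KNOWN_IP_LOOKBACK))


def title(event):
    return f"Anthropic SSO login failed from {event.get('source_ip', '<unknown>')}"


def alert_context(event, history, intel_ips=frozenset()):
    """Enrichment attached to the alert so triage can tell a one-off from a burst,
    and a known user's IP from an unfamiliar or flagged one."""
    failures = failures_in_window(event, history)
    return {
        "source_ip": event.get("source_ip"),
        "failures_in_window": failures,
        "assessment": "burst" if failures > 1 else "one-off",
        "known_user_ip": known_user_ip(event, history),
        "on_intel_list": event.get("source_ip") in intel_ips,
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if rule(ev):
            print(title(ev), alert_context(ev, SAMPLE_EVENTS, SAMPLE_INTEL_IPS))
```

Run stand-alone, the block reports the three failures from 198.51.100.7 as a burst (the third sees three failures in its hour and the IP is on the sample intel list), while the single failure from 203.0.113.10 is a one-off from an IP that succeeded twelve days earlier, which is the case the runbook would close quickly.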
Categories
  • Identity Management
  • Web
Data Sources
  • Application Log
  • Web Credential
ATT&CK Techniques
  • T1110
Created: 2026-05-13