Azure Entra Sign-in Brute Force against Microsoft 365 Accounts

Elastic Detection Rules

Summary
The rule detects potential brute-force attacks against Microsoft 365 user accounts by monitoring failed sign-in attempts within a 30-minute window. It focuses on high volumes of interactive or non-interactive sign-in failures, which suggest unauthorized access attempts via services such as Exchange, SharePoint, or Teams. The logic draws on Azure Entra ID sign-in logs and evaluates patterns of failed sign-ins, such as attempts arriving from many distinct sources or an excessive number of failures against a single account, that are consistent with password guessing. Investigation should cover the targeted user accounts, the origin of the failed attempts, the Microsoft 365 services involved, and the returned error codes, which add context by distinguishing, for example, a wrong password from a locked or disabled account or a pending MFA challenge. Legitimate automated processes or user behaviour (a mail client retrying with a stale cached credential, for instance) can produce similar failure bursts, so exclusions should be added once such activity is confirmed benign. Response should be immediate: isolate the account, reset its password, and enable multi-factor authentication (MFA) for the affected accounts if it is not already enforced.
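The detection logic the summary describes, replayed over constructed sign-in events, as an added illustration rather than the Elastic rule's own ES|QL. It slides a 30-minute window over each user's failed sign-ins against Microsoft 365 resources and, when a burst reaches a threshold, returns the source IPs, error codes, and resources an analyst would triage. The field paths mirror the ECS-style layout of Elastic's Azure integration, the sample events, the failure threshold of 10, and the resource name pattern are all assumptions made for the example, and the 30-minute span is the one the page states.

```python
"""Sliding-window brute-force heuristic over Azure Entra ID sign-in events.

Added example, not the Elastic rule's own query. Field paths, threshold and
the resource-name pattern are assumptions for illustration only.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)          # span stated on the page
FAILURE_THRESHOLD = 10                  # assumed; the page gives no numeric value
M365_RESOURCE = re.compile(r"Microsoft 365|Office 365|Exchange|SharePoint|Teams", re.I)


def make_event(ts, user, outcome, ip, resource, error_code):
    """Build one constructed sign-in log line using ECS-style field paths."""
    return json.dumps({
        "@timestamp": ts,
        "event": {"category": "authentication", "outcome": outcome},
        "source": {"ip": ip},
        "azure": {"signinlogs": {"properties": {
            "user_principal_name": user,
            "resource_display_name": resource,
            "status": {"error_code": error_code},  # 50126 = invalid username or password
        }}},
    })


def parse_event(line):
    """Extract the fields the heuristic needs from one JSON log line."""
    ev = json.loads(line)
    props = ev["azure"]["signinlogs"]["properties"]
    return {
        "ts": datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00")),
        "user": props["user_principal_name"].lower(),  # normalise UPN case
        "outcome": ev["event"]["outcome"],
        "ip": ev["source"]["ip"],
        "resource": props["resource_display_name"],
        "error": props["status"]["error_code"],
    }


def detect_bruteforce(lines, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return {upn: triage context} for users whose failed Microsoft 365
    sign-ins reach `threshold` inside any span of length `window`."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["outcome"] != "failure" or not M365_RESOURCE.search(ev["resource"]):
            continue                      # successes and non-M365 targets are ignored
        failures[ev["user"]].append(ev)

    alerts = {}
    for user, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end, ev in enumerate(evs):    # two-pointer sliding window
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[2]):
                best = (start, end, count)  # keep the densest window
        if best:
            hits = evs[best[0]:best[1] + 1]
            alerts[user] = {
                "failed_attempts": best[2],
                "source_ips": sorted({e["ip"] for e in hits}),
                "error_codes": sorted({e["error"] for e in hits}),
                "resources": sorted({e["resource"] for e in hits}),
                "first_seen": hits[0]["ts"].isoformat(),
                "last_seen": hits[-1]["ts"].isoformat(),
            }
    return alerts


# Constructed sample: a burst from three IPs, a slow trickle that never fills
# a 30-minute window, a burst against a non-M365 resource, and one success.
ATTACK_IPS = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]
SAMPLE_LINES = (
    [make_event(f"2024-09-06T09:{2 * i:02d}:00Z",
                "J.Doe@example.com" if i == 5 else "j.doe@example.com",
                "failure", ATTACK_IPS[i % 3], "Office 365 Exchange Online", 50126)
     for i in range(12)]
    + [make_event(f"2024-09-06T{10 + (9 * i) // 60}:{(9 * i) % 60:02d}:00Z",
                  "a.smith@example.com", "failure", "192.0.2.4",
                  "Microsoft Teams Services", 50126)
       for i in range(12)]
    + [make_event(f"2024-09-06T12:00:{5 * i:02d}Z", "k.lee@example.com",
                  "failure", "203.0.113.50", "Azure Key Vault", 50126)
       for i in range(12)]
    + [make_event("2024-09-06T09:30:00Z", "j.doe@example.com", "success",
                  "203.0.113.10", "Office 365 Exchange Online", 0)]
)

if __name__ == "__main__":
    print(json.dumps(detect_bruteforce(SAMPLE_LINES), indent=2))
```

Only j.doe is flagged: twelve failures in 22 minutes from three source addresses. The slow trickle from a.smith never places more than four failures in any 30-minute span, and k.lee's burst is dropped because its target is not a Microsoft 365 service. The per-user context (distinct IPs, error codes, resources, first and last seen) is what the investigation guidance above asks an analyst to look at first, and a confirmed-benign source can be excluded simply by filtering it out before the window is computed.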
Categories
  • Cloud
  • Identity Management
  • Other
Data Sources
  • User Account
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1110
Created: 2024-09-06