
Pinned topic Password Spraying Detection Rule

2016-05-24T17:34:45Z

I'm trying to create a rule to detect possible password spraying. More specifically, I'm trying to alert when the same source IP has multiple failed logins with any number of different usernames. We've seen attacks like this where a list of usernames can be obtained and one password can be tried on every username in the environment with a pretty high success rate. I created a rule that will alert when there are 5 or more failed logins from the same source IP over a minute AND when the username changes more than 5 times within 30 seconds on a single host. It doesn't seem to be working, and I think it is because the failed login event has the "Has Identity (Flag)" set to false, so it doesn't register the username change. Can anybody help me confirm this? If so, does anybody have any ideas how I might be able to write this rule?
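The detection the post describes, as an added example that is not part of the original post and not QRadar rule syntax: a sliding-window count of distinct usernames per source IP over failed logins. The log format (timestamp, source IP, username, outcome on one line) and the sample events are constructed for the example. The username is pulled out of the event text itself, so the logic does not depend on any identity flag being set on the event. The second source in the sample is a single-account brute force, which this rule deliberately does not fire on, since the spray signal is many distinct accounts, not many failures.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each line is
# "timestamp src_ip username outcome". 10.1.2.3 sprays one password across
# six accounts; 10.9.9.9 hammers a single account (brute force, not spray).
SAMPLE_LOG = """\
2016-05-24T17:30:01Z 10.1.2.3 alice FAILURE
2016-05-24T17:30:04Z 10.1.2.3 bob FAILURE
2016-05-24T17:30:07Z 10.1.2.3 carol FAILURE
2016-05-24T17:30:10Z 10.1.2.3 dave FAILURE
2016-05-24T17:30:13Z 10.1.2.3 erin FAILURE
2016-05-24T17:30:16Z 10.1.2.3 frank FAILURE
2016-05-24T17:30:02Z 10.9.9.9 alice FAILURE
2016-05-24T17:30:05Z 10.9.9.9 alice FAILURE
2016-05-24T17:30:08Z 10.9.9.9 alice FAILURE
2016-05-24T17:30:11Z 10.9.9.9 alice FAILURE
2016-05-24T17:30:14Z 10.9.9.9 alice FAILURE
2016-05-24T17:30:17Z 10.9.9.9 alice FAILURE
2016-05-24T17:30:20Z 10.9.9.9 alice SUCCESS
2016-05-24T17:40:00Z 10.1.2.3 grace FAILURE
"""

# Assumed (hypothetical) line layout for the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<user>\S+)\s+(?P<outcome>SUCCESS|FAILURE)$"
)


def parse_events(text):
    """Parse log lines into (timestamp, src_ip, username, outcome) tuples.

    Events are sorted by timestamp because collectors deliver them out of
    order (the sample interleaves two sources), and a time window only
    makes sense on an ordered stream.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        # Normalise case so "Alice" and "alice" count as one account.
        events.append((ts, m["src"], m["user"].lower(), m["outcome"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_password_spray(events, window=timedelta(seconds=60), min_users=5):
    """Alert when one source IP fails logins for >= min_users distinct
    usernames inside a sliding window. Returns a list of alert dicts.

    Failures per source are kept in a deque trimmed to the window; the
    distinct-username count is what separates spraying from a brute force
    against one account. One alert per source per window keeps the rule
    from firing again on every additional username in the same burst.
    """
    recent = defaultdict(deque)   # src_ip -> deque of (ts, username)
    last_alert = {}               # src_ip -> ts of the last alert
    alerts = []
    for ts, src, user, outcome in events:
        if outcome != "FAILURE":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()           # evict failures older than the window
        distinct = {u for _, u in q}
        if len(distinct) >= min_users:
            prev = last_alert.get(src)
            if prev is None or ts - prev > window:
                last_alert[src] = ts
                alerts.append({
                    "src": src,
                    "ts": ts,
                    "users": sorted(distinct),
                    "failures": len(q),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_password_spray(parse_events(SAMPLE_LOG)):
        print(f"{a['ts']} possible password spray from {a['src']}: "
              f"{a['failures']} failures across {len(a['users'])} accounts")
```

Tune `window` and `min_users` to the environment; a source behind NAT, a VPN concentrator or a service that authenticates on behalf of many users will legitimately show many usernames from one IP, so those sources need a higher threshold or an exclusion list before the rule is turned into a page.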