diff --git a/rules/cloud/azure/azure_aad_secops _signin_failure_bad_password_threshold.yml b/rules/cloud/azure/azure_aad_secops _signin_failure_bad_password_threshold.yml
new file mode 100644
index 000000000..89e333ff3
--- /dev/null
+++ b/rules/cloud/azure/azure_aad_secops _signin_failure_bad_password_threshold.yml
@@ -0,0 +1,27 @@
+title: Sign-in failure Bad Password Threshold
+id: dff74231-dbed-42ab-ba49-83289be2ac3a
+description: Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.
+author: Corissa Koopmans, '@corissalea'
+date: 2022/04/21
+references:
+    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
+logsource:
+    product: azure
+    service: signinlogs
+detection:
+    selection:
+        ResultType: 50126
+        ResultDescription: Invalid username or password or Invalid on-premises username or password.
+    filter_computer:
+        TargetUserName|endswith: '$'
+    condition: selection and not filter_computer | count(TargetUserName) by IpAddress > 10
+falsepositives:
+    - Failed Azure AD Connect Synchronization
+    - Service account use with an incorrect password specified
+    - Misconfigured systems
+    - Vulnerability scanners
+level: high
+status: experimental
+tags:
+    - attack.bruteforce
+    - attack.t1110
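Review bot: The new file's path contains a space (`azure_aad_secops _signin_failure_bad_password_threshold.yml`), which looks like a typo and will trip naming checks and any tooling that globs rule paths; rename it to `azure_aad_secops_signin_failure_bad_password_threshold.yml`. In `selection`, `ResultDescription` is a single literal that appears to join two distinct descriptions with " or " (and ends with a period), so an exact match would presumably never fire together with `ResultType: 50126`; either drop it, since the result type already identifies the error, or make it a list of the two separate strings `Invalid username or password` and `Invalid on-premises username or password`. The aggregation in `condition` has no `timeframe`, so backends will count over an unbounded window and the "> 10" threshold has no meaning as a baseline; add `timeframe: 5m` (or whatever window the baseline is tuned on) under `detection`. `attack.bruteforce` is not an ATT&CK tactic tag; the tactic for T1110 is `attack.credential_access`.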