Password spraying - rules for sustained testing

Hi all, hope you’re having a great day.

Does anyone have any tips on getting an alert setup for sustained password spraying on an onprem exchange server over a period of time (2 weeks) I’ve had a think about it but I’m not an expert.

We’re moving to exchange online shortly but would like something in the meantime if it’s possible. we have OWA disabled but they can still spray until they auth and get a “denied” so technically they then know the password is valid they just can’t use it there.