Failed host logons but success logon to AzureAD

//Adjust this threshold to fit environment
let signin_threshold = 5; 
//Make a list of IPs with failed Windows host logins above threshold
let win_fails = 
SecurityEvent
| where EventID == 4625
| where LogonType in (10, 7, 3)
| where IpAddress != "-"
| summarize count() by IpAddress
| where count_ > signin_threshold
| summarize make_list(IpAddress);
let wef_fails =
WindowsEvent
| where EventID == 4625
| extend LogonType = tostring(EventData.LogonType)
| where LogonType in (10, 7, 3)
| extend IpAddress = tostring(EventData.IpAddress)
| where IpAddress != "-"
| summarize count() by IpAddress
| where count_ > signin_threshold
| summarize make_list(IpAddress);
//Make a list of IPs with failed *nix host logins above threshold
let nix_fails = 
Syslog
| where Facility contains 'auth' and ProcessName != 'sudo' and SyslogMessage has 'from' and not(SyslogMessage has_any ('Disconnecting', 'Disconnected', 'Accepted', 'disconnect', @'[preauth]'))
| extend SourceIP = extract("(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))",1,SyslogMessage)
| where SourceIP != "" and SourceIP != "127.0.0.1"
| summarize count() by SourceIP
| where count_ > signin_threshold
| summarize make_list(SourceIP);
//See if any of the IPs with failed host logins hve had a sucessful Azure AD login
let aadFunc = (tableName:string){
table(tableName)
| where ResultType in ("0", "50125", "50140")
| where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)
| extend Reason=  "Multiple failed host logins from IP address with successful Azure AD login"
| extend timestamp = TimeGenerated, Type = Type
| extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt

requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - SigninLogs
- connectorId: AzureActiveDirectory
  dataTypes:
  - AADNonInteractiveUserSignInLogs
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: Syslog
  dataTypes:
  - Syslog
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvents
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvent
relevantTechniques:
- T1078
- T1110
name: Failed host logons but success logon to AzureAD
queryFrequency: 1d
triggerThreshold: 0
severity: Medium
metadata:
  support:
    tier: Community
  categories:
    domains:
    - Security - Others
    - Identity
  source:
    kind: Community
  author:
    name: Microsoft Security Research
query: |
  //Adjust this threshold to fit environment
  let signin_threshold = 5; 
  //Make a list of IPs with failed Windows host logins above threshold
  let win_fails = 
  SecurityEvent
  | where EventID == 4625
  | where LogonType in (10, 7, 3)
  | where IpAddress != "-"
  | summarize count() by IpAddress
  | where count_ > signin_threshold
  | summarize make_list(IpAddress);
  let wef_fails =
  WindowsEvent
  | where EventID == 4625
  | extend LogonType = tostring(EventData.LogonType)
  | where LogonType in (10, 7, 3)
  | extend IpAddress = tostring(EventData.IpAddress)
  | where IpAddress != "-"
  | summarize count() by IpAddress
  | where count_ > signin_threshold
  | summarize make_list(IpAddress);
  //Make a list of IPs with failed *nix host logins above threshold
  let nix_fails = 
  Syslog
  | where Facility contains 'auth' and ProcessName != 'sudo' and SyslogMessage has 'from' and not(SyslogMessage has_any ('Disconnecting', 'Disconnected', 'Accepted', 'disconnect', @'[preauth]'))
  | extend SourceIP = extract("(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))",1,SyslogMessage)
  | where SourceIP != "" and SourceIP != "127.0.0.1"
  | summarize count() by SourceIP
  | where count_ > signin_threshold
  | summarize make_list(SourceIP);
  //See if any of the IPs with failed host logins hve had a sucessful Azure AD login
  let aadFunc = (tableName:string){
  table(tableName)
  | where ResultType in ("0", "50125", "50140")
  | where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)
  | extend Reason=  "Multiple failed host logins from IP address with successful Azure AD login"
  | extend timestamp = TimeGenerated, Type = Type
  | extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
  };
  let aadSignin = aadFunc("SigninLogs");
  let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
  union isfuzzy=true aadSignin, aadNonInt  
tactics:
- InitialAccess
- CredentialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml
version: 1.1.5
entityMappings:
- fieldMappings:
  - columnName: UserPrincipalName
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: IPAddress
    identifier: Address
  entityType: IP
queryPeriod: 1d
triggerOperator: gt
id: 1ce5e766-26ab-4616-b7c8-3b33ae321e80
kind: Scheduled
description: |
  'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.
  Uses that list to identify any successful logons to Microsoft Entra ID from these IPs within the same timeframe.'