NordPass - User fails authentication
| Id | 27b261dc-68f3-489a-944f-bc252e0c1960 |
| Rulename | NordPass - User fails authentication |
| Description | This will alert you if a user fails to log in to their NordPass account, or fails SSO authentication, three or more times in the last 24 hours. |
| Severity | High |
| Tactics | CredentialAccess |
| Techniques | T1110 T1556.003 |
| Required data connectors | NordPass |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 1d |
| Trigger threshold | 2 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_user_login_failed.yaml |
| Version | 1.0.0 |
| Arm template | 27b261dc-68f3-489a-944f-bc252e0c1960.json |
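// Alert on any NordPass user with more than `threshold` failed logins in the
// rule's query period. Count > 2 means three or more failures, which matches
// the rule description ("three or more times").
let threshold = 2;
// Failed NordPass / SSO login events. Materialized because the same filtered
// set is consumed twice below (once to find offenders, once to emit rows).
let filteredData = materialize(
NordPassEventLogs_CL
| where event_type == "login" and action == "user_login_failed"
);
// Accounts whose failure count exceeds the threshold within the lookback window.
let users = filteredData
| summarize Count = count() by user_email
| where Count > threshold
| project user_email;
// Emit every failed event for those accounts. `metadata` is a dynamic column
// (dot access), so IPAddress and Provider are converted with tostring() to give
// the IP entity mapping and the Provider custom detail plain string values
// instead of dynamic JSON scalars.
filteredData
| where user_email in (users)
| extend TargetEmail = user_email, IPAddress = tostring(metadata.ip_address), Provider = tostring(metadata.provider)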
customDetails:
Provider: Provider
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_user_login_failed.yaml
query: |
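// Alert on any NordPass user with more than `threshold` failed logins in the
// rule's query period. Count > 2 means three or more failures, which matches
// the rule description ("three or more times").
let threshold = 2;
// Failed NordPass / SSO login events. Materialized because the same filtered
// set is consumed twice below (once to find offenders, once to emit rows).
let filteredData = materialize(
NordPassEventLogs_CL
| where event_type == "login" and action == "user_login_failed"
);
// Accounts whose failure count exceeds the threshold within the lookback window.
let users = filteredData
| summarize Count = count() by user_email
| where Count > threshold
| project user_email;
// Emit every failed event for those accounts. `metadata` is a dynamic column
// (dot access), so IPAddress and Provider are converted with tostring() to give
// the IP entity mapping and the Provider custom detail plain string values
// instead of dynamic JSON scalars.
filteredData
| where user_email in (users)
| extend TargetEmail = user_email, IPAddress = tostring(metadata.ip_address), Provider = tostring(metadata.provider)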
requiredDataConnectors:
- dataTypes:
- NordPassEventLogs_CL
connectorId: NordPass
incidentConfiguration:
createIncident: false
relevantTechniques:
- T1110
- T1556.003
kind: Scheduled
name: NordPass - User fails authentication
tactics:
- CredentialAccess
severity: High
entityMappings:
- fieldMappings:
- identifier: MailboxPrimaryAddress
columnName: TargetEmail
entityType: Mailbox
- fieldMappings:
- identifier: Address
columnName: IPAddress
entityType: IP
displayName: User fails authentication
triggerOperator: gt
description: |
This will alert you if a user fails to log in to their NordPass account, or fails SSO authentication, three or more times in the last 24 hours.
queryFrequency: 5m
triggerThreshold: 2
queryPeriod: 1d
version: 1.0.0
id: 27b261dc-68f3-489a-944f-bc252e0c1960