NordPass - User fails authentication
| Id | 27b261dc-68f3-489a-944f-bc252e0c1960 |
| Rulename | NordPass - User fails authentication |
| Description | This will alert you if a user fails NordPass account login or SSO authentication three or more times in the last 24 hours. |
| Severity | High |
| Tactics | CredentialAccess |
| Techniques | T1110 T1556.003 |
| Required data connectors | NordPass |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 1d |
| Trigger threshold | 2 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_user_login_failed.yaml |
| Version | 1.0.0 |
| Arm template | 27b261dc-68f3-489a-944f-bc252e0c1960.json |
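// Returns the failed NordPass login events of every user who failed more
// than `threshold` times within the rule's lookback window. There is no
// explicit time filter: the window is the scheduled rule's query period.
// NOTE(review): with a short run interval and a one-day period, the same
// failures are returned on every run until they age out of the window.
let threshold = 2;
// Materialized once because the set is reused by both the per-user count
// and the final event projection.
let filteredData = materialize(
NordPassEventLogs_CL
| where event_type == "login" and action == "user_login_failed"
);
// Users with strictly more than `threshold` failures (i.e. 3 or more).
let users = filteredData
| summarize Count = count() by user_email
| where Count > threshold
| project user_email;
filteredData
| where user_email in (users)
// metadata.* are dynamic property accesses; cast to string so the IP
// entity mapping and the Provider custom detail receive plain strings.
| extend TargetEmail = user_email, IPAddress = tostring(metadata.ip_address), Provider = tostring(metadata.provider)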
queryPeriod: 1d
query: |
let threshold = 2;
let filteredData = materialize(
NordPassEventLogs_CL
| where event_type == "login" and action == "user_login_failed"
);
let users = filteredData
| summarize Count = count() by user_email
| where Count > threshold
| project user_email;
filteredData
| where user_email in (users)
| extend TargetEmail = user_email, IPAddress = metadata.ip_address, Provider = metadata.provider
incidentConfiguration:
createIncident: false
name: NordPass - User fails authentication
entityMappings:
- fieldMappings:
- columnName: TargetEmail
identifier: MailboxPrimaryAddress
entityType: Mailbox
- fieldMappings:
- columnName: IPAddress
identifier: Address
entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_user_login_failed.yaml
description: |
This will alert you if a user fails NordPass account login or SSO authentication three or more times in the last 24 hours.
kind: Scheduled
version: 1.0.0
displayName: User fails authentication
queryFrequency: 5m
severity: High
requiredDataConnectors:
- connectorId: NordPass
dataTypes:
- NordPassEventLogs_CL
triggerOperator: gt
triggerThreshold: 2
customDetails:
Provider: Provider
tactics:
- CredentialAccess
id: 27b261dc-68f3-489a-944f-bc252e0c1960
relevantTechniques:
- T1110
- T1556.003