NordPass - User fails authentication

let threshold = 2;
let filteredData = materialize(
    NordPassEventLogs_CL
    | where event_type == "login" and action == "user_login_failed"
);
let users = filteredData
    | summarize Count = count() by user_email
    | where Count > threshold
    | project user_email;
filteredData  
| where user_email in (users)
| extend TargetEmail = user_email, IPAddress = metadata.ip_address, Provider = metadata.provider

query: |
  let threshold = 2;
  let filteredData = materialize(
      NordPassEventLogs_CL
      | where event_type == "login" and action == "user_login_failed"
  );
  let users = filteredData
      | summarize Count = count() by user_email
      | where Count > threshold
      | project user_email;
  filteredData  
  | where user_email in (users)
  | extend TargetEmail = user_email, IPAddress = metadata.ip_address, Provider = metadata.provider  
queryFrequency: 5m
queryPeriod: 1d
displayName: User fails authentication
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_user_login_failed.yaml
description: |
    This will alert you if a user fails to log in to their NordPass account or SSO authentication three or more times in the last 24 hours.
tactics:
- CredentialAccess
triggerThreshold: 2
entityMappings:
- entityType: Mailbox
  fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: TargetEmail
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
id: 27b261dc-68f3-489a-944f-bc252e0c1960
requiredDataConnectors:
- connectorId: NordPass
  dataTypes:
  - NordPassEventLogs_CL
kind: Scheduled
relevantTechniques:
- T1110
- T1556.003
customDetails:
  Provider: Provider
version: 1.0.0
incidentConfiguration:
  createIncident: false
name: NordPass - User fails authentication
triggerOperator: gt
severity: High