SlackAudit - Multiple failed logins for user
| Field | Value |
| --- | --- |
| Id | 93a91c37-032c-4380-847c-957c001957ad |
| Rulename | SlackAudit - Multiple failed logins for user |
| Description | Identifies multiple failed Slack logins for a user account within a short time window, which may indicate password guessing or brute-force activity. |
| Severity | Medium |
| Tactics | CredentialAccess |
| Techniques | T1110 |
| Required data connectors | SlackAuditAPI |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditMultipleFailedLoginsForUser.yaml |
| Version | 1.0.1 |
| Arm template | 93a91c37-032c-4380-847c-957c001957ad.json |
```kusto
let threshold = 10;
SlackAudit
| where DvcAction in~ ('user_login_failed')
| summarize FailedLogins = count() by SrcUserName, bucket = bin(TimeGenerated, 5m)
| where FailedLogins > threshold
| extend AccountCustomEntity = SrcUserName
| project SrcUserName, bucket, FailedLogins, AccountCustomEntity
```
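The detection logic of the query above, reimplemented in Python as an added example so the bucketing and threshold semantics can be tried offline. This is not code from the Sentinel solution or from this rule; the user names, timestamps and event records are constructed. `bin_time` mirrors KQL `bin(TimeGenerated, 5m)` by flooring each timestamp to an epoch-aligned 5-minute edge, and the `in~` comparison is reproduced as a case-insensitive match on `DvcAction`.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone


def bin_time(ts: datetime, minutes: int) -> datetime:
    """Floor ts to a fixed bucket edge, like KQL bin(TimeGenerated, Nm).
    Edges are aligned to the Unix epoch, not to the first event seen."""
    secs = int(ts.timestamp())
    size = minutes * 60
    return datetime.fromtimestamp(secs - secs % size, tz=timezone.utc)


def detect_failed_logins(events, threshold=10, bucket_minutes=5):
    """Return one row per (user, bucket) whose failed-login count exceeds threshold.
    Row shape follows the rule's project clause."""
    counts = Counter()
    for ev in events:
        # 'in~' in the rule is case-insensitive, so normalise before comparing
        if ev["DvcAction"].lower() != "user_login_failed":
            continue
        key = (ev["SrcUserName"], bin_time(ev["TimeGenerated"], bucket_minutes))
        counts[key] += 1
    rows = [
        {"SrcUserName": user, "bucket": bucket, "FailedLogins": n,
         "AccountCustomEntity": user}
        for (user, bucket), n in counts.items()
        if n > threshold  # strictly greater, as in the rule
    ]
    return sorted(rows, key=lambda r: (r["SrcUserName"], r["bucket"]))


def make_events(user, action, start, n, spacing_s):
    """Constructed SlackAudit-style records: n events, spacing_s seconds apart."""
    return [
        {"TimeGenerated": start + timedelta(seconds=i * spacing_s),
         "SrcUserName": user, "DvcAction": action}
        for i in range(n)
    ]


# Constructed sample data. 12:00 UTC on this date lies exactly on a 5-minute edge.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = (
    # alice: 11 failures inside one bucket (8 lower-case + 3 upper-case action names)
    make_events("alice", "user_login_failed", T0, 8, 10)
    + make_events("alice", "USER_LOGIN_FAILED", T0 + timedelta(seconds=80), 3, 10)
    # bob: exactly 10 failures; equal to the threshold, so does not fire
    + make_events("bob", "user_login_failed", T0, 10, 10)
    # carol: 12 failures that straddle the 12:05 edge (6 in each bucket); does not fire
    + make_events("carol", "user_login_failed", T0 + timedelta(minutes=3), 12, 20)
    # dave: 15 successful logins; wrong action, ignored entirely
    + make_events("dave", "user_login", T0, 15, 5)
)


if __name__ == "__main__":
    for row in detect_failed_logins(SAMPLE_EVENTS):
        print(row)
```

Two things the run makes visible: the rule fires on 11 or more failures (`> threshold`, not `>=`), and because `bin()` uses fixed edges, a burst of 12 failures split across two adjacent 5-minute buckets (the `carol` case) produces no alert. A tumbling-window count is cheap, but a sliding window or a second, longer bucket would close that gap if the analyst finds it matters.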
```yaml
status: Available
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
query: |
  let threshold = 10;
  SlackAudit
  | where DvcAction in~ ('user_login_failed')
  | summarize FailedLogins = count() by SrcUserName, bucket = bin(TimeGenerated, 5m)
  | where FailedLogins > threshold
  | extend AccountCustomEntity = SrcUserName
  | project SrcUserName, bucket, FailedLogins, AccountCustomEntity
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditMultipleFailedLoginsForUser.yaml
tactics:
  - CredentialAccess
triggerThreshold: 0
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
requiredDataConnectors:
  - connectorId: SlackAuditAPI
    dataTypes:
      - SlackAudit_CL
kind: Scheduled
relevantTechniques:
  - T1110
customDetails:
  TimeBucket: bucket
  FailedLogins: FailedLogins
  UserAccount: SrcUserName
description: |
  'Identifies multiple failed Slack logins for a user account within a short time window, which may indicate password
  guessing or brute-force activity.'
name: SlackAudit - Multiple failed logins for user
version: 1.0.1
id: 93a91c37-032c-4380-847c-957c001957ad
severity: Medium
```