Mimecast Audit - Logon Authentication Failed

MimecastAudit_CL | where src_s !="" and auditType_s == "Logon Authentication Failed"

triggerThreshold: 3
name: Mimecast Audit - Logon Authentication Failed
alertDetailsOverride: 
description: Detects threat when logon authentication failure found in audit
kind: Scheduled
queryFrequency: 5m
relevantTechniques:
- T1110
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastAudit/Analytic Rules/MimecastAudit.yaml
customDetails: 
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: 1d
    enabled: true
    matchingMethod: AllEntities
  createIncident: true
apiVersion: 2021-09-01-preview
suppressionDuration: 5h
triggerOperator: gt
version: 1.0.0
displayName: Mimecast Audit - Logon Authentication Failed
alertRuleTemplateName: 
requiredDataConnectors:
- connectorId: MimecastAuditAPI
  dataTypes:
  - MimecastAudit_CL
suppressionEnabled: false
id: 9c5dcd76-9f6d-42a3-b984-314b52678f20
query: MimecastAudit_CL | where src_s !="" and auditType_s == "Logon Authentication Failed"
severity: High
queryPeriod: 15m
tactics:
- Discovery
- InitialAccess
- CredentialAccess
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: src_s
    identifier: Address
- entityType: Mailbox
  fieldMappings:
  - columnName: user_s
    identifier: MailboxPrimaryAddress
- entityType: CloudApplication
  fieldMappings:
  - columnName: app_s
    identifier: AppId
enabled: true
eventGroupingSettings:
  aggregationKind: SingleAlert