Mimecast Audit - Logon Authentication Failed

MimecastAudit_CL | where src_s !="" and auditType_s == "Logon Authentication Failed"

triggerThreshold: 3
displayName: Mimecast Audit - Logon Authentication Failed
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: src_s
  entityType: IP
- fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: user_s
  entityType: Mailbox
- fieldMappings:
  - identifier: AppId
    columnName: app_s
  entityType: CloudApplication
kind: Scheduled
version: 1.0.0
eventGroupingSettings:
  aggregationKind: SingleAlert
apiVersion: 2021-09-01-preview
name: Mimecast Audit - Logon Authentication Failed
customDetails: 
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastAudit/Analytic Rules/MimecastAudit.yaml
severity: High
suppressionEnabled: false
query: MimecastAudit_CL | where src_s !="" and auditType_s == "Logon Authentication Failed"
queryFrequency: 5m
id: 9c5dcd76-9f6d-42a3-b984-314b52678f20
description: Detects threat when logon authentication failure found in audit
relevantTechniques:
- T1110
alertDetailsOverride: 
requiredDataConnectors:
- dataTypes:
  - MimecastAudit_CL
  connectorId: MimecastAuditAPI
suppressionDuration: 5h
enabled: true
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: 1d
  createIncident: true
alertRuleTemplateName: 
tactics:
- Discovery
- InitialAccess
- CredentialAccess
queryPeriod: 15m