Versasec CMS - Multiple Failed Login Attempts

let threshold = 5;
VersasecCmsSysLogs 
| where EventId == 2 
| sort by ComputerName asc, TimeGenerated asc
| extend TimeDiff = datetime_diff('minute', TimeGenerated, prev(TimeGenerated))
| where TimeDiff <= threshold and ComputerName == prev(ComputerName)

entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: ComputerName
tactics:
- CredentialAccess
requiredDataConnectors:
- dataTypes:
  - VersasecCmsSysLogs
  connectorId: VersasecCms
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    lookbackDuration: 5m
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: B1DB8B7E-9D74-48C3-9683-74483CBEFF4E
severity: High
eventGroupingSettings:
  aggregationKind: SingleAlert
status: Available
query: |
  let threshold = 5;
  VersasecCmsSysLogs 
  | where EventId == 2 
  | sort by ComputerName asc, TimeGenerated asc
  | extend TimeDiff = datetime_diff('minute', TimeGenerated, prev(TimeGenerated))
  | where TimeDiff <= threshold and ComputerName == prev(ComputerName)  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VersasecCMS/Analytic Rules/VersasecCmsOperatorLoginFailed.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.1
name: Versasec CMS - Multiple Failed Login Attempts
queryFrequency: 5m
triggerThreshold: 5
relevantTechniques:
- T1110
description: |
    Detects when Operator login failed to often.
triggerOperator: gt