Multiple failed attempts of NetBackup login

NetBackupAlerts_CL
| where operation_s contains "LOGIN" and Message contains "authentication failed" 
| extend userName =  split(userName_s, "@")[0]
| extend host = split(userName_s, "@")[1] 
| summarize Total=count() by tostring(host)
| where Total >= 5

incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5h
    matchingMethod: AllEntities
    reopenClosedIncident: false
    enabled: false
description: This rule generates an incident when there are more than 5 failed login attemts for a given host in the last 15 minutes.
tactics:
- CredentialAccess
- Discovery
version: 1.0.0
query: |-
  NetBackupAlerts_CL
  | where operation_s contains "LOGIN" and Message contains "authentication failed" 
  | extend userName =  split(userName_s, "@")[0]
  | extend host = split(userName_s, "@")[1] 
  | summarize Total=count() by tostring(host)
  | where Total >= 5  
eventGroupingSettings:
  aggregationKind: SingleAlert
severity: Medium
suppressionDuration: PT5H
queryPeriod: 15m
id: d39f0c47-2e85-49b9-a686-388c2eb7062c
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veritas NetBackup/Analytic Rules/NetBackup_many_login_fail.yaml
triggerOperator: gt
requiredDataConnectors: []
triggerThreshold: 0
name: Multiple failed attempts of NetBackup login
kind: Scheduled
status: Available
suppressionEnabled: false
relevantTechniques:
- T1110
- T1212
entityMappings:
- fieldMappings:
  - columnName: host
    identifier: HostName
  entityType: Host
queryFrequency: 15m