API - Password Cracking

let loginRec = apifirewall_log_1_CL
| where TimeGenerated >= ago(5m) 
| project-away Non_blocking_mode_b, Source_Port_d, Destination_Port_d, Query_s, API_ID_g, Request_Header_s, Response_Header_s, Errors_s, Type, UUID_g
| where Instance_Name_s == "Instance_2" and URI_Path_s has "/api/login?user=" and Status_d == 403;
let recCount = iff((toscalar(loginRec | count) > 10), 1, 0);
loginRec | take recCount

description: |
    '42Crunch API protection against password cracking'
kind: Scheduled
tactics:
- CredentialAccess
requiredDataConnectors:
- connectorId: 42CrunchAPIProtection
  dataTypes:
  - apifirewall_log_1_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch API Protection/Analytic Rules/APIPasswordCracking.yaml
severity: High
name: API - Password Cracking
customDetails: 
triggerThreshold: 0
queryPeriod: 5m
query: |
  let loginRec = apifirewall_log_1_CL
  | where TimeGenerated >= ago(5m) 
  | project-away Non_blocking_mode_b, Source_Port_d, Destination_Port_d, Query_s, API_ID_g, Request_Header_s, Response_Header_s, Errors_s, Type, UUID_g
  | where Instance_Name_s == "Instance_2" and URI_Path_s has "/api/login?user=" and Status_d == 403;
  let recCount = iff((toscalar(loginRec | count) > 10), 1, 0);
  loginRec | take recCount  
relevantTechniques:
- T1110
- T1555
- T1187
id: d951d64d-0ecd-4675-8c79-6c870d5f72ac
queryFrequency: 5m
status: Available
version: 1.0.0
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: Source_IP_s
    identifier: Address
- entityType: Host
  fieldMappings:
  - columnName: Hostname_s
    identifier: HostName
- entityType: Account
  fieldMappings:
  - columnName: Instance_Name_s
    identifier: FullName