API - Password Cracking

let loginRec = apifirewall_log_1_CL
| where TimeGenerated >= ago(5m) 
| project-away Non_blocking_mode_b, Source_Port_d, Destination_Port_d, Query_s, API_ID_g, Request_Header_s, Response_Header_s, Errors_s, Type, UUID_g
| where Instance_Name_s == "Instance_2" and URI_Path_s has "/api/login?user=" and Status_d == 403;
let recCount = iff((toscalar(loginRec | count) > 10), 1, 0);
loginRec | take recCount

customDetails: 
description: |
    '42Crunch API protection against password cracking'
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: SingleAlert
queryPeriod: 5m
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1110
- T1555
- T1187
query: |
  let loginRec = apifirewall_log_1_CL
  | where TimeGenerated >= ago(5m) 
  | project-away Non_blocking_mode_b, Source_Port_d, Destination_Port_d, Query_s, API_ID_g, Request_Header_s, Response_Header_s, Errors_s, Type, UUID_g
  | where Instance_Name_s == "Instance_2" and URI_Path_s has "/api/login?user=" and Status_d == 403;
  let recCount = iff((toscalar(loginRec | count) > 10), 1, 0);
  loginRec | take recCount  
queryFrequency: 5m
requiredDataConnectors:
- connectorId: 42CrunchAPIProtection
  dataTypes:
  - apifirewall_log_1_CL
name: API - Password Cracking
severity: High
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: Source_IP_s
  entityType: IP
- fieldMappings:
  - identifier: HostName
    columnName: Hostname_s
  entityType: Host
- fieldMappings:
  - identifier: FullName
    columnName: Instance_Name_s
  entityType: Account
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch API Protection/Analytic Rules/APIPasswordCracking.yaml
status: Available
id: d951d64d-0ecd-4675-8c79-6c870d5f72ac
tactics:
- CredentialAccess