Mimecast Audit - Logon Authentication Failed

MimecastAudit 
| where ['Source IP'] !="" and ['Audit Type'] == "Logon Authentication Failed"
| extend   SourceIp = ['Source IP'] 

version: 1.0.1
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastAudit/Mimecast_Audit.yaml
customDetails: 
description: Detects threat when logon authentication failure found in audit
suppressionEnabled: false
queryFrequency: 30m
enabled: true
tactics:
- Discovery
- InitialAccess
- CredentialAccess
triggerThreshold: 3
id: f00197ab-491f-41e7-9e22-a7003a4c1e54
query: |
  MimecastAudit 
  | where ['Source IP'] !="" and ['Audit Type'] == "Logon Authentication Failed"
  | extend   SourceIp = ['Source IP']   
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: true
    lookbackDuration: P7D
severity: High
eventGroupingSettings:
  aggregationKind: SingleAlert
displayName: Mimecast Audit - Logon Authentication Failed
alertDetailsOverride: 
alertRuleTemplateName: 
queryPeriod: 30m
relevantTechniques:
- T1110
suppressionDuration: 5h
entityMappings:
- fieldMappings:
  - columnName: SourceIp
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: User
    identifier: MailboxPrimaryAddress
  entityType: Mailbox
- fieldMappings:
  - columnName: Application
    identifier: AppId
  entityType: CloudApplication
name: Mimecast Audit - Logon Authentication Failed
kind: Scheduled
requiredDataConnectors:
- connectorId: MimecastAuditAPI
  dataTypes:
  - MimecastAudit