marcredhat-kql/kql/15_slow_brute_force.kql

let codes = dynamic([50053,50126,50055,50057,50155,50105,50133,50005,50076,
                                50079,50173,50158,50072,50074,53003,53000,53001,50129]);
SigninLogs
| where TimeGenerated > ago(1d) | where ResultType in (codes)
| summarize FailedAttempts = count(), UniqueUsers = dcount(UserPrincipalName)
    by IPAddress
| where FailedAttempts > 5 and UniqueUsers > 5