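// Detection query: many distinct Microsoft 365 accounts receiving an "IdsLocked"
// logon response inside one 5-minute bucket, from sources outside Microsoft's own
// ASN. The shape (many users, short window, few sources) is the lockout footprint
// of a password-spray; thresholds at the end are the tunables.
FROM logs-o365.audit-*
// event.category can be multi-valued; expand so the per-value equality test below
// evaluates each value rather than the whole array.
| MV_EXPAND event.category
| EVAL
    time_window = DATE_TRUNC(5 minutes, @timestamp),
    // Lower-cased so COUNT_DISTINCT does not split one account across case variants.
    user_id = TO_LOWER(o365.audit.UserId),
    ip = source.ip,
    login_error = o365.audit.LogonError,
    request_type = TO_LOWER(o365.audit.ExtendedProperties.RequestType),
    // `as` is a reserved word in ES|QL, hence the backtick quoting.
    asn_org = source.`as`.organization.name,
    country = source.geo.country_name,
    event_time = @timestamp
| WHERE event.dataset == "o365.audit"
    AND event.category == "authentication"
    AND event.provider IN ("AzureActiveDirectory", "Exchange")
    AND event.action IN ("UserLoginFailed", "PasswordLogonInitialAuthUsingPassword")
    // Single "|" alternation: the original pattern used "||", which introduces an
    // empty alternative between the two intended branches.
    AND request_type RLIKE "(oauth.*|.*login.*)"
    AND login_error == "IdsLocked"
    // A NULL user_id makes "!=" evaluate to NULL and the row is dropped. That is
    // acceptable here: a row without a principal could not count toward unique_users.
    AND user_id != "not available"
    // Target.Type codes carried over from the original rule; their meaning is not
    // documented in this file.
    AND o365.audit.Target.Type IN ("0", "2", "6", "10")
    // Exclude Microsoft-owned source ranges WITHOUT also discarding events that have
    // no ASN enrichment: a bare "!=" yields NULL (row removed) when asn_org is NULL,
    // which would silently blind the rule to un-enriched sources.
    AND (asn_org IS NULL OR asn_org != "MICROSOFT-CORP-MSN-AS-BLOCK")
// One row per 5-minute bucket summarising who, from where, and how often.
| STATS
    unique_users = COUNT_DISTINCT(user_id),
    user_id_list = VALUES(user_id),
    ip_list = VALUES(ip),
    unique_ips = COUNT_DISTINCT(ip),
    source_orgs = VALUES(asn_org),
    countries = VALUES(country),
    unique_country_count = COUNT_DISTINCT(country),
    unique_asn_orgs = COUNT_DISTINCT(asn_org),
    request_types = VALUES(request_type),
    first_seen = MIN(event_time),
    last_seen = MAX(event_time),
    total_lockout_responses = COUNT()
    BY time_window
| EVAL
    // first_seen/last_seen come from the same 5-minute bucket, so this is bounded
    // by 300 by construction; the final filter on it is a defensive guard.
    duration_seconds = DATE_DIFF("seconds", first_seen, last_seen)
| KEEP
    time_window, unique_users, user_id_list, ip_list,
    unique_ips, source_orgs, countries, unique_country_count,
    unique_asn_orgs, request_types, first_seen, last_seen,
    total_lockout_responses, duration_seconds
// Alerting thresholds: at least 10 distinct accounts and 10 lockout responses
// within 300 seconds. Tune per tenant size to balance noise against spray detection.
| WHERE
    unique_users >= 10 AND
    total_lockout_responses >= 10 AND
    duration_seconds <= 300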
Detect Multiple Microsoft 365 User Account Lockouts in Short Time Window in the Elastic Security detection engine by installing this rule into your Elastic Stack.