I wrote the KQL below with help from the community, but I am not able to create a custom entity in Set Rule Logic. I need to map the FailedAttempt field, but there is no option for it in the entity field.
let threshold = 2;
let authenticationWindow = 5m;
// Failed interactive sign-ins for the account under investigation
let Logs = SigninLogs
| where UserPrincipalName == "email address removed for privacy reasons"
| where ResultDescription has_any ("Invalid username or password", "Invalid on-premise username or password");
Logs
// First and last failure per 5-minute window and per user/app/source combination
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)
    by bin(TimeGenerated, authenticationWindow), UserPrincipalName, ResultDescription, AppDisplayName, IPAddress, Location
| join kind=inner (
    Logs
    // Total failures per user/app/source combination across the query's lookback
    | summarize FailedAttempt = count() by ResultDescription, UserPrincipalName, AppDisplayName, IPAddress, Location
    // Compare against the let variable; ["threshold"] would refer to a column named "threshold"
    | where FailedAttempt >= threshold
) on UserPrincipalName, AppDisplayName, ResultDescription, IPAddress, Location
| project-away UserPrincipalName1, AppDisplayName1, ResultDescription1, IPAddress1, Location1
Only these fields are coming, so how can I map FailedAttempt?
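To make clear what the FailedAttempt value in the query above actually counts, here is the same detection logic re-implemented in Python over constructed sample sign-in rows (an added example, not code from the post or from Microsoft Sentinel; the row shape, the account name and the IPs are assumptions). Unlike the posted query, whose join counts failures across the whole lookback, this version counts per 5-minute window, which is the tighter check most analysts intend.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed rows standing in for SigninLogs (not real data).
SAMPLE_LOGS = [
    {"TimeGenerated": "2024-05-01T10:00:10", "UserPrincipalName": "alice@example.com",
     "ResultDescription": "Invalid username or password", "AppDisplayName": "Office 365",
     "IPAddress": "203.0.113.5", "Location": "GB"},
    {"TimeGenerated": "2024-05-01T10:03:40", "UserPrincipalName": "alice@example.com",
     "ResultDescription": "Invalid username or password", "AppDisplayName": "Office 365",
     "IPAddress": "203.0.113.5", "Location": "GB"},
    {"TimeGenerated": "2024-05-01T10:04:05", "UserPrincipalName": "alice@example.com",
     "ResultDescription": "Other", "AppDisplayName": "Office 365",
     "IPAddress": "203.0.113.5", "Location": "GB"},   # not a failure reason: filtered out
    {"TimeGenerated": "2024-05-01T10:12:00", "UserPrincipalName": "alice@example.com",
     "ResultDescription": "Invalid username or password", "AppDisplayName": "Office 365",
     "IPAddress": "203.0.113.5", "Location": "GB"},   # later window, alone: below threshold
]

FAILURE_REASONS = ("Invalid username or password", "Invalid on-premise username or password")
KEY_FIELDS = ("UserPrincipalName", "ResultDescription", "AppDisplayName", "IPAddress", "Location")


def bin_start(ts: datetime, window: timedelta) -> datetime:
    """Equivalent of KQL bin(TimeGenerated, window): floor ts to the window boundary."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // window) * window


def failed_sign_in_bursts(logs, threshold=2, window=timedelta(minutes=5)):
    """Return one record per (window, user, result, app, IP, location) with FailedAttempt >= threshold."""
    buckets = defaultdict(list)
    for row in logs:
        # Substring match approximates KQL has_any for these fixed phrases.
        if not any(reason in row["ResultDescription"] for reason in FAILURE_REASONS):
            continue
        ts = datetime.fromisoformat(row["TimeGenerated"])
        key = (bin_start(ts, window),) + tuple(row[f] for f in KEY_FIELDS)
        buckets[key].append(ts)
    hits = []
    for key, times in buckets.items():
        if len(times) >= threshold:
            rec = dict(zip(("WindowStart",) + KEY_FIELDS, key))
            rec["StartTimeUtc"], rec["EndTimeUtc"] = min(times), max(times)
            rec["FailedAttempt"] = len(times)
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in failed_sign_in_bursts(SAMPLE_LOGS):
        print(hit)
```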