The alert threshold is above 10 attempts, which should reduce the number of false positives.

Techniques

Sample rules

O365 Excessive Authentication Failures Alert

Description

This search detects when an excessive number of authentication failures occur; it also includes attempts against MFA prompt codes.

Detection logic

`o365_management_activity` Workload=AzureActiveDirectory UserAuthenticationMethod=* status=failure 
| stats count earliest(_time) AS firstTime latest(_time) AS lastTime values(UserAuthenticationMethod) AS UserAuthenticationMethod values(UserAgent) AS UserAgent values(status) AS status values(src_ip) AS src_ip by user 
| where count > 10 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `o365_excessive_authentication_failures_alert_filter`
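The detection logic above, re-implemented in Python over constructed sample events as an added example (not code from the page or from the rule's own content): it applies the same filters as the SPL, aggregates per user, and returns only users with more than 10 failures. The raw field names used here (UserId, ResultStatus, ClientIP, CreationTime, UserAgent) are assumptions standing in for the Splunk-normalized user, status, src_ip and _time fields the search relies on.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like O365 Management Activity events.
# Raw field names (UserId, ResultStatus, ClientIP) are assumptions; the SPL on
# the page works on the Splunk-normalized fields (user, status, src_ip, _time).
def _constructed_events():
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    def ev(i, user, method, result, ip):
        return {"CreationTime": (t0 + timedelta(seconds=30 * i)).isoformat(),
                "Workload": "AzureActiveDirectory", "UserId": user,
                "UserAuthenticationMethod": method, "ResultStatus": result,
                "ClientIP": ip, "UserAgent": "Mozilla/5.0"}
    # alice: 10 password failures plus 2 MFA prompt-code failures -> 12 > 10, alerts
    events = [ev(i, "alice@example.com", "Password", "Failed", "203.0.113.5") for i in range(10)]
    events += [ev(10 + i, "alice@example.com", "MFAPromptCode", "Failed", "203.0.113.5") for i in range(2)]
    # bob: only 3 failures -> stays below the threshold
    events += [ev(i, "bob@example.com", "Password", "Failed", "198.51.100.7") for i in range(3)]
    # a success for alice is dropped by the status=failure filter
    events.append(ev(20, "alice@example.com", "Password", "Succeeded", "203.0.113.5"))
    # a non-AzureActiveDirectory workload is dropped by the Workload filter
    events.append({**ev(21, "carol@example.com", "Password", "Failed", "192.0.2.9"), "Workload": "Exchange"})
    return events

SAMPLE_EVENTS = _constructed_events()

def excessive_auth_failures(events, threshold=10):
    """Python equivalent of the page's SPL: keep AzureActiveDirectory events that carry
    an authentication method and failed, run the `stats ... by user` aggregation, and
    keep users whose failure count exceeds the threshold (`where count > 10`)."""
    stats = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None,
                                 "UserAuthenticationMethod": set(), "UserAgent": set(),
                                 "status": set(), "src_ip": set()})
    for e in events:
        # Workload=AzureActiveDirectory UserAuthenticationMethod=* status=failure
        if e.get("Workload") != "AzureActiveDirectory" or not e.get("UserAuthenticationMethod"):
            continue
        status = "failure" if e.get("ResultStatus") == "Failed" else "success"
        if status != "failure":
            continue
        s = stats[e["UserId"]]
        ts = datetime.fromisoformat(e["CreationTime"])
        s["count"] += 1
        s["firstTime"] = ts if s["firstTime"] is None else min(s["firstTime"], ts)
        s["lastTime"] = ts if s["lastTime"] is None else max(s["lastTime"], ts)
        s["UserAuthenticationMethod"].add(e["UserAuthenticationMethod"])
        s["UserAgent"].add(e["UserAgent"])
        s["status"].add(status)
        s["src_ip"].add(e["ClientIP"])
    return {user: s for user, s in stats.items() if s["count"] > threshold}

if __name__ == "__main__":
    for user, s in excessive_auth_failures(SAMPLE_EVENTS).items():
        print(user, s["count"], sorted(s["UserAuthenticationMethod"]), s["firstTime"], s["lastTime"])
```

Lowering the threshold argument shows why the page's value of 10 matters: at a threshold of 2 the same sample also flags bob, who only failed three times.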