This Sentinel rule wasn't the clearest with what was causing these.

I updated the rule to the below and also whitelisted some false positives:
```kusto
DeviceNetworkEvents
| where ActionType == "ConnectionFailed"
// Rename LocalIP to SrcIpAddr early so it flows through to final output
| extend SrcIpAddr = LocalIP
// Stage 1: count failures per device / source IP / process within each 5-minute bin
| summarize Count = count() by
    DeviceName,
    DeviceId,
    SrcIpAddr,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    bin(Timestamp, 5m)
// Only bins with more than 100 failures survive to the roll-up
| where Count > 100
// Stage 2: total the surviving bins per entity (Timestamp here is the bin start)
| summarize
    TotalCount = sum(Count),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by
    DeviceName,
    DeviceId,
    SrcIpAddr,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine
// Constant surfaced in the alert description as {{threshold}}
| extend threshold = 5000
| order by TotalCount desc
```
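As an added illustration (not the post's own query, which is KQL), this Python replays the rule's two-stage summarize over constructed DeviceNetworkEvents rows so the gating behaviour is visible: an entity only contributes to TotalCount from 5-minute bins in which it exceeded 100 failures, so a steady 90-per-bin source never alerts no matter how long it runs. The process-name allowlist is a hypothetical stand-in for the whitelisting the post mentions but does not show.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PER_BIN_MIN = 100   # the rule's "| where Count > 100" gate, applied per 5-minute bin
THRESHOLD = 5000    # "| extend threshold = 5000", surfaced in the alert text as {{threshold}}
ENTITY_COLS = ("DeviceName", "DeviceId", "LocalIP",
               "InitiatingProcessFileName", "InitiatingProcessCommandLine")
OUT_COLS = ENTITY_COLS[:2] + ("SrcIpAddr",) + ENTITY_COLS[3:]   # LocalIP renamed to SrcIpAddr

def bin_5m(ts):
    # KQL bin(Timestamp, 5m): floor the timestamp to its 5-minute boundary
    return ts.replace(minute=ts.minute - ts.minute % 5, second=0, microsecond=0)

def evaluate(events, allowlist=frozenset()):
    """Stage 1: count ConnectionFailed per entity per 5m bin, keep bins with Count > 100.
    Stage 2: total the surviving bins per entity; FirstSeen/LastSeen are bin boundaries
    because the second summarize sees the binned Timestamp, not the raw one."""
    per_bin = defaultdict(int)
    for ev in events:
        if ev["ActionType"] != "ConnectionFailed":
            continue
        if ev["InitiatingProcessFileName"].lower() in allowlist:   # hypothetical allowlist
            continue
        entity = tuple(ev[c] for c in ENTITY_COLS)
        per_bin[(entity, bin_5m(ev["Timestamp"]))] += 1
    totals = {}
    for (entity, b), count in per_bin.items():
        if count <= PER_BIN_MIN:      # a bin with 100 or fewer failures is dropped entirely
            continue
        row = totals.setdefault(entity, {"TotalCount": 0, "FirstSeen": b, "LastSeen": b})
        row["TotalCount"] += count
        row["FirstSeen"], row["LastSeen"] = min(row["FirstSeen"], b), max(row["LastSeen"], b)
    rows = [dict(zip(OUT_COLS, e), threshold=THRESHOLD, **r) for e, r in totals.items()]
    return sorted(rows, key=lambda r: r["TotalCount"], reverse=True)

def make_events(name, ip, proc, start, per_bin_counts):
    # Constructed sample data: per_bin_counts[i] failures inside the i-th 5-minute bin
    return [{"ActionType": "ConnectionFailed", "DeviceName": name, "DeviceId": name + "-id",
             "LocalIP": ip, "InitiatingProcessFileName": proc,
             "InitiatingProcessCommandLine": proc + " --scan",
             "Timestamp": start + timedelta(minutes=5 * i, seconds=j)}
            for i, n in enumerate(per_bin_counts) for j in range(n)]

T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE = (make_events("host-a", "10.0.0.5", "scanner.exe", T0, [150, 120, 40])  # bins 1-2 pass the gate
          + make_events("host-b", "10.0.0.6", "app.exe", T0, [90, 90, 90])     # 270 total, never alerts
          + make_events("host-c", "10.0.0.7", "backup.exe", T0, [200]))        # allowlisted in the test
```

Note that host-a and host-b both produce 270 failures over 15 minutes, but only host-a is returned, and nothing in the query compares TotalCount against the 5000 the alert text quotes.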
## Then Fix the Wizard Settings

**Entity Mapping:**

| Field | Value |
|---|---|
| Entity type | IP |
| Identifier | Address |
| Column | `SrcIpAddr` |

**Custom Details:**

| Key | Value |
|---|---|
| NumberOfDenies | `TotalCount` |

**Alert Name Format:**

```
Excessive number of failed connections from {{SrcIpAddr}}
```

**Alert Description Format:**

```
The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.
```
