Raw Log Query on Account Logouts

I am working on generating a raw log query from AD - User Acct password has been reset 5 times within 10 minutes. I can query on the event ID, and can set the threshold, but I am not sure how to key the query to check and see if it’s the same account for that threshold.

@mkarolitzky is the goal to build a custom detection rule from this query? If so, you would set the threshold in the Groupby section like this:

[Screenshot omitted: the Groupby section of the custom detection rule, captured 2024-07-09 1:12 PM]
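The grouping the answer describes, as an added Python example that is not from the thread or from the product being discussed: it treats the target account as the group-by key and fires only when a single account accumulates 5 reset events inside a sliding 10-minute window, so resets spread across different accounts never add up. Windows Event ID 4724 (password reset attempt), the field names and the key=value line format are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the original thread). Fields mimic the
# Windows Security log: Event ID 4724 = "An attempt was made to reset an
# account's password"; TargetUserName is the account whose password was reset.
SAMPLE_LOG = """\
2024-07-09T13:00:10 EventID=4724 SubjectUserName=helpdesk1 TargetUserName=jdoe
2024-07-09T13:01:05 EventID=4724 SubjectUserName=helpdesk1 TargetUserName=asmith
2024-07-09T13:02:30 EventID=4724 SubjectUserName=helpdesk1 TargetUserName=jdoe
2024-07-09T13:03:45 EventID=4724 SubjectUserName=helpdesk2 TargetUserName=jdoe
2024-07-09T13:04:00 EventID=4624 SubjectUserName=jdoe TargetUserName=jdoe
2024-07-09T13:06:12 EventID=4724 SubjectUserName=helpdesk1 TargetUserName=jdoe
2024-07-09T13:09:59 EventID=4724 SubjectUserName=helpdesk1 TargetUserName=jdoe
2024-07-09T13:30:00 EventID=4724 SubjectUserName=helpdesk1 TargetUserName=asmith
"""

def parse_line(line):
    """Turn one 'timestamp key=value ...' line into (datetime, fields dict)."""
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts_text), fields

def detect_reset_bursts(log_text, threshold=5, window=timedelta(minutes=10),
                        event_id="4724"):
    """Flag any TargetUserName with >= threshold reset events inside a sliding
    window. The per-account deque is the 'group by': only events for the same
    account count against that account's threshold."""
    recent = defaultdict(deque)   # account -> timestamps still inside the window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if f.get("EventID") != event_id:
            continue                      # other event IDs never count
        account = f["TargetUserName"]
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:         # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((account, q[0], ts, len(q)))
            q.clear()                     # one alert per burst, then restart
    return alerts

if __name__ == "__main__":
    for account, first, last, n in detect_reset_bursts(SAMPLE_LOG):
        print(f"ALERT {account}: {n} resets between {first} and {last}")
```

With the sample above only jdoe trips the rule (5 resets in under 10 minutes); asmith's two resets are 29 minutes apart and the 4624 logon line is ignored.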

Excellent! Thanks. I now understand how that function is used.

Much Appreciated!