Update ExcessiveLogonFailures.yaml

Detections/SecurityEvent/ExcessiveLogonFailures.yaml

@@ -34,6 +34,7 @@ query: |
       | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress
   ) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress
   | where CountToday >= coalesce(CountPrev7day,0)*threshold and CountToday >= countlimit
+  //SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625
   | extend Reason = case(
   SubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',
   SubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',