Update MultipleFailedFollowedBySuccess.yaml

Detections/SecurityEvent/MultipleFailedFollowedBySuccess.yaml

@@ -12,7 +12,7 @@ requiredDataConnectors:
     dataTypes:
       - SecurityEvent
 queryFrequency: 6h
-queryPeriod: 6d
+queryPeriod: 6h
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
@@ -45,4 +45,6 @@ query: |
     | project-away SessionStartedUtc, list_Outcome 
     // where the number of failures before the success is above the threshold 
     | where FailureCountBeforeSuccess >= authenticationThreshold
-    | extend timestamp=StartTime, CustomAccountEntity=Account
+    // expand out ip and computer for customer entity assignment
+    | mvexpand IpAddress=set_IpAddress, Computer=set_Computer
+    | extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress