@faststeak
Created March 23, 2020 19:48
Splunk Search for finding password spray - useful for "Jacked directly into the matrix"
index=winevents sourcetype=WinEventLog:Security EventCode=4625 NOT(user=*$ OR host="insert Domain Controllers here") Failure_Reason="Unknown user name or bad password."
| bin span=30m _time
| stats min(_time) as firstTime max(_time) as lastTime count dc(user) as user_count values(user) as user_logon_attempts values(Source_Network_Address) as Source_Network_Addresses by _time host Logon_Type Failure_Reason
| fields firstTime lastTime host Logon_Type Failure_Reason user_count user_logon_attempts Source_Network_Addresses
| convert ctime(firstTime), ctime(lastTime)
| where user_count>50
| eval user_logon_attempts=mvjoin(user_logon_attempts, ", ")
| eval user_logon_attempts=substr(user_logon_attempts, 1, 500)
| eval user_logon_attempts=user_logon_attempts."................."
| eval Source_Network_Addresses=mvjoin(Source_Network_Addresses, "| -AND- |")
| eval rule_impact="medium"
| eval rule_confidence="medium"
| eval mitre_id="T1110"
| eval description="Possible Password Spray Attack against host \"".host."\""
| eval useful_fields="Logon_Type=".Logon_Type."|Failure_Reason=\"".Failure_Reason."\"|user_count=".user_count."|user_logon_attempts=\"".user_logon_attempts."\"|Source_Network_Addresses=\"".Source_Network_Addresses."\""
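The same detection logic re-implemented in Python as an added example (not part of the gist), so the filtering, 30-minute bucketing and distinct-user threshold can be checked offline against constructed 4625 records. Field names mirror the Splunk extractions the search uses; the event data and the DOMAIN_CONTROLLERS set are assumptions.

```python
"""Password-spray detection over Windows 4625 logon failures, mirroring the SPL above."""
from collections import defaultdict
from datetime import datetime, timezone

BAD_PASSWORD = "Unknown user name or bad password."
WINDOW_SECONDS = 30 * 60        # bin span=30m
USER_THRESHOLD = 50             # where user_count>50
DOMAIN_CONTROLLERS = {"DC01"}   # hypothetical: hosts excluded from the search

def _event(ts, host, user, logon_type, src):
    return {"_time": ts, "EventCode": 4625, "host": host, "user": user,
            "Logon_Type": logon_type, "Failure_Reason": BAD_PASSWORD,
            "Source_Network_Address": src}

# Constructed sample data: 60 distinct users failing against FS01 within one
# window (spray), one machine account (excluded by the user=*$ filter) and one
# isolated failure on another host (below threshold).
SAMPLE_EVENTS = [_event(f"2020-03-23 19:{i % 20:02d}:05", "FS01", f"user{i:03d}", "3", "10.0.0.77")
                 for i in range(60)]
SAMPLE_EVENTS.append(_event("2020-03-23 19:10:00", "FS01", "FS01$", "3", "10.0.0.5"))
SAMPLE_EVENTS.append(_event("2020-03-23 19:12:00", "WS22", "alice", "2", "10.0.0.9"))

def detect_password_spray(events, threshold=USER_THRESHOLD):
    """Return one alert per (window, host, Logon_Type) with more than `threshold` distinct users."""
    groups = defaultdict(lambda: {"users": set(), "sources": set(), "times": []})
    for e in events:
        # Base search: EventCode=4625, not a machine account, not a DC, bad-password reason.
        if e["EventCode"] != 4625 or e["Failure_Reason"] != BAD_PASSWORD:
            continue
        if e["user"].endswith("$") or e["host"] in DOMAIN_CONTROLLERS:
            continue
        ts = datetime.strptime(e["_time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()
        window = int(ts // WINDOW_SECONDS) * WINDOW_SECONDS          # bin _time
        g = groups[(window, e["host"], e["Logon_Type"])]              # stats ... by
        g["users"].add(e["user"])
        g["sources"].add(e["Source_Network_Address"])
        g["times"].append(ts)
    alerts = []
    for (window, host, logon_type), g in sorted(groups.items()):
        if len(g["users"]) > threshold:                               # dc(user) > 50
            alerts.append({"host": host, "Logon_Type": logon_type, "user_count": len(g["users"]),
                           "firstTime": min(g["times"]), "lastTime": max(g["times"]),
                           "Source_Network_Addresses": sorted(g["sources"]),
                           "mitre_id": "T1110", "rule_impact": "medium", "rule_confidence": "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```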