[Rule Tuning] Potential password spraying of microsoft 365 user accounts (#1164)

* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/01"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/05/24"
 
 [rule]
 author = ["Elastic"]
@@ -31,10 +31,10 @@ tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps",
 type = "threshold"
 
 query = '''
-event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure
+event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and 
+event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword") and event.outcome:failure
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -51,4 +51,3 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.threshold]
 field = ["source.ip"]
 value = 25
-