
Add hunting query: short-window IP failure burst followed by successful sign-in#14208

Merged
v-atulyadav merged 1 commit into Azure:master from descambiado:add-ip-identity-short-window-correlation-hunting-query
May 7, 2026

Conversation

@descambiado
Contributor

Change(s):

  • Added a new hunting query: Hunting Queries/MultipleDataSources/IPIdentityFailureBurstFollowedBySuccess.yaml.
  • The query correlates interactive (SigninLogs) and non-interactive (AADNonInteractiveUserSignInLogs) sign-ins by IP address.
  • It identifies short-window patterns where one IP produces a burst of failed sign-ins across multiple identities followed by successful sign-in activity.

Reason for Change(s):

  • Helps SOC analysts prioritize high-friction identity events that may indicate password spraying or opportunistic credential misuse.
  • Improves triage consistency by providing explicit thresholds, bounded correlation windows, and contextual output sets for investigation.
  • Supports alert fatigue reduction by focusing on patterns with meaningful entity relationships instead of isolated single events.

Validation:

  • Reviewed YAML structure and required metadata fields (id, name, connectors, tactics, techniques, query, entities, version, metadata).
  • Confirmed contribution scope is one new hunting query file only.
  • Confirmed no detections, analytic rules, parsers, playbooks, workbooks, or existing files were modified.

Boundaries:

  • This is a hypothesis-driven hunting query, not a deterministic detection.
  • The query does not prove compromise by itself and does not assert adversary-in-the-middle behavior.
  • Benign matches are expected in shared egress environments (NAT, VPN/proxy, enterprise gateways) and should be validated by analysts.

Risk notes:

  • Potential benign scenarios include enterprise proxy egress shifts, legitimate automation/service activity, and background sign-in behavior.
  • Thresholds are intentionally explicit and can be tuned per tenant risk profile and baseline behavior.
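The correlation the PR describes, written out as an added KQL example for illustration; this is not the query file in this PR. It unions both sign-in tables, keeps IPs whose failures span several identities within one short bin, and joins any success from the same IP inside a follow-up window. The thresholds, window sizes and projected columns are assumptions to tune per tenant.

```kql
// Added example, not the PR's query. Thresholds and windows are assumptions.
let lookback = 1d;
let burstWindow = 10m;      // bin in which the failed sign-ins must fall
let followWindow = 30m;     // how long after the burst a success still counts
let minFailures = 20;
let minDistinctUsers = 5;
// Interactive and non-interactive sign-ins normalised to one shape.
let signins = union isfuzzy=true
    (SigninLogs
     | project TimeGenerated, IPAddress, UserPrincipalName, ResultType,
               AppDisplayName, Source = "Interactive"),
    (AADNonInteractiveUserSignInLogs
     | project TimeGenerated, IPAddress, UserPrincipalName, ResultType,
               AppDisplayName, Source = "NonInteractive")
    | where TimeGenerated > ago(lookback);
// Failure bursts: one IP, many distinct identities, inside a single bin.
// Known limitation: a burst straddling a bin boundary is split in two.
let bursts = signins
    | where ResultType != "0"
    | summarize FailureCount = count(),
                DistinctUsers = dcount(UserPrincipalName),
                FailedUsers = make_set(UserPrincipalName, 50),
                BurstStart = min(TimeGenerated),
                BurstEnd = max(TimeGenerated)
      by IPAddress, Bin = bin(TimeGenerated, burstWindow)
    | where FailureCount >= minFailures and DistinctUsers >= minDistinctUsers;
// Successes from the same IP from the start of the burst until followWindow
// after it ends (a spray can succeed mid-burst, so BurstStart is the lower bound).
signins
| where ResultType == "0"
| join kind=inner bursts on IPAddress
| where TimeGenerated between (BurstStart .. (BurstEnd + followWindow))
| summarize SuccessCount = count(),
            SucceededUsers = make_set(UserPrincipalName, 50),
            FirstSuccess = min(TimeGenerated),
            Apps = make_set(AppDisplayName, 20),
            FailedUsers = take_any(FailedUsers)
  by IPAddress, BurstStart, BurstEnd, FailureCount, DistinctUsers
// Identities that both failed in the burst and later succeeded from that IP.
| extend SucceededAfterFailing = set_intersect(SucceededUsers, FailedUsers)
| project-reorder IPAddress, BurstStart, BurstEnd, FailureCount, DistinctUsers,
                  SuccessCount, FirstSuccess, SucceededAfterFailing
| order by FailureCount desc
```

Shared egress (NAT, VPN, proxy) will produce benign rows here, so `SucceededAfterFailing` and `Apps` are the columns to pivot on when triaging rather than the raw counts.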

@descambiado descambiado requested review from a team as code owners May 5, 2026 18:23
@v-maheshbh v-maheshbh added the Hunting Hunting specialty review needed label May 6, 2026
@v-shukore
Contributor

Hi @descambiado, please add all your files into a single PR from now onwards; don't raise a PR for each query. Thanks!

@descambiado
Contributor Author

Thank you for the feedback, @v-shukore. Understood — all future contributions will be bundled into a single PR rather than one per query. I will apply this going forward.

@v-atulyadav v-atulyadav merged commit 4d74c4b into Azure:master May 7, 2026
23 checks passed