Rich is asking: what do you mean by abuse?
Count of failures? Count of success? By source? Over a given time range? From a given source to a number of destinations in a given time window?
You always need to start with defining the criteria of what you mean when using terms like abuse, unusual, unexpected, etc. when creating detections. That drives what you do in SPL.
Thanks for your response.
Abuse means unusual authentications, interactive activity, suspicious processes. I would like to build detections for any of these terms. Could you please suggest how I can proceed further with this?