Hey this logic has few issues - (of course this is just my opinion)

I made a test using kerbrute 
below you can see results using SPL from documentation 

enumeration took a while and we see events for 1h 

1st
I removed values(TargetUserName) as tried_accounts from stats commands becouse keep all of it doesn't make sense (64k in 2min)
I recommend use and here defined how many examples we want to see 
| eval tried_accounts =mvindex(tried_accounts , 0, 9)  

2nd 
isOutlier - wouldn't trigger when we will run scan and test massive number of users and generally environment are pretty quiet like on upper screens 

the reason is in this logic 
| eval upperBound=(comp_avg+comp_std*3)

scanner generally us similar number tests per minute  (in my case it was 35k average and standard deviation was equal 3,3k) 

based on that we scan average 70k per 2min and standard deviation I've got almost 10k 
in results to get  Outlier I should see 100k+ account within 2min but scanner never crossed 80k 

It depends on the time range you're running it over. (and yes, it's not a fastest search).

It relies on the fact that you'd have a high relatively short-lived spike. Assuming normal distribution (which is a typical assumption for real-life data) 3-sigma range should contain 99,7% of normally distributed data. Hence if you have a short spike, it should not affect your std dev too much so the scan should stand out. But if you search over a time range of which anomalous scan numbers are a significant part it will significantly affect the std dev so your bounds might get way too broad.

So it does make sense but might need tweaking. If you don't mind dealing with FPs you might want to lower the bound limits - switch to 2-sigma.