SigninLogs
| where ResultType == "0" // Filter successful sign-ins only
| where AuthenticationMethod contains "ROPC" // Filter sign-ins with ROPC authentication protocol
| summarize by UserId, ClientAppUsed, ResultType, bin(TimeGenerated, 1h) // Aggregate by user, client app, result type, and hour
| extend HourlyCount = count() by UserId, ClientAppUsed, ResultType // Count the number of sign-ins per user, client app, and result type
| summarize AvgCount = avg(HourlyCount) by UserId, ClientAppUsed, ResultType // Calculate the average number of sign-ins per hour per user, client app, and result type
| join kind=inner ( // Inner join with the sign-in logs again to get the latest data for each user, client app, and result type
    SigninLogs
    | where ResultType == "0" // Filter successful sign-ins only
    | where AuthenticationMethod contains "ROPC" // Filter sign-ins with ROPC authentication protocol
    | summarize LatestTimeGenerated = max(TimeGenerated) by UserId, ClientAppUsed, ResultType // Get the latest timestamp for each user, client app, and result type
) on UserId, ClientAppUsed, ResultType
| where HourlyCount > AvgCount * 3 // Filter sign-ins with count greater than 3 times the average count
| where TimeGenerated == LatestTimeGenerated // Filter sign-ins with latest timestamp only