Detection rule: Failed login attempts

Hi, I've created my own detection rule for employees failed login attempts. It does work but when signal comes to Security -> Detection dashboard, it do not show user.name or host.name.
This is screen shot of my rule:


Is there a way to update my rule that it would show user.name or host.name?
This is a screen shot of fired signal:

Regards
Ema

only if you use user.name or host.name in the group by and that is dependant on what you want to do

Usually group by host.name or source.ip (depending on the logs) so that you are looking from multiple failed logins from a device. If you look for multiple failed logins full stop you might lots of failed logins come monday morning at 9am for example. This is more for scatter of user names.

If you group by user.name then your looking more for brute force attempts.

Thank you @probson. I adjusted the detection rule according to your advice and I'll wait for the results.