Custom Alert Query Question

Hi All, I’m struggling with an issue that is becoming noisy. I have a situation where I am ingesting logs from my identity provider infrastructure (specifically Ping Federate). I have configured an alert to notify me when Ping Identity issues a response back indicating that a user failed authentication because of a bad username. Specifically I look for this string, ‘authn.srvr.msg.user.not.found’ and generate an alert to review the login attempt.

The idea is to determine if we are seeing any type of trend of failed logins that may be malicious. Obviously there will be the occasional employee who mistypes their username, but most of the time we are able to see events where a threat actor is attempting username enumeration / brute-force attacks.

The problem I’m having is that the context I need (originating IP, username, etc.) is contained in a log line about 10 lines above (the RADIUS transaction details). This results in having to do manual log searches to get the context, which takes time that could be spent on more beneficial activities.

How can I generate the alert and have it include the line I’m searching for plus the 10 lines preceding it for context in the Evidence?

Unfortunately there’s no built-in way to do this within IDR. You would need something like InsightConnect to automate that search for context for you.

InsightIDR can only respond to one log line at a time. The way to get around this would be to have the provider that’s sending the logs find a way to reformat or concatenate the logs into a single log line if they’re all referring to the same transaction, presumably using the same UID or something to reference them all together.

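The "concatenate at the source" workaround described in the answer above, as an added example that is not part of the original thread and is not InsightIDR, InsightConnect or Ping Federate code. It is a small forwarder-side pre-processor: it keeps a rolling window of the preceding lines, and when it sees the `authn.srvr.msg.user.not.found` marker it pulls the source IP and username out of the earlier lines that share the same transaction id and emits one self-contained JSON line the SIEM can alert on. The `key=value` layout, the `tid=` transaction id and the `src_ip=`/`username=` field names are assumptions for this example; the sample log lines are constructed, and real Ping Federate output will need different regexes.

```python
"""Collapse multi-line IdP auth-failure context into one enriched log line.

Added example, not from the original thread and not vendor code. The log
layout below (key=value pairs, a 'tid=' transaction id) is an assumption
made for the example; adapt FIELD_PATTERNS to the real Ping Federate format.
"""
import json
import re
from collections import deque

MARKER = "authn.srvr.msg.user.not.found"

# Fields worth pulling forward into the alert. Assumed key=value style.
FIELD_PATTERNS = {
    "tid": re.compile(r"\btid=(\S+)"),
    "src_ip": re.compile(r"\b(?:client|src)[-_ ]?ip=([0-9a-fA-F.:]+)"),
    "username": re.compile(r"\buser(?:name)?=(\S+)"),
}


def parse_fields(line):
    """Extract the known key=value fields from a single log line."""
    found = {}
    for name, pat in FIELD_PATTERNS.items():
        m = pat.search(line)
        if m:
            found[name] = m.group(1)
    return found


def enrich_failures(lines, marker=MARKER, context_lines=10):
    """Return one dict per marker line, enriched from the preceding lines.

    When the marker line carries a transaction id, only earlier lines with
    the same tid contribute fields (safe when transactions interleave).
    Without a tid we fall back to the raw window and flag the result as
    ambiguous, because the IP/username may belong to another login.
    """
    window = deque(maxlen=context_lines)
    events = []
    for line in lines:
        if marker in line:
            fields = parse_fields(line)
            tid = fields.get("tid")
            if tid is None:
                context = list(window)
            else:
                context = [l for l in window if parse_fields(l).get("tid") == tid]
            # Earlier lines fill in fields; the marker line wins on conflict.
            merged = {}
            for ctx in context:
                merged.update(parse_fields(ctx))
            merged.update(fields)
            events.append({
                "reason": marker,
                "tid": tid,
                "src_ip": merged.get("src_ip"),
                "username": merged.get("username"),
                "ambiguous": tid is None,
                "context": [c.strip() for c in context],
                "message": line.strip(),
            })
        window.append(line)
    return events


def to_single_line(event):
    """Serialise the event as one JSON line (no embedded newlines)."""
    return json.dumps(event, separators=(",", ":"))


# Constructed sample: two interleaved RADIUS transactions (a1, b2), one of
# which fails with user-not-found, plus a marker line with no tid at all.
SAMPLE = [
    "2024-01-01T10:00:00Z radius tid=a1 src_ip=198.51.100.7 username=jdoe proto=PAP",
    "2024-01-01T10:00:00Z radius tid=b2 src_ip=203.0.113.9 username=admin proto=PAP",
    "2024-01-01T10:00:01Z authn tid=a1 adapter=RadiusAdapter step=lookup",
    "2024-01-01T10:00:01Z authn tid=b2 adapter=RadiusAdapter step=lookup",
    "2024-01-01T10:00:01Z authn tid=a1 result=success",
    "2024-01-01T10:00:02Z authn tid=b2 msg=authn.srvr.msg.user.not.found",
    "2024-01-01T10:00:03Z authn msg=authn.srvr.msg.user.not.found",
]

if __name__ == "__main__":
    for event in enrich_failures(SAMPLE):
        print(to_single_line(event))
```

Run against the sample, the first event resolves to `tid=b2`, `src_ip=203.0.113.9`, `username=admin` from the two earlier `b2` lines only; the second event has no tid, so it is marked `ambiguous` and its fields come from whatever was in the window. In practice you would point the rolling window at the live log file (or a syslog relay) and ship only the emitted JSON lines, so the SIEM alert carries the IP and username in the same event it matched on.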

Thanks. This was my fear, but maybe it's the impetus to explore Connect, as I have other automation that I’d like to do with the details (e.g. blacklist the IP behind a brute-force attack, submit an abuse complaint, etc.).