Hi All, I’m struggling with an issue that is becoming noisy. I have a situation where I am ingesting logs from my identity provider infrastructure (specifically Ping Federate). I have configured an alert to notify me when Ping Identity issues a response back indicating that a user failed authentication because of a bad username. Specifically I look for this string, ‘authn.srvr.msg.user.not.found’ and generate an alert to review the login attempt.
The idea is to determine if we are seeing any type of trend of failed logins that may be malicious. Obviously there will be the occasional employee who mistypes their username, but most of the time we are able to see events where a threat actor is attempting username enumeration / brute-force attacks.
The problem I’m having is that the context I need (originating IP, username, etc.) is contained in a log line about 10 lines above (RADIUS transaction details). This results in having to do manual log searches to get the context, which takes time that could be spent on more beneficial activities.
How can I generate the alert and have it include the line I’m searching for plus the 10 lines preceding it for context in the Evidence?
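One way to attach the preceding lines as evidence when post-processing the raw log, as an added example that is not the poster's code or Ping Identity's: it assumes a plain-text log with one event per line and a hypothetical `user=`/`src=` layout for the RADIUS transaction line, and the sample lines are constructed.

```python
"""Alert on a Ping Federate event with the lines preceding it as evidence.
Added example, not code from the original post or from Ping Identity. It
assumes one event per line and that the RADIUS transaction line carries
"user=" and "src=" fields; that layout and the sample lines are constructed."""
import re
from collections import deque

MATCH_TOKEN = "authn.srvr.msg.user.not.found"
CONTEXT_LINES = 10  # preceding lines to attach as evidence
# Assumed (hypothetical) field layout of the RADIUS transaction line.
RADIUS_RE = re.compile(
    r"radius transaction.*?user=(?P<user>\S+).*?src=(?P<src>\S+)", re.I)


def find_alerts(lines, token=MATCH_TOKEN, context=CONTEXT_LINES):
    """One alert dict per line containing `token`: the line itself, the
    `context` lines before it, and user/src parsed from the nearest RADIUS
    transaction line inside that window (None if none is in the window)."""
    window = deque(maxlen=context)  # ring buffer of the last N lines
    alerts = []
    for lineno, line in enumerate(lines, start=1):
        line = line.rstrip("\n")
        if token in line:
            user = src = None
            for prev in reversed(window):  # nearest RADIUS line wins
                m = RADIUS_RE.search(prev)
                if m:
                    user, src = m.group("user"), m.group("src")
                    break
            alerts.append({"line_no": lineno, "line": line, "user": user,
                           "src_ip": src, "evidence": list(window)})
        window.append(line)  # appended after the check: match not in window
    return alerts


# Constructed sample log (not a real Ping Federate capture): two failures,
# each preceded by a RADIUS transaction line within the 10-line window.
SAMPLE_LOG = (
    ["2024-01-01T10:00:00Z INFO radius transaction id=1 user=alice src=10.0.0.5"]
    + [f"2024-01-01T10:00:00Z DEBUG policy step {i}" for i in range(9)]
    + ["2024-01-01T10:00:01Z WARN authn.srvr.msg.user.not.found"]
    + ["2024-01-01T10:00:02Z INFO radius transaction id=2 user=bobb src=203.0.113.7"]
    + [f"2024-01-01T10:00:02Z DEBUG policy step {i}" for i in range(3)]
    + ["2024-01-01T10:00:03Z WARN authn.srvr.msg.user.not.found"]
)

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(f"line {a['line_no']}: user={a['user']} src={a['src_ip']}")
        print("  evidence:", *a["evidence"], sep="\n    ")
```

The same windowing works on a live stream rather than a file, since the buffer only ever holds the last ten lines.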