When asked to search in the SIEM for any successful/failed authentication attempts, what do users leverage in terms of searching criteria?
There is an event.category tag, but not all parsers use that logic, nor do I believe CEF (Common Event Format) based events even support categorization.
The usernames are also not consistently parsed out among the parsers (user.dst, user.src, username), which means that when we are tasked with creating a failed login report, we have to create 3 separate reports using (username, user.dst, user.src) just to be sure that those tags are covered.
You would think we could globally search on a category such as this?
I currently have to go through each event source and identify how users are parsed out, which is not sustainable, as the SIEM should be able to consistently normalize this type of data.
You should be able to get the event from ec.theme = authentication and then get the failure from ec.outcome. Is that not the case? As for username, that should be mostly user.dst. Do you have examples of parsers putting content in "username" or "user.src"? Those are rarely used. It could be simplified by building a Lua parser to move those values to a single meta key, but I'd have to look into that more.
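The normalization the two posts are circling (select on ec.theme/ec.outcome, then fold user.dst, username and user.src into one user field before counting failures) can be prototyped outside the SIEM. The following is an added example written for this thread, not code from either poster and not a NetWitness parser: the meta key names are the ones the thread mentions, the precedence order user.dst > username > user.src is an assumption, device.type is assumed as the per-source identifier, and the events are constructed samples. It also reports events that carry no user key at all and which key each source actually populates, which is the per-source audit the original poster currently does by hand.

```python
"""Fold authentication events whose user name lives under different meta
keys into one field, then build a failed-login report.  Added example for
this thread; not NetWitness code.  Key names come from the thread, the
precedence order and device.type are assumptions, the events are constructed.
"""

from collections import Counter

# Constructed sample events imitating meta produced by several parsers.
SAMPLE_EVENTS = [
    {"ec.theme": "authentication", "ec.outcome": "failure", "user.dst": "Alice", "device.type": "winevent_nic"},
    {"ec.theme": "authentication", "ec.outcome": "success", "user.dst": "alice", "device.type": "winevent_nic"},
    {"ec.theme": "authentication", "ec.outcome": "failure", "username": "bob", "device.type": "cef-vpn"},
    {"ec.theme": "authentication", "ec.outcome": "failure", "user.src": "bob", "device.type": "linux-sshd"},
    {"ec.theme": "authentication", "ec.outcome": "failure", "user.src": "carol", "device.type": "linux-sshd"},
    # A failure with no user key at all: the report must surface this rather than silently drop it.
    {"ec.theme": "authentication", "ec.outcome": "failure", "device.type": "cef-firewall"},
    # Not an authentication event; must be excluded by the theme filter.
    {"ec.theme": "network", "ec.outcome": "success", "user.dst": "dave", "device.type": "proxy"},
]

# Assumed precedence when more than one key is present.
USER_KEYS = ("user.dst", "username", "user.src")


def normalized_user(event):
    """Return the first populated user key (lower-cased, trimmed), or None."""
    for key in USER_KEYS:
        value = event.get(key)
        if value:
            return value.strip().lower()
    return None


def is_failed_auth(event):
    """The selection the reply suggests: authentication theme with a failure outcome."""
    return event.get("ec.theme") == "authentication" and event.get("ec.outcome") == "failure"


def failed_login_report(events):
    """Return (failures per normalized user, list of sources whose failures had no user)."""
    counts = Counter()
    unattributed = []
    for ev in events:
        if not is_failed_auth(ev):
            continue
        user = normalized_user(ev)
        if user is None:
            unattributed.append(ev.get("device.type", "unknown"))
        else:
            counts[user] += 1
    return counts, unattributed


def coverage_by_source(events):
    """Map each event source to the set of user keys it actually populates."""
    coverage = {}
    for ev in events:
        src = ev.get("device.type", "unknown")
        populated = {k for k in USER_KEYS if ev.get(k)}
        coverage.setdefault(src, set()).update(populated)
    return coverage


if __name__ == "__main__":
    counts, missing = failed_login_report(SAMPLE_EVENTS)
    for user, n in counts.most_common():
        print(f"{user:10} {n} failed logins")
    if missing:
        print("failures with no user key from:", ", ".join(missing))
    for src, keys in sorted(coverage_by_source(SAMPLE_EVENTS).items()):
        print(f"{src:14} populates {sorted(keys) or 'no user key'}")
```

The coverage map is the useful output before any Lua parser is written: sources that appear with an empty set are the ones a single-key report would miss entirely, and sources split across several keys are the ones that justify folding into one meta key.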