When asked to search in the SIEM for any successful/failed authentication attempts, what do users leverage in terms of searching criteria?
There is an event.category tag, but not all parsers use that logic, nor do I believe CEF (Common Event Format) based events even support categorization.
The usernames are also not consistently parsed out among the parsers (user.dst, user.src, username), which means that when we are tasked with creating a failed login report, we have to create 3 separate reports using (username, user.dst, user.src) just to be sure that those tags are covered.
You would think we could globally search on a category such as this?
I currently have to go through each event source and identify how users are parsed out, which is not sustainable, as the SIEM should be able to consistently normalize this type of data.
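One way to get a single failed-login report out of events whose parsers disagree on the user field, as an added example that is not part of the original post and not any SIEM vendor's own code: parse each raw event (a JSON record or a raw CEF line), coalesce the candidate user fields (user.dst, user.src, username from the post, plus the standard CEF extension keys suser and duser) into one user.name, derive an authentication category and outcome where the parser did not supply event.category or event.outcome, and then count failures per user. The sample events, the message wording and the keyword patterns are constructed for the example; the field names other than the CEF keys are assumptions about how a given parser emits them.

```python
import json
import re
from collections import Counter

# Constructed sample events (not captured from any real SIEM): three JSON
# records that name the user differently, one of which carries an
# event.category tag, and one raw CEF line. "suser" and "src" are standard
# CEF extension keys; the JSON field names follow the post.
SAMPLE_EVENTS = [
    '{"event.category": "authentication", "event.outcome": "failure", '
    '"user.dst": "alice", "source.ip": "10.0.0.5"}',
    '{"username": "bob", "message": "Failed password for bob from 10.0.0.9", '
    '"source.ip": "10.0.0.9"}',
    '{"user.src": "carol", "message": "Accepted publickey for carol", '
    '"source.ip": "10.0.0.7"}',
    "CEF:0|Vendor|Product|1.0|100|Login failed|5|"
    "suser=alice src=10.0.0.5 outcome=failure",
]

# Every field a parser might put the account name in, in priority order.
# user.name is assumed to be the already-normalized name where it exists.
USER_FIELDS = ("user.name", "username", "user.dst", "user.src", "suser", "duser")

# Heuristics used only when the parser supplied no category/outcome tags.
AUTH_RE = re.compile(r"password|publickey|login|logon|sign-?in|authenticat", re.I)
FAIL_RE = re.compile(r"fail|invalid|denied|rejected", re.I)
SUCCESS_RE = re.compile(r"accepted|success", re.I)


def parse_cef(line):
    """Parse a CEF line into a flat dict of header fields plus extension keys."""
    body = line[len("CEF:"):]
    # The header is 7 pipe-delimited fields; a literal pipe is escaped as "\|".
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: %r" % line)
    _version, vendor, product, _dev_version, sig_id, name, _severity, ext = parts
    event = {"cef.vendor": vendor, "cef.product": product,
             "cef.signature_id": sig_id, "cef.name": name}
    # Extension is key=value pairs; values may contain spaces, so a value
    # runs until the next " key=" or end of line.
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", ext):
        event[m.group(1)] = m.group(2)
    return event


def parse_event(raw):
    """Dispatch on format: raw CEF line or a JSON record from another parser."""
    if raw.startswith("CEF:"):
        return parse_cef(raw)
    return json.loads(raw)


def normalize(event):
    """Map one parsed event onto a single set of fields for searching."""
    user = next((event[f] for f in USER_FIELDS if event.get(f)), None)
    text = " ".join(str(event.get(k, "")) for k in ("message", "cef.name"))

    category = event.get("event.category")
    if not category and AUTH_RE.search(text):
        category = "authentication"  # inferred from message text, not tagged

    outcome = str(event.get("event.outcome") or event.get("outcome") or "").lower()
    if outcome not in ("success", "failure"):
        if FAIL_RE.search(text):
            outcome = "failure"
        elif SUCCESS_RE.search(text):
            outcome = "success"
        else:
            outcome = "unknown"

    return {
        "user.name": user,
        "event.category": category,
        "event.outcome": outcome,
        "source.ip": event.get("source.ip") or event.get("src"),
    }


def failed_logins(raw_events):
    """Return a Counter of failed authentication attempts per normalized user."""
    counts = Counter()
    for raw in raw_events:
        ev = normalize(parse_event(raw))
        if ev["event.category"] == "authentication" and ev["event.outcome"] == "failure":
            counts[ev["user.name"] or "<no user field>"] += 1
    return counts


if __name__ == "__main__":
    for user, n in failed_logins(SAMPLE_EVENTS).most_common():
        print(user, n)
```

Events that reach the report without any user field are counted under a sentinel rather than dropped, so a parser that emits none of the expected keys shows up as a gap to fix instead of silently disappearing from the report.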