Steve Fisher

Compare variables from 2 different event sources

Discussion created by Steve Fisher on Jul 30, 2015

I'm trying to create a correlation rule that looks for login failures on a Juniper SSL VPN followed by a successful login to Active Directory.


My rule is multi-threading based on the username variable and has 2 circuits: one for failed logins on Juniper SSL VPN which is followed by one for successful logins in AD.


The problem I've got is that the username variable is seen by Juniper as 'DOMAIN\username' whereas in AD it's 'username'. I thought I could set a cache variable in the Juniper statement and then use a LIKE filter in the AD statement but Envision doesn't allow this.


I must be missing something obvious, so any advice is appreciated.
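The underlying detection logic the post describes (normalise the username from both sources to a common key, then alert when one or more Juniper SSL VPN failures are followed by an AD success for the same key within a window) is shown below as an added, stand-alone example. It is not enVision rule syntax and not code from the original post; the event field names (`ts`, `source`, `outcome`, `user`), the source labels and the sample events are all constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real enVision records). Note the username
# formats differ by source: the VPN reports 'DOMAIN\user', AD reports 'user'.
SAMPLE_EVENTS = [
    {"ts": "2015-07-30T09:00:01", "source": "juniper_sslvpn", "outcome": "failure", "user": "CORP\\jsmith"},
    {"ts": "2015-07-30T09:00:07", "source": "juniper_sslvpn", "outcome": "failure", "user": "CORP\\jsmith"},
    {"ts": "2015-07-30T09:02:15", "source": "active_directory", "outcome": "success", "user": "jsmith"},
    {"ts": "2015-07-30T09:05:00", "source": "juniper_sslvpn", "outcome": "failure", "user": "CORP\\alee"},
    {"ts": "2015-07-30T11:30:00", "source": "active_directory", "outcome": "success", "user": "alee"},
    {"ts": "2015-07-30T09:06:00", "source": "active_directory", "outcome": "success", "user": "bkumar@corp.example"},
]


def normalize_user(raw):
    """Reduce 'DOMAIN\\user', 'domain/user', 'user@domain' and plain 'user'
    to one case-insensitive key so events from both sources can be joined."""
    user = raw.strip()
    if "\\" in user:
        user = user.rsplit("\\", 1)[1]
    elif "/" in user:
        user = user.rsplit("/", 1)[1]
    elif "@" in user:
        user = user.split("@", 1)[0]
    return user.lower()


def correlate(events, window_minutes=10, min_failures=1):
    """Return one alert per user whose VPN login failure(s) are followed by an
    AD login success for the same normalised username within the window."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=lambda e: e["ts"])  # out-of-order arrival is common
    failures = defaultdict(list)  # normalised user -> timestamps of VPN failures
    alerts = []
    for e in ordered:
        ts = datetime.fromisoformat(e["ts"])
        key = normalize_user(e["user"])
        if e["source"] == "juniper_sslvpn" and e["outcome"] == "failure":
            failures[key].append(ts)
        elif e["source"] == "active_directory" and e["outcome"] == "success":
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= min_failures:
                alerts.append({"user": key, "vpn_failures": len(recent), "ad_success_at": e["ts"]})
                failures[key] = []  # reset so one burst raises one alert
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

With the constructed events only `jsmith` fires (two VPN failures, then an AD success about two minutes later); `alee` has a failure but the success arrives outside the ten-minute window, and `bkumar` has no preceding failure. The same normalisation key is what a correlation engine needs on both circuits when it cannot apply a LIKE-style match on a cached variable.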
