
Is there a Splunk App or Add-on that will help read and comprehend ADFS 3.0 authentication logs?

We are working on making sense of our ADFS 3.0 authentication logs. We are currently looking into tying the IP address from these 3 "AD FS Auditing" source logs:

1) EventCode 410 has the IP address and Activity_ID.
2) EventCode 500 has the username.
3) EventCode 299 has both the Activity_ID and Instance_ID (which we need to use to correlate the 410 and 500 from different hosts).

We are currently looking at a way to tie all 3 together if we know one of the fields, such as a few bad IPs trying to authenticate as a compromised user.

Is there anyone else out there trying to make sense of ADFS authentication logs and, if so, are there any tools or Splunk Apps that may be of help? We are close on our script, but I would have to think there's a better way or a Splunk Add-on or App.

Thanks
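The correlation described in the question, sketched as an added example (not the poster's script and not part of any Splunk app): event 299 bridges the Activity_ID on event 410 to the Instance_ID used to reach event 500. The field names `ip` and `user`, the presence of Instance_ID on event 500, and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events, already parsed into dicts (not real ADFS output).
# Assumed fields: "ip" on 410, "user" and "Instance_ID" on 500.
EVENTS = [
    {"host": "wap1", "EventCode": 410, "Activity_ID": "a-1", "ip": "203.0.113.7"},
    {"host": "adfs1", "EventCode": 500, "Instance_ID": "i-9", "user": "CORP\\alice"},
    {"host": "adfs1", "EventCode": 299, "Activity_ID": "a-1", "Instance_ID": "i-9"},
    {"host": "wap2", "EventCode": 410, "Activity_ID": "a-2", "ip": "198.51.100.4"},
    {"host": "adfs2", "EventCode": 299, "Activity_ID": "a-2", "Instance_ID": "i-10"},
    {"host": "adfs2", "EventCode": 500, "Instance_ID": "i-10", "user": "CORP\\bob"},
    # 410 with no matching 299/500: must be reported, not silently dropped
    {"host": "wap1", "EventCode": 410, "Activity_ID": "a-3", "ip": "203.0.113.7"},
]

def correlate(events):
    """Join 410 -> 299 -> 500 into one row per Activity_ID, in any event order."""
    ip_by_activity = {}
    instances_by_activity = defaultdict(set)
    users_by_instance = defaultdict(set)
    for e in events:  # pass 1: index each event type by its join key
        code = e.get("EventCode")
        if code == 410:
            ip_by_activity[e["Activity_ID"]] = e["ip"]
        elif code == 299:
            instances_by_activity[e["Activity_ID"]].add(e["Instance_ID"])
        elif code == 500:
            users_by_instance[e["Instance_ID"]].add(e["user"])
    rows = []
    for activity, ip in ip_by_activity.items():  # pass 2: walk the bridge
        users = set()
        for instance in instances_by_activity.get(activity, ()):
            users |= users_by_instance.get(instance, set())
        rows.append({"Activity_ID": activity, "ip": ip,
                     "users": sorted(users), "complete": bool(users)})
    return rows

def users_for_ip(rows, ip):
    """Pivot from a known bad IP to the usernames it attempted."""
    return sorted({u for r in rows if r["ip"] == ip for u in r["users"]})

def ips_for_user(rows, user):
    """Pivot from a suspected compromised user to the source IPs."""
    return sorted({r["ip"] for r in rows if user in r["users"]})

def unmatched(rows):
    """Activity_IDs whose 410 never joined to a 500 (missing host or late data)."""
    return sorted(r["Activity_ID"] for r in rows if not r["complete"])
```

Rows returned by `unmatched` usually mean one of the hosts is not forwarding its "AD FS Auditing" log or the search window cut off the later events.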
