We are seeing hundreds of failed logins for users from the ToolAlias: Cisco ACS and AuthPackage: MSCHAPV2.
Is there a way we can configure LEM to reduce these logs? I've contacted the users and they always tell me the same thing: "The only thing different about my account is that I've reset my password recently." I feel like something is out of sync with these Logs.
How can we configure LEM to cut down on some of the noise we are getting with these logs?
My reasoning behind this is that I highly doubt these users are entering the wrong password hundreds of times a day. I mean, it could be a brute force attack, but the logs don't tell you what IP they are trying to authenticate from. It only shows a Detection IP. These are very difficult to rule out as false positives.
Any help would be much appreciated.
I've attached a picture so you can see what Log it is.