I want to be able to detect when a given IP/UserID fails to authenticate N times within a given time period, T. We currently use a Splunk alert for this with a vendor other than Forgerock, but we are deprecating that vendor in favor of Forgerock, so I need comparable functionality. This doesn’t have anything to do with account locking; it is more of an early warning that someone may be trying to hack their way into our application.
With the Forgerock logs as currently configured, I am unable to find the information needed in a single place. As an FYI, we authenticate via the OpenAM REST endpoint, not the OpenAM login page. Any guidance or help is much appreciated regarding any intrinsic Forgerock functionality to fire such an alert or the possibility of configuring the OpenAM logs so that they could drive a Splunk query.