Hi,
MS ADFS will write inside WinEventLog:security and Splunk_TA_windows is watching that log and enriching with lookup.
Issue here is that AD FS have same ID's like some other.
Example: EventCode=516 should be "The following user account has been locked out due to too many bad password attempts. Additional Data Activity ID: %1 User: %2 Client IP: %3 nBad Password Count: %4 nLast Bad Password Attempt: %5" while Splunk_TA_windows will enrich it to: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
how can I override default Splunk_TA_windows lookup if Provider Name='AD FS Auditing' is AD FS Auditing, so then I can enrich with ADFS table else use default lookup.