Im not sure how to go about this. We currently have the Excessive Failed Logins Correlation Search enabled on our Splunk ES instance. Id like to filter out the accounts with failed authentications that had their passwords recently expire. I tried using map and join to query okta or wineventlog but couldn't figure it out.
Below is the default correlation search query. Any ideas?
| from datamodel:"Authentication"."Failed_Authentication" | stats values(tag) as "tag",dc(user) as "user_count",dc(dest) as "dest_count",count by "app","src","user","host" | where 'count'>=50