The data is MFA attempts in O365. I have an alert that fires whenever someone denies an MFA push. The thing is, sometimes someone has just accidentally tapped "deny", and they use MFA successfully in the next minute or two.
Sample data:
| _time | msg | event_name |
|---|---|---|
| 2021-04-28 16:13:49 | Single | EVENT_CATEGORY_SSO_LOGIN |
| 2021-04-28 16:13:46 | Multi-factor | EVENT_CATEGORY_FACTOR_AUTH_SUCCESS |
| 2021-04-28 16:13:43 | send_factor_verify_push | EVENT_CATEGORY_UNSPECIFIED |
| 2021-04-28 16:13:38 | user.mfa.okta_verify.deny_push | EVENT_CATEGORY_UNSPECIFIED |
| 2021-04-28 16:13:28 | send_factor_verify_push | EVENT_CATEGORY_UNSPECIFIED |
| 2021-04-28 16:13:26 | Log | EVENT_CATEGORY_LOGIN |
| 2021-04-28 16:13:26 | policy.evaluate_sign_on | EVENT_CATEGORY_UNSPECIFIED |
| 2021-04-28 16:13:26 | message_sent.new_device_notification | EVENT_CATEGORY_UNSPECIFIED |
What I want is to filter on messages that contain "deny_push", but that are not followed up with a successful authentication within 5 minutes after the deny_push event.
How on earth do I do that?
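The suppression logic the question asks for, written out as an added Python example (not from the post or any Splunk answer) so the rule is unambiguous before it is translated into a search: a deny_push only alerts if the same user has no EVENT_CATEGORY_FACTOR_AUTH_SUCCESS in the following five minutes. The `user` column is an assumption, since the sample table has none, and the rows are constructed from the post's table plus one extra unresolved deny.

```python
from datetime import datetime, timedelta

# Constructed sample log rows: (_time, user, msg, event_name). The post's table
# has no user column; "user" is an assumed field so denies are matched per account.
SAMPLE_EVENTS = [
    ("2021-04-28 16:13:49", "alice", "Single", "EVENT_CATEGORY_SSO_LOGIN"),
    ("2021-04-28 16:13:46", "alice", "Multi-factor", "EVENT_CATEGORY_FACTOR_AUTH_SUCCESS"),
    ("2021-04-28 16:13:43", "alice", "send_factor_verify_push", "EVENT_CATEGORY_UNSPECIFIED"),
    ("2021-04-28 16:13:38", "alice", "user.mfa.okta_verify.deny_push", "EVENT_CATEGORY_UNSPECIFIED"),
    ("2021-04-28 16:13:28", "alice", "send_factor_verify_push", "EVENT_CATEGORY_UNSPECIFIED"),
    ("2021-04-28 16:13:26", "alice", "Log", "EVENT_CATEGORY_LOGIN"),
    # Constructed second case: bob denies a push and never completes MFA.
    # A success by a different user inside the window must not clear it.
    ("2021-04-28 16:40:00", "bob", "user.mfa.okta_verify.deny_push", "EVENT_CATEGORY_UNSPECIFIED"),
    ("2021-04-28 16:41:00", "alice", "Multi-factor", "EVENT_CATEGORY_FACTOR_AUTH_SUCCESS"),
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"
SUCCESS = "EVENT_CATEGORY_FACTOR_AUTH_SUCCESS"


def unresolved_denies(rows, window_minutes=5):
    """Return (user, _time) for every deny_push that is not followed by a
    factor-auth success from the same user within window_minutes."""
    events = sorted(
        ((datetime.strptime(t, TIME_FMT), user, msg, cat) for t, user, msg, cat in rows),
        key=lambda e: e[0],
    )
    window = timedelta(minutes=window_minutes)
    alerts = []
    for ts, user, msg, cat in events:
        if "deny_push" not in msg:
            continue
        # Look forward in time only: a success recorded before the deny does not count.
        resolved = any(
            u == user and c == SUCCESS and ts < t2 <= ts + window
            for t2, u, _m, c in events
        )
        if not resolved:
            alerts.append((user, ts.strftime(TIME_FMT)))
    return alerts


if __name__ == "__main__":
    for user, when in unresolved_denies(SAMPLE_EVENTS):
        print(f"ALERT: {user} denied an MFA push at {when} with no MFA success within 5 min")
```

In Splunk the same per-user forward-looking window is what a `transaction` or `streamstats` search over `user` has to express; the Python version is just the oracle to check that search against.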