The data is MFA attempts in O365. I have an alert that fires whenever someone denies an MFA push. The thing is, sometimes someone has just accidentally tapped "deny", and they use MFA successfully in the next minute or two.

Sample data:

_time                msg                                   event_name
2021-04-28 16:13:49  Single                                EVENT_CATEGORY_SSO_LOGIN
2021-04-28 16:13:46  Multi-factor                          EVENT_CATEGORY_FACTOR_AUTH_SUCCESS
2021-04-28 16:13:43  send_factor_verify_push               EVENT_CATEGORY_UNSPECIFIED
2021-04-28 16:13:38  user.mfa.okta_verify.deny_push        EVENT_CATEGORY_UNSPECIFIED
2021-04-28 16:13:28  send_factor_verify_push               EVENT_CATEGORY_UNSPECIFIED
2021-04-28 16:13:26  Log                                   EVENT_CATEGORY_LOGIN
2021-04-28 16:13:26  policy.evaluate_sign_on               EVENT_CATEGORY_UNSPECIFIED
2021-04-28 16:13:26  message_sent.new_device_notification  EVENT_CATEGORY_UNSPECIFIED

What I want is to filter on messages that contain "deny_push", but that are not followed up with a successful authentication within 5 minutes after the deny_push event. How on earth do I do that?
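The correlation the question asks for, as an added example that is not part of the original post and not Splunk SPL: each deny_push event is kept only if the same user has no EVENT_CATEGORY_FACTOR_AUTH_SUCCESS within the following 5 minutes. The sample events are constructed from the post's log plus a second user, and the `user` column is an assumption the post's sample does not show.

```python
from datetime import datetime, timedelta

# Constructed sample modelled on the post's log (newest first there, any order here).
# The "user" column is assumed; the post's sample omits it.
RAW_EVENTS = """\
2021-04-28 16:13:49|alice|Single|EVENT_CATEGORY_SSO_LOGIN
2021-04-28 16:13:46|alice|Multi-factor|EVENT_CATEGORY_FACTOR_AUTH_SUCCESS
2021-04-28 16:13:43|alice|send_factor_verify_push|EVENT_CATEGORY_UNSPECIFIED
2021-04-28 16:13:38|alice|user.mfa.okta_verify.deny_push|EVENT_CATEGORY_UNSPECIFIED
2021-04-28 16:13:28|alice|send_factor_verify_push|EVENT_CATEGORY_UNSPECIFIED
2021-04-28 16:13:26|alice|Log|EVENT_CATEGORY_LOGIN
2021-04-28 16:20:11|bob|user.mfa.okta_verify.deny_push|EVENT_CATEGORY_UNSPECIFIED
2021-04-28 16:27:30|bob|Multi-factor|EVENT_CATEGORY_FACTOR_AUTH_SUCCESS
"""

WINDOW = timedelta(minutes=5)
SUCCESS = "EVENT_CATEGORY_FACTOR_AUTH_SUCCESS"

def parse_events(raw):
    """Parse the pipe-separated sample into dicts, oldest event first."""
    events = []
    for line in raw.strip().splitlines():
        ts, user, msg, name = line.split("|")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "user": user, "msg": msg, "event_name": name})
    return sorted(events, key=lambda e: e["time"])

def unresolved_denies(events, window=WINDOW):
    """Return deny_push events not followed by an MFA success for the
    same user within `window`. Successes at or before the deny are ignored."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for i, ev in enumerate(events):
        if "deny_push" not in ev["msg"]:
            continue
        deadline = ev["time"] + window
        resolved = any(
            later["user"] == ev["user"]
            and later["event_name"] == SUCCESS
            and ev["time"] < later["time"] <= deadline
            for later in events[i + 1:]
        )
        if not resolved:
            alerts.append(ev)
    return alerts

if __name__ == "__main__":
    for a in unresolved_denies(parse_events(RAW_EVENTS)):
        print(f"{a['time']} {a['user']}: denied push, no MFA success within 5 minutes")
```

With the constructed data only bob's deny is reported, because his success arrives 7 minutes later; alice's deny is suppressed by her success 8 seconds afterwards.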