I want to be able to automate some of our security team's morning audit points and receive more real-time results. We review each morning the System log auth-fail and auth-success events by querying multiple PA FWs and then importing into a DB, where we analyze them for the number of failed attempts on ALLOWED Active Directory account names. We also look for a number of failed attempts and then a success from the same IP address, thus indicating a very real break-in, especially if the IP is known to have tried several other usernames.
My question is: is there a way to combine Active Directory group members and the auth-fail and auth-success events together from the Palo Alto App, or is this going to have to be a custom application we would need to write?
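As an added example (not part of the question above, the Palo Alto App, or Splunk), the two checks the post describes can be written as a small Python script over the exported events: count auth-fail events against account names that are members of the allowed AD group, and for each source IP flag an auth-success that follows a run of auth-fails, reporting how many failures preceded it and which usernames were tried, including names that do not exist in AD. The log format (`timestamp,event,user,src_ip`), the `ALLOWED_AD_ACCOUNTS` set, and all sample lines are constructed assumptions; real PAN-OS system-log exports carry more fields, and `parse_event()` is the only place that would need to change.

```python
"""Defender-side triage of PAN-OS style auth-fail / auth-success events.

Added example; not code from the Palo Alto App or Splunk. The log layout and
the AD group membership below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed: members of the Active Directory group whose accounts are
# allowed to authenticate (in practice this comes from an LDAP/AD lookup).
ALLOWED_AD_ACCOUNTS = {"alice", "bob", "carol"}

# Constructed sample events in a simplified "timestamp,event,user,src_ip" form.
SAMPLE_EVENTS = """\
2024-05-01T06:01:10,auth-fail,alice,203.0.113.10
2024-05-01T06:01:15,auth-fail,alice,203.0.113.10
2024-05-01T06:01:20,auth-fail,administrator,203.0.113.10
2024-05-01T06:01:25,auth-fail,bob,203.0.113.10
2024-05-01T06:01:40,auth-success,bob,203.0.113.10
2024-05-01T06:02:00,auth-fail,carol,198.51.100.7
2024-05-01T06:02:30,auth-success,carol,198.51.100.7
2024-05-01T07:00:00,auth-success,alice,192.0.2.5
"""


def parse_event(line):
    """Parse one constructed log line into a dict; adapt this for the real export format."""
    ts, event, user, src_ip = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "user": user.lower(), "src_ip": src_ip}


def parse_events(text):
    """Parse all lines and return them in chronological order (needed for fail-then-success)."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def failures_per_allowed_account(events):
    """Count auth-fail events per account, restricted to names in the allowed AD group."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "auth-fail" and e["user"] in ALLOWED_AD_ACCOUNTS:
            counts[e["user"]] += 1
    return dict(counts)


def fail_then_success_by_ip(events, min_failures=1):
    """Per source IP, flag an auth-success preceded by at least min_failures auth-fails.

    Each finding records the failure count, every username tried from that IP
    before the success, and which of those names are not in the allowed AD group.
    """
    state = defaultdict(lambda: {"fails": 0, "users": set()})
    findings = []
    for e in events:
        s = state[e["src_ip"]]
        if e["event"] == "auth-fail":
            s["fails"] += 1
            s["users"].add(e["user"])
        elif e["event"] == "auth-success":
            if s["fails"] >= min_failures:
                findings.append({
                    "src_ip": e["src_ip"],
                    "success_user": e["user"],
                    "failures_before_success": s["fails"],
                    "usernames_tried": sorted(s["users"]),
                    "unknown_usernames": sorted(
                        u for u in s["users"] if u not in ALLOWED_AD_ACCOUNTS),
                    "at": e["ts"].isoformat(),
                })
            # Reset after a success so later activity from this IP is judged on its own.
            state[e["src_ip"]] = {"fails": 0, "users": set()}
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("failures per allowed account:", failures_per_allowed_account(evs))
    for f in fail_then_success_by_ip(evs, min_failures=2):
        print("fail-then-success:", f)
```

The `min_failures` threshold is what separates a user who mistyped a password once from a source that cycled through several names before getting in; the `unknown_usernames` field surfaces the "tried several other usernames" signal the post mentions, since names absent from the AD group cannot be legitimate typos by their owners.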