Ingress authentication event sources gather information relating to authentication attempts into a network. "Ingress" describes activity that occurs specifically when a user attempts to authenticate with an organization's network or cloud services from outside the network. These event sources are designed to track both successful and unsuccessful authentication attempts.
Note that user login attempts to online portals or admin areas are NOT considered ingress activity. Only activity coming into a network is considered ingress.
InsightIDR will attempt to attribute ingress activity to a user and/or asset. Attribution depends on InsightIDR being able to find the user identified in the event in your database.
Logs gathered with ingress authentication event sources will appear in the ingress authentication log set. The log set contains logs that track user authentication attempts to corporate systems and cloud services from the public Internet.
Ingress authentication event sources
The Insight Platform can ingest logs from this ingress authentication event source: