====== Auth Syslogs ======
''( auth_method eq Other )'' can mean local DB users. 

===== Critical =====
<code>( subtype eq auth ) and ( severity eq critical )</code>
<code>( eventid eq auth-server-down ) and ( description contains '3 tries to bind back to binddn failed: basedn: DC=DOMAIN,DC=LOCAL ; binddn: administrator@domain.local ; bind_timelimit 30 ; ip: 10.1.1.10 ; uri: ldap://10.1.1.10:389' )</code>

===== High =====
<code>( subtype eq auth ) and ( severity eq high )</code>
<code>( eventid eq saml-message-parse-error ) and ( object eq profile-name ) and ( description contains 'SAML Assertion: InResponseToID "_oikjuyhgtrfdeeddffgfgfgfgffgff33" != OriginalReqID "_ikjujuyhyhyhyhyhyhyhy77667676666"' )</code>
<code>( eventid eq saml-certificate-error ) and ( object eq profile-name ) and ( description contains 'Failure while validating the signature of SAML message received from the IdP "https://accounts.google.com/o/saml2?idpid=ititititf", because the certificate in the SAML Message doesn\'t match the IDP certificate configured on the IdP Server Profile "profile-name". (SP: "Some Description"), (Client IP: 11.22.33.44), (vsys: vsys1), (authd id: 1234567890987655433), (user: user@domain.com)' )</code>
<code>( eventid eq saml-certificate-warning ) and ( object eq profile-name ) and ( description contains 'Request signing certificate \'portal.domain.com\' in SAML authentication profile \'profile-name\' will expire in 13 days' )</code>

===== Medium =====
<code>( subtype eq auth ) and ( severity eq medium )</code>
<code>( eventid eq auth-fail ) and ( description contains 'failed authentication for user \'admin\'.  Reason: Authentication profile not found for the user. From: 192.168.1.1.' )</code>
<code>( eventid eq auth-fail ) and ( description contains 'admin user thru WebUI with username "admin" is invalid due to special characters. From 192.168.1.1' )</code>
<code>( eventid eq auth-fail ) and ( description contains 'failed authentication for user \'admin\'.  Reason: Invalid username/password. From: 192.168.1.1.' )</code>
<code>( eventid eq auth-fail ) and ( description contains 'failed authentication for user \'admin\'.  (Additional Info : Commit in progress)' )</code>
<code>( eventid eq auth-fail ) and ( description contains 'failed authentication for user \'admin\'.  Reason: User is in locked users list. From: 192.168.1.1..' )</code>
<code>( eventid eq auth-fail ) and ( object eq SP-LDAP-NAME ) and ( description contains 'failed authentication for user \'user@domain.com\'.   auth profile \'SP-LDAP-NAME\', vsys \'vsys1\', server profile \'SP_LDAP_SERVER\', server address \'192.168.1.1\', From: 11.22.33.44.' )</code>
<code>( eventid eq auth-fail ) and ( object eq SP-LDAP-NAME ) and ( description contains 'failed authentication for user \'user@domain.com\'.  Reason: User is not in allowlist. auth profile \'SP-LDAP-NAME\', vsys \'vsys1\', From: 192.168.1.1' )</code>
<code>( eventid eq auth-fail ) and ( description contains 'Certificate validation failed for user \'\'. Reason: Invalid username/password. reply message \'You didn\'t provide a user name\'' )</code>
<code>( eventid eq auth-fail ) and ( object eq auth-profile-ra ) and ( description contains 'failed authentication for user \'admin\'.  Reason: Invalid username/password. auth profile \'auth-profile-ra\', vsys \'shared\', server profile \'sp-radius-server\', server address \'192.168.1.1\', auth protocol \'PAP\', From: 192.168.1.1.' )</code>
<code>( eventid eq auth-fail ) and ( object eq auth-profile-ra ) and ( description contains 'failed authentication for user \'admin\'.  Reason: User is in locked users list. auth profile \'auth-profile-ra\', vsys \'shared\', auth protocol \'unknown RADIUS authentication protocol\', From: 192.168.1.1' )</code>
<code>( eventid eq auth-fail ) and ( description contains 'SAML SSO authentication failed for user \'\'.  Reason: SAML web single-sign-on failed. reply message \'Reason: SAML web single-sign-on failed.\'' )</code>
<code>( eventid eq auth-fail )  and ( object eq saml-profile ) and ( description contains 'SAML SSO authentication failed for user \'\'.  Reason: SAML web single-sign-on failed. auth profile \'samle-profile\', vsys \'vsys1\', server profile \'server-profile\', IdP entityID \'https://accounts.google.com/o/saml2?idpid=yyyy22s99\', reply message \'SAML single-sign-on failed\' From: 11.22.33.44.' )</code>
<code>( description contains 'failed authentication for user \'admin\'.  (Additional Info : Commit in progress) From: 11.22.33.44.' )</code>
 
 
===== Low =====
<code>( subtype eq auth ) and ( severity eq low )</code>
<code>( eventid eq saml-out-of-band-message ) and ( object eq server-profile ) and ( description contains 'Client \'\' received out-of-band SAML message:  <?xml version="1.0" encoding="UTF-8" standalone="no"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://portal.domain.com:443/SAML20/SP/ACS" ID="_5656565656565656556hhghghghghghgh" InResponseTo="_b016f9a607c749490a320f9916a28e66" IssueInstant="2020-05-08T09:54:35.068Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=C013kwwcj</saml2:Issuer><ds:Si' )</code>

 
 ===== Informational =====
<code>( subtype eq auth )  and ( severity eq informational )</code>
<code>( eventid eq auth-success ) and ( object eq auth-profile-ra) and ( description contains 'authenticated for user \'admin\'.   auth profile \'auth-profile-ra\', vsys \'shared\', server profile \'sp-radius-radius\', server address \'192.168.1.1\', auth protocol \'PAP\', admin role \'Superuser (read-only)\', From: 192.168.1.1.' )</code>
<code>( eventid eq auth-success ) and ( description contains 'authenticated for user \'admin\'.   From: 192.168.1.1.' )</code>