authelia: set target_user meta and align bf user-enum distinct key

.tests/authelia-bf/scenario.assert

@@ -12,6 +12,7 @@ results[0].Overflow.Alert.Events[0].GetMeta("service") == "authelia"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "5.5.5.6"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00"
 results[0].Overflow.Alert.Events[0].GetMeta("user") == "fakeuser1@example.com"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "fakeuser1@example.com"
 basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("log_format") == "JSON"
@@ -1566,4 +1567,4 @@ results[27].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-14T13:47:5
 results[27].Overflow.Alert.Events[5].GetMeta("user") == "fakeuser6"
 results[27].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf"
 results[27].Overflow.Alert.Remediation == true
-results[27].Overflow.Alert.GetEventsCount() == 6
+results[27].Overflow.Alert.GetEventsCount() == 6

.tests/authelia-logs/parser.assert

@@ -223,6 +223,7 @@ results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Meta["log_type"] == "a
 results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Meta["service"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Meta["source_ip"] == "1.1.1.1"
 results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Meta["user"] == "fakeuser"
+results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Meta["target_user"] == "fakeuser"
 results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Unmarshaled["authelia"]["msg"] == "Error occurred getting details for user with username input 'fakeuser' which usually indicates they do not exist"
 results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor"
@@ -809,6 +810,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] =
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.1.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-03-13T14:01:02+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "fakeuser"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "fakeuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-03-13T14:01:02+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
@@ -1441,4 +1443,4 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Unmarshaled["aut
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Whitelisted == false
-len(results["success"][""]) == 0
+len(results["success"][""]) == 0

parsers/s01-parse/LePresidente/authelia-logs.yaml

@@ -39,6 +39,8 @@ nodes:
 statics:
     - meta: user
       expression: evt.Parsed.user
+    - meta: target_user
+      expression: evt.Parsed.user
     - target: evt.StrTime
       expression: evt.Unmarshaled.authelia.time
     - meta: source_ip

scenarios/LePresidente/authelia-bf.yaml

@@ -24,7 +24,7 @@ name: LePresidente/authelia-bf_user-enum
 description: "Detect authelia user enum bruteforce"
 filter: "evt.Meta.service == 'authelia' && evt.Meta.log_type == 'auth_failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.user
+distinct: evt.Meta.target_user
 leakspeed: 10s
 capacity: 5
 blackhole: 1m