Intrusion Alerts can be configured so that when a specific number of attempts to log in to a user account have failed within a specified amount of time, notifications are sent informing of the suspicious login activity.
If the "Intrusion Alert" alert is enabled, it is triggered when the conditions detailed in the alert parameter "Conditions" are met; it is normally triggered when a user locking event occurs during the authentication process.
Once the alert is triggered, notification of the detected event may be sent to specified users and groups.
The alert can be found by navigating to "Administration | Alerts", then scrolling down to the alert "Intrusion Alert";
The alert can be edited by left clicking on the context menu of the alert and selecting "Edit";
A new window will now open titled "Alert - Edit";
The alert is disabled by default, but can be enabled by ticking the checkbox "Enabled";
When the alert is triggered you have the option to send a message to specified recipients using the "Recipient Users" and "Recipient Groups" parameters.
The "Intrusion Alert" alert is triggered whenever an intrusion is detected, but you might not always want notifications to be sent to your specified users every time this event occurs.
The "Conditions" parameter provides a mechanism by which additional restrictions can be checked before the alert notification is sent.
To edit the conditions that determine when the alert is triggered, click on the pencil icon, which opens a window titled "Condition Builder";
Provided the alert is enabled, the send message option is selected, and one or both delivery channels have been enabled, then when an alert is triggered, message notifications will be sent to the selected users (or groups of users).
The default message sent for this alert is as follows;
Hi, administrator, It is possible that the user account below is being subject to DDoS attack. Domain Name: [[domainName]] Regards,
After the alert is triggered you have the additional option to cause one of the existing tasks to be run.
To add task execution to the alert, first tick the checkbox labelled "Execute Task", then select the task (or tasks) to be executed using the icon;
At the prompts "Time Window:" and "Failure Count:" you supply the parameters that determine how many instances of the required conditions must occur within the specified number of seconds before an alert notification is sent;
In the example above if 5 logon failures occur within 1000 seconds (just over 1/4 hour) then an alert will be sent to the administrator.
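To make the "Failure Count" / "Time Window" threshold concrete, the following added example (not part of the product or this page) runs a per-account sliding-window count over constructed failed-login events, using the same values as above (5 failures within 1000 seconds). The per-account grouping, the event format and the reset after an alert are assumptions of the example, and the "Conditions" checks are not modelled.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample of failed-login events as (ISO timestamp, account).
# These are invented for illustration, not product log output.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "alice"), ("2024-01-01T10:00:00", "bob"),
    ("2024-01-01T10:03:00", "alice"), ("2024-01-01T10:05:00", "bob"),
    ("2024-01-01T10:06:00", "alice"), ("2024-01-01T10:09:00", "alice"),
    ("2024-01-01T10:10:00", "bob"),   ("2024-01-01T10:12:00", "alice"),
    ("2024-01-01T10:15:00", "bob"),   ("2024-01-01T10:20:00", "bob"),
    ("2024-01-01T10:30:00", "carol"), ("2024-01-01T10:31:00", "carol"),
]


def detect_intrusions(events, failure_count=5, time_window_s=1000):
    """Return [(account, timestamp), ...] for each point at which an alert
    would fire: `failure_count` failures for one account inside a window of
    `time_window_s` seconds (the page's "Failure Count" and "Time Window").
    Assumption: failures are counted per account, and the count is reset
    after an alert so one burst produces a single notification."""
    window = timedelta(seconds=time_window_s)
    recent = {}   # account -> deque of failure timestamps still inside the window
    alerts = []
    for ts_str, account in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        q = recent.setdefault(account, deque())
        q.append(ts)
        # Drop failures older than the window so only a sliding window is counted.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= failure_count:
            alerts.append((account, ts_str))
            q.clear()
    return alerts


if __name__ == "__main__":
    # alice: 5 failures in 12 minutes -> alert; bob: 5 failures spread over
    # 20 minutes (> 1000 s) -> no alert; carol: only 2 failures -> no alert.
    for account, when in detect_intrusions(SAMPLE_EVENTS):
        print(f"alert: account {account} reached the failure threshold at {when}")
```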
The message that is sent to the administrator is determined by the text supplied against the prompt "Message:" (see received example message below);