Follow

How To: Create Notification for WebAdmin Failed Login Attempts

Info:

This article describes how to create a notification template and notification rule to inform end users and system administrators when a failed login attempt occurs

Applies To:

This article applies to all versions of Director.  However, all variables/macros used in the example may not function properly unless on Venafi TrustAuthority / Venafi TrustForce v14.1 or higher.

Instructions:

  1. In order to create the HTML version of the notification, you will need to Remote Desktop into the Director Server and Launch the Venafi Windows Administration Console from the Start Menu.

  2. Download the support file for this KB and extract the contents to the desktop of the Director Server.

  3. Open the Venafi Windows Administration Console, if you haven't already, and login as a user that has Create/Write access to the Logging tree.  This is typically a Master Administrator account.

  4. Select the "Logging Tree" from the tree selector.
    2014-02-08_16-21-51.png

  5. Right click on "Channels" and choose Add => Channels => SMTP
    2014-02-08_16-25-09.png

  6. Name the new Channel anything that suites your naming structure.  Here we will call ours "Failed Login".  Click "Create"
    2014-02-08_16-28-24.png


  7. Click on our new SMTP Channel object called "Failed Login" from the Tree view on the left.
    2014-02-08_16-30-01.png

  8. Under the SMTP Channel Settings, Host, Credentials, Sender, and TLS are usually completed automatically via policy.  If not, look at another SMTP Channel for what these values should be.

    Host: this is the FQDN or IP address of your email server
    Credentials: These are the credentials for Director to authenticate to your email server. (May not be required, some enterprises use anonymous whitelisting by IP address.  See your Email Administration Team for details).
    Sender: This is the email address that will appear in the "From:" line of emails generated by this email template.  Some email servers require the Sender Email be the one that is tied to the credentials used to authenticate to the email server.  See Email Administration Team for details.
    TLS: This tells Director whether to use SSL/TLS to authenticate/communicate with the email server.

  9. Use the table below to complete the remaining fields on the SMTP Channel Settings

    Recipient(s): $IdentityEmail[$Event.Text1$]$
    CC:  $AdminEMail$

    (Note: this Macro will return the email address of the local account named "Admin".  If this account does not exist, please enter a comma separated list of email addresses of Venafi Director administrators)
    Subject:   SECURITY ALERT: Failed Login Attempt for account $Event.Text1$
    Log Delivery:  Checked

    (Note: This is recommended to be checked. This will place an event in the logs for every successful and failed delivery this email template attempts)
  10. Click on the "Plaintext Message" tab and paste the following text into the Plaintext Message textbox.

    Note: This plaintext message is also available in the supporting zip file you downloaded in Step 2.

    SECURITY ALERT: Failed Login Attempt to your account: $Event.Text1$

    A failed login attempt has occurred on $DOW$, $MonthName$ $Day$, $Year$ at $Time$. Someone from the IP address $Event.Data$ used the username $Event.Text1$ to attempt to login to server $CN[$Event.Component$]$.

    If you did not attempt to access your account, please contact your Information Technology Security Team immediately.

    Account Email Address: $IdentityEmail[$Event.Text1$]$
    Account Username: $Event.Text1$
    Account Name: $Identity[$Event.Text1$, "Given Name"]$ $Identity[$Event.Text1$, "Surname"]$
    Server Date & Time: $DOW$, $MonthName$ $Day$, $Year$ $Time$
    Web Server: $CN[$Event.Component$]$
    From IP Address: $Event.Data$

    This email is being sent to you by Venafi Encryption Director because your email address is associated with the username used for the failed login. Your system administrator has enabled this security alert.

    Event ID: $Event.ID$

    2014-02-08_16-48-16.png

  11. Click on the "HTML Message" tab and click on the "Show Markup" button.
    2014-02-08_17-08-39.png

  12. Replace the existing HTML code with the code below:

    Note: This HTML code is also available in the supporting zip file you downloaded in Step 2.

    <BODY scroll=auto>
    <TABLE border=0 cellSpacing=0 width="100%">
    <TBODY>
    <TR>
    <TD><!-- table layer 1 -->

    <TABLE align=center>
    <TBODY>
    <TR>
    <TD style="PADDING-BOTTOM: 0px; BACKGROUND-COLOR: #ededed; PADDING-LEFT: 15px; PADDING-RIGHT: 15px; PADDING-TOP: 30px"><!-- table layer 2 -->

    <TABLE style="FONT-FAMILY: Helvetica,Arial,sans-serif; COLOR: #000000; FONT-SIZE: 16px" border=0 cellSpacing=0 cellPadding=0 width=650>
    <TBODY>
    <TR>
    <TD style="PADDING-BOTTOM: 22px; BACKGROUND-COLOR: #C00; PADDING-LEFT: 40px; PADDING-RIGHT: 40px; COLOR: white; FONT-SIZE: 18px; FONT-WEIGHT: bold; PADDING-TOP: 25px;">SECURITY ALERT: Failed Login Attempt to your account: $Event.Text1$</TD>
    </TR>
    <TR>
    <TD style="PADDING-BOTTOM: 50px; BACKGROUND-COLOR: #fff; PADDING-LEFT: 40px; PADDING-RIGHT: 40px; FONT-SIZE: 18px; PADDING-TOP: 30px" bgColor=#fff><P>A failed login attempt has occurred on $DOW$, $MonthName$ $Day$, $Year$ at $Time$. Someone from the IP address $Event.Data$ used the username $Event.Text1$ to attempt to login to server $CN[$Event.Component$]$.</P>
    <P>If you did not attempt to access your account, please contact your Information Technology Security Team <u>immediately</u>.</P>
    <table border="0" cellspacing="0" cellpadding="7">
    <tr>
    <td><strong>Account Email Address:</strong></td>
    <td>$IdentityEmail[$Event.Text1$]$</td>
    </tr>
    <tr>
    <td><strong>Account Username:</strong></td>
    <td>$Event.Text1$</td>
    </tr>
    <tr>
    <td><strong>Account Name:</strong></td>
    <td>$Identity[$Event.Text1$, &quot;Given Name&quot;]$ $Identity[$Event.Text1$, &quot;Surname&quot;]$</td>
    </tr>
    <tr>
    <td><strong>Server Date &amp; Time:</strong></td>
    <td>$DOW$, $MonthName$ $Day$, $Year$ $Time$</td>
    </tr>
    <tr>
    <td><strong>Web Server:</strong></td>
    <td>$CN[$Event.Component$]$</td>
    </tr>
    <tr>
    <td><strong>From IP Address:</strong></td>
    <td>$Event.Data$</td>
    </tr>
    </table></TD>
    <TR>
    <TD style="PADDING-BOTTOM: 40px; PADDING-LEFT: 40px; PADDING-RIGHT: 40px; COLOR: #999; FONT-SIZE: 11px; PADDING-TOP: 25px" bgColor=#ededed><p>This email is being sent to you by Venafi Encryption Director because your email address is associated with the username used for the failed login. Your system administrator has enabled this security alert.</p>
    <p>Event ID: $Event.ID$</p></TD>
    </TR>
    </TBODY>
    </TABLE>
    <!-- /table layer 2 --></TD>
    </TR>
    </TBODY>
    </TABLE>
    <!-- /table layer 1 --></TD>
    </TR>
    </TBODY>
    </TABLE>
    </BODY>

    2014-02-08_17-11-24.png

  13. Click on the "Apply" button to save all of your changes
    2014-02-08_17-13-51.png

  14. Your notification template is now done.  Now is time to create the Notification Rule to trigger it.

  15. Right click on "Notification Rules" and choose Add => Rules => Notification
    2014-02-08_17-23-46.png

  16. Name the new Notification Rule anything that suites your naming structure.  Here we will call ours "Failed Login".  Click "Create"

    2014-04-22_16-21-04.png

  17. Click on our new Notification Rule object called "Failed Login" from the Tree view on the left.
    2014-02-08_17-29-05.png


  18. Use the Table below to complete the Rules section of the notification rule:

    If Event ID matches Admin UI - Login Failure
    vedadmin_rule.png


  19. Under Target Channels click the "Add" button and select the SMTP Channel we created in Step 6.

    2014-02-08_17-37-46.png

  20. Click the "Apply" button to save the changes that have been made to the Notification Rule.


The notification template and rule are now configured.  You can test it by attempting to login with a valid username, but wrong password.

Sample Notification

2014-02-08_15-57-49.png

Note: If an invalid username is used in a failed login, then only the System Administrators on the CC: line of the template will receive an email.

Was this article helpful?
1 out of 1 found this helpful

Comments