Generating "Failed Authentications" Alerts

One of the powerful options available within the Hypersocket Trigger system is the ability to generate an Alert based on an Event and a set of conditions and thresholds.

For example, suppose you want to limit the number of failed authentications, suspend the user account when that limit is reached, and be notified when this happens.

Step 1. Create Trigger

First of all, go to the Triggers menu under Business Rules and create your Trigger.

The Create Trigger dialog will be shown. Give it a name, for example "Too Many Authentications", and select the Authentication Event.

This generates some new fields in the dialog. Set the Triggers On option to Failure and, finally, in the Triggers Task field select the Generate Alert task.

Step 2. Configure the Task

Selecting the task shows a new panel below the task selection field, which allows you to configure the task-specific properties.

For this alert we do not need to enter any Conditions, so let's move on to the Thresholds.

Here we have set the Alert Threshold to 10, which means the Alert will fire after 10 failed attempts. We have set the Threshold Timeout to 10 minutes so that the Alert only fires if 10 failed attempts are received within a 10 minute window.

We have left the Reset Delay at its default of 60 seconds. This setting ensures that the Alert is not generated again until this period has elapsed, so that if a large number of events trigger the task only one alert is generated.

Now switch to the Key tab. Here we want to set the Alert Key to Current User. This setting ensures that each failed authentication is recorded against the current user's name. We could optionally add the IP Address too; this would only generate an alert if the failed logins came from the same IP address.

Finally, switch to the Warning tab. Here we add some Warning Text that will be attached to the Alert event. This is useful if you are using the Auditing extension, as the text will appear in the Auditing table.

Now click Create to complete your Trigger.

Your Alert is now complete. If you click on the trigger row you will see a flow diagram for this trigger; this allows you to chain further tasks to the trigger in the next steps.

We can try this out now by logging out and attempting to authenticate as a genuine user with a bad password; try this 10 times in quick succession. Then log back in as admin.

If you're running the Audit Log extension you will see that a Warning event has been captured with our custom Too Many Authentications event and custom text.

Step 3. Suspending the User account

Now that we have a custom event we can add a new Trigger to capture the event and perform more Tasks.

Go to Triggers and create a new Trigger. Give the Trigger a name such as "Suspend User Temporarily" and select the Too Many Authentications event and the Warning status.

Now select the Suspend User Task. Again, this task needs no conditions, so jump straight to the Suspend User tab.

Use the replacements icon to select the ${principalName} replacement value. This uses the username of the User that generated the Alert. Here we have set the duration to 10 minutes, meaning the user is suspended and cannot log in for that duration, regardless of whether any further authentication attempts succeed.

Click on Create to finish this Task. Click on the new row to see the trigger flow.
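To make the behaviour of the two chained triggers concrete, here is a small model of them in Python. This is an added example and not Hypersocket's own code: the class names, the warning text, the sample user "alice" and the IP addresses are all constructed for the illustration. It implements the Generate Alert task as a per-key sliding window (threshold 10, timeout 10 minutes, reset delay 60 seconds, key on Current User with IP Address optional) and the chained Suspend User task as a 10 minute suspension that is checked before the password, so a correct password is rejected while the suspension lasts.

```python
"""Model of the trigger chain: failed authentications are counted per alert
key inside a sliding window, an alert fires at the threshold (subject to the
reset delay), and a chained trigger suspends the user for a fixed duration.
Example code written for this article, not Hypersocket's implementation."""
from collections import defaultdict, deque

# Values taken from the walk-through above.
ALERT_THRESHOLD = 10          # failed attempts that fire the alert
THRESHOLD_TIMEOUT = 10 * 60   # seconds: attempts must fall within this window
RESET_DELAY = 60              # seconds: suppress repeat alerts for the same key
SUSPEND_DURATION = 10 * 60    # seconds the user stays suspended
WARNING_TEXT = "Too many failed authentications"   # constructed warning text


class AlertTrigger:
    """Generate Alert task: threshold, timeout, reset delay and alert key."""

    def __init__(self, key_on_ip=False):
        self.key_on_ip = key_on_ip          # True = key on Current User + IP Address
        self.attempts = defaultdict(deque)  # key -> timestamps of recent failures
        self.last_alert = {}                # key -> time the last alert fired

    def alert_key(self, user, ip):
        return (user, ip) if self.key_on_ip else (user,)

    def on_failure(self, user, ip, now):
        """Record one failed authentication; return an alert event or None."""
        key = self.alert_key(user, ip)
        window = self.attempts[key]
        window.append(now)
        # Discard attempts that fell outside the threshold timeout window.
        while now - window[0] > THRESHOLD_TIMEOUT:
            window.popleft()
        if len(window) < ALERT_THRESHOLD:
            return None
        last = self.last_alert.get(key)
        if last is not None and now - last < RESET_DELAY:
            return None  # still inside the reset delay: no duplicate alert
        self.last_alert[key] = now
        return {"event": "Too Many Authentications", "status": "WARNING",
                "principalName": user, "ip": ip, "text": WARNING_TEXT}


class SuspendUserTrigger:
    """Suspend User task chained to the Warning status of the alert event."""

    def __init__(self):
        self.suspended_until = {}   # principalName -> time suspension ends

    def on_alert(self, alert, now):
        self.suspended_until[alert["principalName"]] = now + SUSPEND_DURATION

    def is_suspended(self, user, now):
        until = self.suspended_until.get(user)
        return until is not None and now < until


class AuthService:
    """Toy authentication service wired to the two triggers."""

    def __init__(self, passwords, alert_trigger, suspend_trigger):
        self.passwords = passwords          # constructed user -> password table
        self.alert_trigger = alert_trigger
        self.suspend_trigger = suspend_trigger
        self.alerts = []                    # what the audit log would record

    def authenticate(self, user, password, ip, now):
        # The suspension is checked first, so the password no longer matters.
        if self.suspend_trigger.is_suspended(user, now):
            return "suspended"
        if self.passwords.get(user) == password:
            return "success"
        alert = self.alert_trigger.on_failure(user, ip, now)
        if alert is not None:
            self.alerts.append(alert)
            self.suspend_trigger.on_alert(alert, now)
        return "failure"


def run_scenario():
    """Constructed scenario: a wrong password 10 times in quick succession,
    then the correct password during and after the suspension."""
    svc = AuthService({"alice": "s3cret"}, AlertTrigger(), SuspendUserTrigger())
    results = [svc.authenticate("alice", "wrong", "10.0.0.5", t) for t in range(10)]
    results.append(svc.authenticate("alice", "s3cret", "10.0.0.5", 11))
    results.append(svc.authenticate("alice", "s3cret", "10.0.0.5", 9 + SUSPEND_DURATION + 1))
    return results, svc.alerts


if __name__ == "__main__":
    outcomes, alerts = run_scenario()
    print(outcomes)
    print(alerts)
```

The scenario returns ten failures, then "suspended" for the correct password one second later, and "success" once the 10 minute suspension has expired; exactly one alert is recorded for the burst because of the reset delay. Constructing the trigger with key_on_ip=True reproduces the optional IP Address key, under which failures from different addresses are counted separately.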

You can now optionally add further Task(s) to notify the admin and/or the user account concerned.

To do this, click on the icon within the Suspend User Temporarily module in the trigger flow. This opens the new Trigger dialog, which you can use to chain a new trigger onto the end of the existing trigger.

Select the Send Email Task. In the message you can again use the replacements icon to add the ${suspendUser.name} replacement so that the correct username is reported.

Then, on the Delivery tab, add a hard-coded email address for the System Administrator and optionally add the ${currentUser.email} replacement so that the same email is also sent to the end user.

After creating the trigger and returning to the Triggers table, selecting the row will show the new Notify Suspension trigger chained to the Suspend User Temporarily trigger.

NOTE: You can move the modules around to make the diagram easier to read. The system saves the positions so that the same layout is retained the next time you examine the flow.

The color codes of each module in the trigger indicate the success status that triggers the task.

Summary

In this article we have shown how to use the Generate Alert task to create a custom event, and then capture that event in a separate trigger to suspend a user account that has failed too many authentications. Finally we emailed the administrator and the user to inform them of the suspension.
