a week ago
Is it possible in any way to count failed authentications for a device and after a specified number of events within a given timeframe apply different roles and Enforcement profiles?
Jonas Hammarbäck | Aranya AB
Network Architect, ACMA, ACMP, ACCP
Solved! Go to Solution.
Re: Apply different Enforcement profile after several failed authentications?
a week ago
Hello, you could use Insight for doing this, enable insight on that server, and add insight as a Authorization source, create a custom sql source to look for failed authentications for the last 1 hour, for so and so count, to map a different enforcement profile for that device or user.
you could do something like this, in the below query, i am looking for a user name, which failed authentications for 5 times in last one hour, you could adjust the query accordingly for your convenience:
select auth_username as username from auth where auth_status = 'Failed' AND timestamp > now() - interval '1 hour' GROUP BY auth_username HAVING COUNT(*) > 5;