Apply different Enforcement profile after several failed authentications?

Hi

Is it possible in any way to count failed authentications for a device and after a specified number of events within a given timeframe apply different roles and Enforcement profiles?

Best Regards
Jonas Hammarbäck | Aranya AB
Network Architect, ACMA, ACMP, ACCP

Re: Apply different Enforcement profile after several failed authentications?

Hello, you could use Insight to do this. Enable Insight on that server, add Insight as an authorization source, and create a custom SQL source that looks for failed authentications over the last 1 hour, for so-and-so count, to map a different enforcement profile for that device or user.

--
-If you got what you need with my answer please give kudos and mark it as solution.

Re: Apply different Enforcement profile after several failed authentications?

Thank you for the information.

Do you have an example of the syntax of the query?

Best Regards
Jonas Hammarbäck | Aranya AB
Network Architect, ACMA, ACMP, ACCP

Re: Apply different Enforcement profile after several failed authentications?

Hello Jonas,

You could do something like this. In the query below, I am looking for a user name that failed authentication 5 times in the last hour; you could adjust the query accordingly for your convenience:

select auth_username as username from auth where auth_status = 'Failed' AND timestamp > now() - interval '1 hour' GROUP BY auth_username HAVING COUNT(*) > 5;

--
-If you got what you need with my answer please give kudos and mark it as solution.
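
A runnable check of how the query above behaves at its boundaries, added here as an example and not part of the original posts. It runs the same GROUP BY/HAVING shape over constructed rows in an in-memory SQLite database (not the ClearPass Insight database), so `now()` becomes a `:now` parameter; the `'Success'` status value and the user names are assumptions.

```python
import sqlite3

# Same shape as the query in the post, adapted to SQLite: the reference time
# is passed in as :now instead of now(), and the threshold as :limit.
QUERY = """
SELECT auth_username AS username
FROM auth
WHERE auth_status = 'Failed'
  AND timestamp > datetime(:now, '-1 hour')
GROUP BY auth_username
HAVING COUNT(*) > :limit
ORDER BY auth_username
"""

def build_sample_db():
    """Constructed sample data, not real ClearPass Insight records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth (auth_username TEXT, auth_status TEXT, timestamp TEXT)")
    rows = []
    # alice: 6 failures inside the window -> exceeds "> 5"
    rows += [("alice", "Failed", f"2024-01-01 11:{m:02d}:00") for m in range(10, 16)]
    # bob: exactly 5 failures inside the window -> NOT returned by "> 5"
    rows += [("bob", "Failed", f"2024-01-01 11:{m:02d}:00") for m in range(20, 25)]
    # carol: 6 failures in total, but 3 of them are older than one hour
    rows += [("carol", "Failed", f"2024-01-01 10:{m:02d}:00") for m in range(0, 3)]
    rows += [("carol", "Failed", f"2024-01-01 11:{m:02d}:00") for m in range(30, 33)]
    # dave: only successful logins ('Success' is an assumed status value)
    rows += [("dave", "Success", f"2024-01-01 11:{m:02d}:00") for m in range(40, 50)]
    db.executemany("INSERT INTO auth VALUES (?, ?, ?)", rows)
    return db

def users_over_limit(db, now, limit=5):
    """Return usernames with more than `limit` failures in the hour before `now`."""
    cur = db.execute(QUERY, {"now": now, "limit": limit})
    return [row[0] for row in cur.fetchall()]

if __name__ == "__main__":
    db = build_sample_db()
    print(users_over_limit(db, "2024-01-01 12:00:00"))           # threshold as posted
    print(users_over_limit(db, "2024-01-01 12:00:00", limit=4))  # trips at 5 failures
    print(users_over_limit(db, "2024-01-01 12:12:30"))           # window has moved on
```

With `COUNT(*) > 5` a user is only returned on the sixth failure inside the window, and drops out again once enough failures age past one hour.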
