Frequent Contributor I

Apply different Enforcement profile after several failed authentications?

Hi

Is it possible in any way to count failed authentications for a device and after a specified number of events within a given timeframe apply different roles and Enforcement profiles?

Best Regards
Jonas Hammarbäck | Aranya AB
Network Architect, ACMA, ACMP, ACCP
Frequent Contributor II

Re: Apply different Enforcement profile after several failed authentications?

Hello, you could use Insight for this: enable Insight on that server, add Insight as an Authorization source, and create a custom SQL source that looks for failed authentications in the last 1 hour, for so and so count, to map a different enforcement profile for that device or user.

--
-If you got what you need with my answer please give kudos and mark it as solution.
Frequent Contributor I

Re: Apply different Enforcement profile after several failed authentications?

Thank you for the information.

Do you have an example of the syntax of the query?

Best Regards
Jonas Hammarbäck | Aranya AB
Network Architect, ACMA, ACMP, ACCP
Frequent Contributor II

Re: Apply different Enforcement profile after several failed authentications?

Hello Jonas,

You could do something like this. In the query below, I am looking for a user name that failed authentication 5 times in the last one hour; you could adjust the query accordingly for your convenience:

select auth_username as username from auth where auth_status = 'Failed' AND timestamp > now() - interval '1 hour' GROUP BY auth_username HAVING COUNT(*) > 5;

--
-If you got what you need with my answer please give kudos and mark it as solution.
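
Added example, not part of the thread and not ClearPass code: the filter, grouping and threshold of the query above, run against constructed rows to show which users it returns at the boundaries (exactly 5 failures, failures older than the window, successes mixed in). Assumptions: an in-memory SQLite table stands in for the Insight database and has only the three columns the posted query names, and the cutoff is passed as a parameter because SQLite has no now() - interval '1 hour'.

```python
import sqlite3
from datetime import datetime, timedelta

# Same WHERE / GROUP BY / HAVING as the posted query. The failure count is
# also selected so the result shows why each user matched.
QUERY = """
SELECT auth_username AS username, COUNT(*) AS failures
FROM auth
WHERE auth_status = 'Failed' AND timestamp > :cutoff
GROUP BY auth_username
HAVING COUNT(*) > :threshold
ORDER BY auth_username
"""

def build_sample_db(now):
    """Constructed sample rows; usernames and timings are made up."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth (auth_username TEXT, auth_status TEXT, timestamp TEXT)")

    def ts(minutes_ago):
        # Fixed-width 'YYYY-MM-DD HH:MM:SS' strings compare correctly as text.
        return (now - timedelta(minutes=minutes_ago)).isoformat(sep=" ")

    rows = []
    rows += [("alice", "Failed", ts(m)) for m in (2, 5, 9, 14, 20, 31)]   # 6 in the last hour
    rows += [("bob", "Failed", ts(m)) for m in (1, 3, 7, 12, 40)]         # exactly 5
    rows += [("carol", "Failed", ts(m)) for m in (10, 20, 30, 70, 80, 90, 100)]  # 3 recent, 4 old
    rows += [("dave", "Failed", ts(m)) for m in (4, 8, 15, 16)]           # 4 failures...
    rows += [("dave", "Success", ts(m)) for m in (5, 6, 7)]               # ...plus 3 successes
    db.executemany("INSERT INTO auth VALUES (?, ?, ?)", rows)
    return db

def users_over_threshold(db, now, window=timedelta(hours=1), threshold=5):
    """Return (username, failures) for users with more than `threshold` failures in `window`."""
    cutoff = (now - window).isoformat(sep=" ")
    return db.execute(QUERY, {"cutoff": cutoff, "threshold": threshold}).fetchall()

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, 0)  # constructed reference time
    db = build_sample_db(now)
    for username, failures in users_over_threshold(db, now):
        print(username, failures)
```

With COUNT(*) > 5 a user needs a sixth failure inside the window before being returned, so bob (exactly 5) and carol (7 failures, only 3 of them recent) are not matched.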