Take a Product Tour
Explore the user interface, features, and capabilities of Logmanager
Quick Start Guide
Deploy Logmanager in your virtual environment
Join our Team
Explore open job opportunities and become part of a team building meaningful technology.
This contextual alert provides notifications about the attacker’s IP address and geolocation when a possible brute force attack is detected.
A contextual alert template is available for download below.
A firewall brute force attack is a systematic attempt to gain unauthorized access to a network by repeatedly and automatically trying a large number of login credentials until the correct combination is found (for example, for VPN or SSH access).
The usefulness of sending an alert with the geolocation of the attack source, for example, after 10 failed attempts from a single source IP address, lies in the rapid detection of incidents and threat identification.
Knowing the geographic origin of the attack (e.g., outside predefined trusted countries) allows the security team to immediately assess the risk and, if necessary, automatically block either the specific IP address or the entire geographic region. This minimizes the attacker’s opportunity window and improves the overall incident response capability.
After a defined number of invalid login attempts on the firewall from a single IP address, the alert sends a notification containing the source IP address of the potential attack and the country from which the attack originates.
In the Alerts & Actions menu, under the Correlations tab, create a new correlation window with the desired duration (for example, 60s). Name the window something like Firewall.
Firewall
Save the window by clicking the Save button.
In the Email message templates section, create a new template and insert the following details:
Name:
too many login failed from one IP
Subject:
LM Alert – {{name}} / {{ msg.failed_remote_ip }}Body:
{% extends "base.html" %} {% block title %}Alert{% endblock %} {% block content %} <h4>VPN alert - neplatné přihlášení z jedné IP adresy. Uživatel <font color="red"><b>{{ msg.username }}</b></font> překročil limit.</h4> <p>Reason: <b>{{ msg.logdesc }}</b></p> <p>Reason: <b>{{ msg.msg }}</b></p> <p>Reason: <b>{{ msg.reason }}</b></p> <p>Remote IP & Country: <b>{{ msg.failed_remote_ip }}</b></p> <h3>Uživatel: <font color="red"><b>{{ msg.username }}</b></font></h3> <hr> <h1>Alert message</h1> Alert name: {{ name }}<br> Alert description: {{ description }}<br> <h2>Message meta information</h2> <table style="border: 1px solid rgb(0, 102, 153); border-collapse: collapse;"> <tr> <td style="border: 1px solid rgb(0, 102, 153);font-weight: bold;">Name</td> <td style="border: 1px solid rgb(0, 102, 153);font-weight: bold;">Value</td> </tr> {% for key in meta|sort %} {% if key == "src" %} {% for src in meta.src|sort %} <tr> <td style="border: 1px solid rgb(0, 102, 153);" align="left">{{ key }}.{{ src }}</td> <td style="border: 1px solid rgb(0, 102, 153);" align="left">{{ meta.src[src] }}</td> </tr> {% endfor %} {% else %} <tr> <td style="border: 1px solid rgb(0, 102, 153);" align="left">{{ key|e }}</td> <td style="border: 1px solid rgb(0, 102, 153);" align="left">{{ meta[key]|e }}</td> </tr> {% endif %} {% endfor %} </table> <h2>Message data</h2> <table style="border: 1px solid rgb(0, 102, 153); border-collapse: collapse;"> <tr> <td style="border: 1px solid rgb(0, 102, 153);font-weight: bold;">Name</td> <td style="border: 1px solid rgb(0, 102, 153);font-weight: bold;">Value</td> </tr> {% for key in msg|sort %} <tr> <td style="border: 1px solid rgb(0, 102, 153);" align="left">{{ key|e }}</td> <td style="border: 1px solid rgb(0, 102, 153);" align="left">{{ msg[key]|e }}</td> </tr> {% endfor %} </table> {% if dropped > 0 %} <div style="color: #E81E1E">Dropped similar messages: {{ dropped }}</div> {% endif %} {% endblock %}
Save the template by clicking Save.
Under the Rules tab, create a new alert and paste the alert code into the XML window.
Then switch to the Blocks window.
Assign the alert a name, for example:too many login failed from one IP
Enter the recipient email address for the alert and switch the alert status to Enabled.
In the Blockly code of the alert, configure the required threshold for failed login attempts after which the alert should be triggered.
In this example, the value is set to 10.
10
In the Context block, select the previously created correlation window.
At the end of the alert configuration, in the send alert block, select the previously created email template.
You are now fully prepared to send alerts containing both the attacker’s IP address and geolocation.
Parser for Cohesity
Download the ready-made parser for Cohesity.
How to Monitor and Maintain Logmanager Health
Learn how to maintain peak Logmanager performance.
Global Filter for Different Groups of Windows Sources
Configure all your Windows Agents with a single action.
Parser for Wallix PAM (Bastion)
Download the ready-made parser for Wallix PAM (Bastion).