This contextual alert provides notifications about the attacker’s IP address and geolocation when a possible brute force attack is detected.

A contextual alert template is available for download below.

What Is a Firewall Brute Force Attack?

A firewall brute force attack is a systematic attempt to gain unauthorized access to a network by repeatedly and automatically trying a large number of login credentials until the correct combination is found (for example, for VPN or SSH access).

Why Use This Alert?

The usefulness of sending an alert with the geolocation of the attack source, for example, after 10 failed attempts from a single source IP address, lies in the rapid detection of incidents and threat identification.

Knowing the geographic origin of the attack (e.g., outside predefined trusted countries) allows the security team to immediately assess the risk and, if necessary, automatically block either the specific IP address or the entire geographic region. This minimizes the attacker’s opportunity window and improves the overall incident response capability.

Configure a Context-Aware Firewall Alert in Logmanager

After a defined number of invalid login attempts on the firewall from a single IP address, the alert sends a notification containing the source IP address of the potential attack and the country from which the attack originates.

Step 1: Create a Correlation Window

In the Alerts & Actions menu, under the Correlations tab, create a new correlation window with the desired duration (for example, 60s). Name the window something like Firewall.

Creating new correlation window in Logmanager

Save the window by clicking the Save button.

Step 2: Create an Email Alert Template

In the Email message templates section, create a new template and insert the following details:

Name:

too many login failed from one IP

Subject:

LM Alert – {{name}} / {{ msg.failed_remote_ip }}

Body:

{% extends "base.html" %}

{% block title %}Alert{% endblock %}

{% block content %}
<h4>VPN alert - neplatné přihlášení z jedné IP adresy. Uživatel <font color="red"><b>{{ msg.username }}</b></font> překročil limit.</h4>

<p>Reason: <b>{{ msg.logdesc }}</b></p>
<p>Reason: <b>{{ msg.msg }}</b></p>
<p>Reason: <b>{{ msg.reason }}</b></p>
<p>Remote IP & Country: <b>{{ msg.failed_remote_ip }}</b></p>
<h3>Uživatel: <font color="red"><b>{{ msg.username }}</b></font></h3>

<hr>

<h1>Alert message</h1>
Alert name: {{ name }}<br>
Alert description: {{ description }}<br>

<h2>Message meta information</h2>
<table style="border: 1px solid rgb(0, 102, 153); border-collapse: collapse;">
    <tr>
        <td style="border: 1px solid rgb(0, 102, 153);font-weight: bold;">Name</td>
        <td style="border: 1px solid rgb(0, 102, 153);font-weight: bold;">Value</td>
    </tr>
    {% for key in meta|sort %}
        {% if key == "src" %}
            {% for src in meta.src|sort %}
                <tr>
                    <td style="border: 1px solid rgb(0, 102, 153);" align="left">{{ key }}.{{ src }}</td>
                    <td style="border: 1px solid rgb(0, 102, 153);" align="left">{{ meta.src[src] }}</td>
                </tr>
            {% endfor %}
        {% else %}
            <tr>
                <td style="border: 1px solid rgb(0, 102, 153);" align="left">{{ key|e }}</td>
                <td style="border: 1px solid rgb(0, 102, 153);" align="left">{{ meta[key]|e }}</td>
            </tr>
        {% endif %}
    {% endfor %}
</table>

<h2>Message data</h2>
<table style="border: 1px solid rgb(0, 102, 153); border-collapse: collapse;">
    <tr>
        <td style="border: 1px solid rgb(0, 102, 153);font-weight: bold;">Name</td>
        <td style="border: 1px solid rgb(0, 102, 153);font-weight: bold;">Value</td>
    </tr>
    {% for key in msg|sort %}
        <tr>
            <td style="border: 1px solid rgb(0, 102, 153);" align="left">{{ key|e }}</td>
            <td style="border: 1px solid rgb(0, 102, 153);" align="left">{{ msg[key]|e }}</td>
        </tr>
    {% endfor %}
</table>

{% if dropped > 0 %}
    <div style="color: #E81E1E">Dropped similar messages: {{ dropped }}</div>
{% endif %}
{% endblock %}


email template alert setup in Logmanager

Save the template by clicking Save.

Step 3: Import and Configure the Alert Rule

Under the Rules tab, create a new alert and paste the alert code into the XML window.

Then switch to the Blocks window.

Assign the alert a name, for example:
too many login failed from one IP

Enter the recipient email address for the alert and switch the alert status to Enabled.

alert rule configuration in Logmanager UI

Step 4: Set the Failed Login Threshold

In the Blockly code of the alert, configure the required threshold for failed login attempts after which the alert should be triggered.

In this example, the value is set to 10.

Threshold setup in Logmanager

Step 5: Select the Correlation Context

In the Context block, select the previously created correlation window.

Blockly firewall alert final configuration in Logmanager

Step 6: Assign the Email Template to the Alert

At the end of the alert configuration, in the send alert block, select the previously created email template.

blockly email template Logmanager

Contextual Firewall Alert Is Ready

You are now fully prepared to send alerts containing both the attacker’s IP address and geolocation.