Configuring Alerts
Let's configure alerts in WSO2 Identity Server.
Suspicious Login Alerts
Follow the steps below to configure suspicious login alerts.
- Open the <IS_ANALYTICS_HOME>/wso2/worker/deployment/siddhi-files/IS_ANALYTICS_SUSPICIOUS_LOGIN.siddhi file.
- Update the <<NO OF FAILURE ATTEMPTS>> parameter, the minimum number of repeated failures (the e2 events in the pattern) that must follow the first failure before a successful login is treated as suspicious, as given below. The whole pattern has to complete within 5 minutes, and at most one alert per minute is emitted for each username, user store domain and tenant domain group.

```siddhi
-- Detecting events from same user. An alert is generated when we make more than five failure login attempts followed by a success
from every (e1=OverallAuthenticationStream[authStepSuccess == false])
    -> e2=OverallAuthenticationStream[authStepSuccess == false AND e1.username == e2.username AND e1.userStoreDomain == e2.userStoreDomain AND e1.tenantDomain == e2.tenantDomain]<<<NO OF FAILURE ATTEMPTS, e.g., 4>>:>
    -> e3=OverallAuthenticationStream[authStepSuccess == true AND e2.username == e3.username AND e2.userStoreDomain == e3.userStoreDomain AND e2.tenantDomain == e3.tenantDomain]
within 5 min
select e2[last].meta_tenantId, e2[last].username, 1 as severity,
    str:concat('Successful login attempt after multiple login failures with same username detected at: ', time:dateFormat(e3[last]._timestamp, 'yyyy-MM-dd HH:mm:ss'), '.') as msg,
    e2[last].tenantDomain, e3[last]._timestamp as timestamp, e2[last].serviceProvider
group by e1.username, e1.userStoreDomain, e1.tenantDomain
output first every 1 min
insert into LoginAlertStreamSameUsername;
```
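To see what the pattern above actually matches before changing <<NO OF FAILURE ATTEMPTS>>, the following Python replay runs the same logic over a handful of constructed authentication events. It is an added example, not code shipped with WSO2 Identity Server Analytics: the event dictionaries, the `_event` helper, the `SAMPLE_EVENTS` data and the `detect_suspicious_logins` function are all assumptions made here, and the Siddhi pattern semantics are approximated by counting the failures that precede each success inside the window.

```python
"""Replay of the suspicious-login pattern over constructed authentication events.

Added example, not part of the WSO2 IS Analytics distribution. The rule is:
failure_attempts + 1 failed logins for the same (username, userStoreDomain,
tenantDomain), followed by a success, all inside a 5 minute window, with at
most one alert per group per minute ("output first every 1 min").
"""
from collections import defaultdict
from datetime import datetime, timezone

MINUTE_MS = 60 * 1000


def _event(username, success, ts_ms, user_store="PRIMARY", tenant="carbon.super", sp="app1"):
    """Build one OverallAuthenticationStream-like event (constructed sample data)."""
    return {
        "username": username, "userStoreDomain": user_store, "tenantDomain": tenant,
        "meta_tenantId": -1234, "serviceProvider": sp,
        "authStepSuccess": success, "_timestamp": ts_ms,
    }


# Constructed sample input; timestamps are epoch milliseconds like _timestamp.
SAMPLE_EVENTS = (
    # alice: five failures then a success 10 s later -> alert
    [_event("alice", False, t) for t in (1000, 2000, 3000, 4000, 5000)]
    + [_event("alice", True, 10000)]
    # alice again inside the same minute -> suppressed by the 1 min output window
    + [_event("alice", False, t) for t in (20000, 21000, 22000, 23000, 24000)]
    + [_event("alice", True, 30000)]
    # bob: only three failures -> below the threshold
    + [_event("bob", False, t) for t in (1000, 2000, 3000)]
    + [_event("bob", True, 4000)]
    # carol: five failures, but the success arrives after the 5 min window
    + [_event("carol", False, t) for t in (1000, 2000, 3000, 4000, 5000)]
    + [_event("carol", True, 400000)]
    # dave in another tenant: five failures then a success -> alert
    + [_event("dave", False, t, tenant="acme.com") for t in (1000, 2000, 3000, 4000, 5000)]
    + [_event("dave", True, 8000, tenant="acme.com")]
)


def _group(e):
    return (e["username"], e["userStoreDomain"], e["tenantDomain"])


def detect_suspicious_logins(events, failure_attempts=4, window_ms=5 * MINUTE_MS,
                             output_interval_ms=MINUTE_MS):
    """Return LoginAlertStreamSameUsername-style alerts for the given events.

    failure_attempts plays the role of <<NO OF FAILURE ATTEMPTS>>: the number of
    e2 failures required after the first failure e1, so the success e3 must be
    preceded by failure_attempts + 1 failures in total.
    """
    failures = defaultdict(list)  # group -> failure events since the last success
    last_alert = {}               # group -> timestamp of the last emitted alert
    alerts = []
    for e in sorted(events, key=lambda x: x["_timestamp"]):
        g, ts = _group(e), e["_timestamp"]
        if not e["authStepSuccess"]:
            failures[g].append(e)
            continue
        # A success closes the failure run; only failures inside the window that
        # ends at this success can play the roles of e1 .. e2.
        recent = [f for f in failures[g] if ts - f["_timestamp"] <= window_ms]
        failures[g].clear()
        if len(recent) < failure_attempts + 1:
            continue
        # "output first every 1 min": keep only the first alert per group per interval.
        if g in last_alert and ts - last_alert[g] < output_interval_ms:
            continue
        last_alert[g] = ts
        e2_last = recent[-1]
        when = datetime.fromtimestamp(ts / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        alerts.append({
            "meta_tenantId": e2_last["meta_tenantId"], "username": e2_last["username"],
            "severity": 1,
            "msg": "Successful login attempt after multiple login failures with same "
                   f"username detected at: {when}.",
            "tenantDomain": e2_last["tenantDomain"], "timestamp": ts,
            "serviceProvider": e2_last["serviceProvider"],
        })
    return alerts


if __name__ == "__main__":
    for a in detect_suspicious_logins(SAMPLE_EVENTS):
        print(a["tenantDomain"], a["username"], a["msg"])
```

Running the module prints the two alerts (dave, then alice); raising `failure_attempts` to 5 silences both, which is the effect of raising <<NO OF FAILURE ATTEMPTS>> in the Siddhi file.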
Long Sessions
Follow the steps below to configure long session alerts.
- Open the <IS_ANALYTICS_HOME>/wso2/worker/deployment/siddhi-files/IS_ANALYTICS_LONG_SESSION.siddhi file.
- Update the respective parameters.
  - <<SESSION DURATION>>: An alert is triggered if the duration of a user session exceeds the number of milliseconds specified in this parameter. Only active sessions without the "remember me" flag are considered.

    ```siddhi
    from PeriodicalTriggerStream as P join SessionInformationTable as S
        on S.duration > <<SESSION DURATION, e.g., 900000>> and S.rememberMeFlag == false and S.isActive == true
    select meta_tenantId, sessionId, startTimestamp, renewTimestamp, terminationTimestamp, endTimestamp,
        duration, username, userstoreDomain, tenantDomain, timestamp
    insert into FilterLongSessionsStreams;
    ```

  - <<AVERAGE SESSION DURATION PARAMETER>>: An alert is triggered if the duration of a user session exceeds the average session duration, and if the difference exceeds the percentage specified in this parameter.

    ```siddhi
    from FilterLongSessionsStreams as s join AverageSession as t
        on s.meta_tenantId == t.meta_tenantId and s.tenantDomain == t.tenantDomain
        and s.username == t.username and s.userstoreDomain == t.userstoreDomain
        and (s.duration > t.avgDuration * (<<AVERAGE SESSION DURATION PARAMETER, e.g., 50.0>> + 100.0) / 100.0)
    select s.timestamp, s.meta_tenantId, s.tenantDomain, s.sessionId, s.username, s.duration, t.avgDuration
    insert into AlertLongSessionsStreamTemp;
    ```

  - <<NO OF DAYS>>: This parameter defines the number of days to be considered when calculating the average session duration. For example, if this parameter is set to 7, the average session duration is calculated based on the duration of all the sessions that occurred during the 7 days before the current session. TriggerStreamAtDeployment and TriggerEveryThirtyMinutesStream are used to calculate the average session duration over the last 7 days at deployment time and every 30 minutes respectively.

    ```siddhi
    from TriggerStreamAtDeployment
    select convert(time:dateSub(triggered_time, <<NO OF DAYS, e.g., 7>>, 'DAY'), 'long') as lastSeventimestamp
    insert into LastSevenDaysStream;

    from TriggerEveryThirtyMinutesStream
    select convert(time:dateSub(triggered_time, <<NO OF DAYS, e.g., 7>>, 'DAY'), 'long') as lastSeventimestamp
    insert into LastSevenDaysStream;
    ```
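The three long-session parameters interact: a session must first clear the fixed <<SESSION DURATION>> limit and the remember-me/active filter, and only then is it compared with the user's average over the last <<NO OF DAYS>> days using <<AVERAGE SESSION DURATION PARAMETER>>. The following Python replay over constructed session records makes that ordering visible. It is an added example, not code from WSO2 Identity Server Analytics; the session dictionaries, the `_session` helper, `SAMPLE_SESSIONS`, `NOW_MS` and the two functions are assumptions made here, as is the choice to compute the average over the user's sessions that started inside the look-back window (the page does not state exactly how the AverageSession table is populated).

```python
"""Replay of the long-session rules over constructed session records.

Added example, not part of WSO2 IS Analytics. A session is reported when it is
active, not a "remember me" session, longer than session_duration_ms
(<<SESSION DURATION>>), and longer than the user's average session duration over
the last no_of_days days (<<NO OF DAYS>>) by more than avg_session_duration_pct
percent (<<AVERAGE SESSION DURATION PARAMETER>>).
"""
from collections import defaultdict

DAY_MS = 24 * 60 * 60 * 1000
NOW_MS = 10 * DAY_MS  # constructed "current time" for the sample data


def _session(session_id, username, start_ms, duration_ms, active=False, remember_me=False):
    """Build one SessionInformationTable-like row (constructed sample data)."""
    return {
        "sessionId": session_id, "username": username, "userstoreDomain": "PRIMARY",
        "tenantDomain": "carbon.super", "meta_tenantId": -1234,
        "startTimestamp": start_ms, "duration": duration_ms,
        "isActive": active, "rememberMeFlag": remember_me,
    }


# Constructed sample input (durations and timestamps in milliseconds).
SAMPLE_SESSIONS = [
    # alice: three recent 10 min sessions plus one very long session 20 days ago
    # that must fall outside the 7 day look-back window.
    _session("s-alice-1", "alice", NOW_MS - 3 * DAY_MS, 600_000),
    _session("s-alice-2", "alice", NOW_MS - 2 * DAY_MS, 600_000),
    _session("s-alice-3", "alice", NOW_MS - 1 * DAY_MS, 600_000),
    _session("s-alice-old", "alice", NOW_MS - 20 * DAY_MS, 5_000_000),
    # alice's current session: 20 min and active -> exceeds both thresholds
    _session("s-alice-active", "alice", NOW_MS - 1_200_000, 1_200_000, active=True),
    # bob: long active session, but "remember me" sessions are excluded
    _session("s-bob-active", "bob", NOW_MS - 3_000_000, 3_000_000, active=True, remember_me=True),
    # carol: far above her own average but still under <<SESSION DURATION>>
    _session("s-carol-1", "carol", NOW_MS - 1 * DAY_MS, 100_000),
    _session("s-carol-active", "carol", NOW_MS - 800_000, 800_000, active=True),
]


def _group(s):
    # Same join key the AlertLongSessionsStreamTemp query uses.
    return (s["meta_tenantId"], s["tenantDomain"], s["username"], s["userstoreDomain"])


def average_session_durations(sessions, now_ms, no_of_days=7):
    """Average duration per user over sessions started in the last no_of_days days.

    The cut-off mirrors LastSevenDaysStream: time:dateSub(now, <<NO OF DAYS>>, 'DAY').
    """
    cutoff = now_ms - no_of_days * DAY_MS
    totals = defaultdict(lambda: [0, 0])  # group -> [sum of durations, count]
    for s in sessions:
        if s["startTimestamp"] >= cutoff:
            totals[_group(s)][0] += s["duration"]
            totals[_group(s)][1] += 1
    return {g: total / count for g, (total, count) in totals.items()}


def find_long_sessions(sessions, now_ms, session_duration_ms=900_000,
                       avg_session_duration_pct=50.0, no_of_days=7):
    """Return AlertLongSessionsStreamTemp-style records for the given sessions."""
    averages = average_session_durations(sessions, now_ms, no_of_days)
    alerts = []
    for s in sessions:
        # FilterLongSessionsStreams: active, not remember-me, over the fixed limit.
        if not (s["isActive"] and not s["rememberMeFlag"] and s["duration"] > session_duration_ms):
            continue
        avg = averages.get(_group(s))
        if avg is None:
            continue
        # AlertLongSessionsStreamTemp: more than pct percent above the user's average.
        if s["duration"] > avg * (avg_session_duration_pct + 100.0) / 100.0:
            alerts.append({"sessionId": s["sessionId"], "username": s["username"],
                           "duration": s["duration"], "avgDuration": avg})
    return alerts


if __name__ == "__main__":
    for a in find_long_sessions(SAMPLE_SESSIONS, NOW_MS):
        print(a["username"], a["sessionId"], a["duration"], "avg", a["avgDuration"])
```

With the defaults only alice's active session is reported; lowering `session_duration_ms` to 700000 also reports carol, and widening `no_of_days` to 30 pulls alice's old 5,000,000 ms session into her average and stops her alert, which is the same lever the three placeholders give you in the Siddhi file.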