Security Alerts

Alerting and Reporting

NetCloud Feature
Monitoring and Diagnostics > Alerts and Logs

The following table lists the security-related alerts. These include:

  • Alert for locked account

  • Failed attempts to log in on the device login screen

  • Intrusion detected

  • Trying to access banned IP addresses

  • Failure of Threat Management engine

  • Enabling or Disabling IPS and IDS

  • Change to IPS or IDS

  • Unknown rogue access point detected

  • SCEP enrollment success or failure

  • Router login success

  • Attempt to connect by a client with unrecognized MAC address

  • Change in the state of Zscaler tunnel

Table 14. Security Alerts

Alert Categories

Description

Account Locked

Occurs after six failed login attempts on devices with Advanced Security Mode enabled. The account remains locked for 30 minutes. To enable this setting, log in to the Device UI, go to System > Administration > Router Security, and select Advanced Security Mode.

Additional settings: Account lock alerts can be further refined by selecting Routers or NetCloud.

Selecting only Routers sends alerts when a user enters too many incorrect passwords while attempting to access NCOS.

Selecting only NetCloud sends alerts when a user enters too many incorrect passwords while attempting to access NetCloud Manager.

Failed Login Attempt

Occurs when a login fails on the Device UI login screen.

Additional settings:

Failed login attempt alerts can be further refined by selecting Routers or NetCloud.

Router alerts include details such as the type of failed login attempt (for example, wrong password).

NetCloud alerts include the time and date of the failed login attempt, the username, and the source IP address.

Example alert: An attempt to log in as the admin user from 192.168.0.142 has failed

Intrusion Activity

Only relevant for devices with CP Secure Threat Management. Whenever the Threat Management deep packet inspection engine detects an intrusion, that event is recorded in the logs. These events are grouped together for 15 minutes and then reported in NetCloud Manager, so an emailed alert notification might not arrive until approximately 15 minutes after an intrusion. Intrusion Activity alerts include the intrusion details and the action taken by the engine (e.g., Blocked). To edit Threat Management settings, log in to the Device UI and select Security > Threat Management. For more information, see Manual: Network Settings → Threat Management.

IP Address Banned

Occurs when the Ban IP Address setting is turned on for a device and someone from a particular IP address attempts and fails to log in to the Device UI six times; that IP address is then banned for 30 minutes. To enable this setting, log in to the Device UI, go to System > Administration > Router Security, click Advanced Security Mode, and select the Ban IP Address option.
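The Account Locked, Failed Login Attempt and IP Address Banned rows above describe the same threshold logic from two angles (six failures, then a 30-minute lock or ban). The following script is an added example, not NetCloud Manager or NCOS code, showing how a defender could replay that logic over exported failed-login alert text to confirm which accounts and source addresses should have been locked or banned. The alert line format is the one quoted in the table; the ISO timestamp prefix and the 30-minute sliding counting window are assumptions of this example, as is the sample log, which is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: NetCloud failed-login alert text in the form the
# article shows ("An attempt to log in as the admin user from 192.168.0.142 has
# failed"), each line prefixed with an ISO timestamp. The timestamp prefix is an
# assumption of this example, not a NetCloud Manager export format.
SAMPLE_LOG = """\
2024-05-01T10:00:00 An attempt to log in as the admin user from 192.168.0.142 has failed
2024-05-01T10:00:05 An attempt to log in as the admin user from 192.168.0.142 has failed
2024-05-01T10:00:10 An attempt to log in as the admin user from 192.168.0.142 has failed
2024-05-01T10:00:15 An attempt to log in as the admin user from 192.168.0.142 has failed
2024-05-01T10:00:20 An attempt to log in as the admin user from 192.168.0.142 has failed
2024-05-01T10:00:25 An attempt to log in as the admin user from 192.168.0.142 has failed
2024-05-01T10:00:30 An attempt to log in as the admin user from 192.168.0.142 has failed
2024-05-01T10:05:00 An attempt to log in as the admin user from 10.0.0.7 has failed
2024-05-01T10:40:00 An attempt to log in as the admin user from 192.168.0.142 has failed
2024-05-01T10:40:05 malformed line that the parser must skip
"""

FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"An attempt to log in as the (?P<user>\S+) user from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) has failed$"
)

# Thresholds from the article: six failures trip the lock or ban, which lasts 30 minutes.
FAILURE_THRESHOLD = 6
LOCK_DURATION = timedelta(minutes=30)


class LockoutTracker:
    """Counts failed logins per key (an account name or a source IP) and reports
    the moment a key crosses the threshold, mirroring the Account Locked and
    IP Address Banned behaviour. Failures are counted inside a sliding window
    equal to the lock duration (an assumption; the article states no window)."""

    def __init__(self, threshold=FAILURE_THRESHOLD, duration=LOCK_DURATION):
        self.threshold = threshold
        self.duration = duration
        self.failures = defaultdict(list)   # key -> timestamps of recent failures
        self.locked_until = {}              # key -> datetime when the lock expires

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:                    # lock expired: clear it and its history
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def record_failure(self, key, now):
        """Return True exactly when this failure trips the lock for `key`."""
        if self.is_locked(key, now):
            return False                    # already locked: no duplicate alert
        window = self.failures[key]
        cutoff = now - self.duration
        window[:] = [t for t in window if t >= cutoff]
        window.append(now)
        if len(window) >= self.threshold:
            self.locked_until[key] = now + self.duration
            window.clear()
            return True
        return False


def process_log(text):
    """Parse failed-login lines and return (alert_name, subject, timestamp) tuples
    in the order the lock and ban events would fire."""
    accounts = LockoutTracker()
    sources = LockoutTracker()
    alerts = []
    for line in text.splitlines():
        m = FAILED_LOGIN_RE.match(line)
        if not m:
            continue                        # not a failed-login line; ignore it
        now = datetime.fromisoformat(m["ts"])
        if accounts.record_failure(m["user"], now):
            alerts.append(("Account Locked", m["user"], m["ts"]))
        if sources.record_failure(m["ip"], now):
            alerts.append(("IP Address Banned", m["ip"], m["ts"]))
    return alerts


if __name__ == "__main__":
    for name, subject, ts in process_log(SAMPLE_LOG):
        print(f"{ts} {name}: {subject}")
```

Run on the sample, the sixth failure at 10:00:25 fires both an Account Locked event for admin and an IP Address Banned event for 192.168.0.142; the seventh failure and the 10:05 attempt from a second address raise nothing because the account is already locked, and the 10:40 attempt lands after the 30-minute lock has expired, so counting starts again from one. Separate trackers for accounts and source addresses matter because a spread of failures across many source IPs still locks the account while banning none of the addresses.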

IPS Engine Failure

For devices using Cradlepoint Secure Threat Management (CPSTM), this alert occurs in the unlikely event that the Threat Management engine fails. You can set the router to either allow or deny traffic during a failure. To edit this setting, log in to the Device UI and go to Security > Threat Management.

IPS Enablement Change

Occurs when Intrusion Prevention Systems / Intrusion Detection Systems (IPS/IDS) has been enabled or disabled using Cradlepoint Secure Threat Management (CPSTM) and provides details about who made the change and when it occurred.

IPS Mode Change

Occurs when the IPS/IDS mode has been changed (for example, from Detect and Prevent to Detect Only) using CPSTM and provides details on what changed, who made the change, and when it occurred.

Rogue Access Point Detected

Occurs after running a WiFi site survey when a rogue access point not marked as "known" is detected broadcasting the same SSID as the device running the site survey. This helps identify potential access-point hijacking, evil twin, and man-in-the-middle WiFi attacks.

SCEP Enrollment Success

This alert is generated when a device successfully enrolls with a SCEP server.

SCEP Enrollment Failure

This alert is generated when a device attempts to enroll with a SCEP server but can't enroll successfully.

Successful Login (Router)

Indicates that a user has logged into the Device UI (requires at least NetCloud OS 5.0.1).

Unrecognized Client

Indicates a client with an unrecognized MAC address has attempted to connect to the device. MAC logging must be enabled to trigger this alert. To enable MAC logging, log in to the Device UI, go to Networking > Local Networks > MAC Filter & Logging, and select Enable MAC Logging.

Zscaler TLS Tunnel State

Indicates the state of a Zscaler tunnel has changed.