Mail Server
Use the Mail Server page to send incident alerts. You can also create custom delivery rules.
Creating incident alerts
To send incident alerts:
- Go to System > Mail Server. The Mail Server page opens.
- Enable Send Incidents Alerts.
- Configure the mail server settings.
SMTP Server Address
SMTP server address.
Port
SMTP server port number.
From
The mail server email account. This is the "from" address.
Login User
The mail server login account.
Login Password
Enter and confirm the password.
- (Optional) Click Send Test Email to send a test email to one or more email addresses. If an error occurs, the error message appears at the top of the page and is recorded in the System Logs.
- Click Save.
-
Click Back to return to the Mail Server page.
Creating alert delivery rules
To create a alert delivery rule:
- Click Alert Deliver Rule. The Alert Rule dialog opens.
- Enable the rule. When enabled, FortiDeceptor sends an email alert to the Receiver Email List according to the rule
- Configure the rule settings.
Name
Enter a name for the rule.
Incident URL
When enabled, the device hostname is used instead of the management IP.
Note: The device hostname must be able to be resolved in your DNS server for the Incident URL link to work.
Alert Severity
Select Low, Medium, High, or Critical.
Alert Type
Select Connection, Reconnaissance, Interaction, and Infection.
Binary Infection
This options is available when the Alert Type is Interaction or Infection .
Select Yes to be alerted when an attacker drops or downloads suspicious files into decoys.
Incident Alert Section
Select All, Interaction Events Only, IPS events only, or Web filter events only.
Attacker IP/Subnet
Enter one or more values for the attacker IP address or attacker IP network.
Attacker User
Enter one or more values for the attacker username.
To trigger the rule, the username entered by the attacker and the value for Attacker User must be exactly same. The string is case sensitive.
Attacker Password
Enter one or more values for the attacker password.
To trigger the rule, the password entered by the attacker and the value for Attacker Password must be exactly same. The string is case sensitive.
Operation Content
Enter one or more key words that will trigger the rule.
Operation Content supports exact and partial matches. For example, if the value is
Monkey
and the attacker entersKey
, the rule is triggered. However, the rule is not triggered if the attacker only entersey
. Operation Content is not case sensitive.Victim Decoy Name
Select one or more deployed decoys from the Select Entries pane that slides open.
Victim Decoy Port
Enter one or more decoy service port numbers.
Recipients
Enter one or more receiver email addresses.
Display Original Recipient
Enable to view the original recipient of the alert email message.
The relationship between each of the lines in the rule is And. To trigger the rule, all the values must be met. For example, the rule is not triggered if the value for Attacker User is met, but the value for Attacker Password is not.
The relationship for each line of the rule is Or. To trigger the rule, only one of the values must be met. For example, if the values for Attacker User are
Admin
andAdministrator
, the rule is triggered if onlyAdmin
is entered. - Click Save.