Description | This article describes how to send an email alert each time an admin-level user's password is changed. This enhances the security posture of the network, because a password change is not always intentional. |
Scope | FortiGate 7.x. |
Solution |
Review the SMTP server settings under config system email-server as described in the following article: Technical Tip: How to configure SMTP using custom server and port on FortiGate.
config system automation-trigger
    edit "AdminPasswdChanged"
        set event-type event-log
        set logid 44547
        config fields
            edit 1
                set name "cfgpath"
                set value "system.admin"
            next
            edit 2
                set name "cfgattr"
                set value "password[*]"
            next
        end
    next
end

config system automation-action
    edit "AdminPassChange_email"
        set action-type email
        set email-to "example@gmail.com"
        set email-subject "Admin user %%user%% password was changed"
    next
end
With this action, the email contains 'All fields from the log or FortiAnalyzer event triggering this stitch'. To get the source IP and the time of the event in the email, set a custom message as follows:

config system automation-action
    edit "AdminPassChange_email"
        set action-type email
        set email-to "example@gmail.com"
        set email-subject "Admin user %%user%% password was changed"
        set message "Source IP: %%ui%% Time: %%time%%"
    next
end
Example email alert:
Subject: Admin user test password was changed
Source IP: GUI(172.25.181.194) Time: 11:15:34
config sys automation-stitch
    edit "AdminLogin_stitch"
        set trigger "AdminPasswdChanged"
        config actions
            edit 1
                set action "AdminPassChange_email"
                set required enable
            next
        end
    next
end
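To check offline which forwarded log lines would fire this stitch and what the email would contain, the following added example (not part of the original article and not Fortinet code) applies the trigger's conditions and the %%field%% substitution to constructed log lines. The key=value log layout, the 10-digit logid form, the exact-match comparison of field values and all function names are assumptions.

```python
import re

# Trigger conditions and email templates copied from the configuration on this page.
TRIGGER_LOGID = 44547
TRIGGER_FIELDS = {"cfgpath": "system.admin", "cfgattr": "password[*]"}
SUBJECT = "Admin user %%user%% password was changed"
MESSAGE = "Source IP: %%ui%% Time: %%time%%"

# Constructed sample lines; the key=value layout and the 10-digit logid form are assumptions.
SAMPLE_LOGS = [
    'date=2024-01-10 time=11:15:34 logid="0100044547" type="event" subtype="system" '
    'user="test" ui="GUI(172.25.181.194)" action="Edit" cfgpath="system.admin" '
    'cfgobj="test" cfgattr="password[*]" msg="Edit system.admin test"',
    'date=2024-01-10 time=11:20:02 logid="0100044547" type="event" subtype="system" '
    'user="admin" ui="GUI(172.25.181.194)" action="Edit" cfgpath="system.admin" '
    'cfgobj="test" cfgattr="accprofile[prof_admin]" msg="Edit system.admin test"',
    'date=2024-01-10 time=11:21:40 logid="0100032001" type="event" subtype="system" '
    'user="admin" ui="https(172.25.181.194)" action="login" msg="Administrator admin logged in"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line):
    """Split one key=value log line into a dict, handling quoted values."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def matches_trigger(fields):
    """Apply the same conditions as the trigger: log ID plus exact field values."""
    logid = fields.get("logid", "")
    # Assumption: the last six digits of the logged ID are the message ID used in 'set logid'.
    if not logid.isdigit() or int(logid[-6:]) != TRIGGER_LOGID:
        return False
    return all(fields.get(name) == value for name, value in TRIGGER_FIELDS.items())

def render(template, fields):
    """Replace %%name%% placeholders with the matching log field (empty if absent)."""
    return re.sub(r"%%(\w+)%%", lambda m: fields.get(m.group(1), ""), template)

def alerts(lines):
    """Return (subject, message) for every line that would fire the stitch."""
    hits = (parse_log(line) for line in lines)
    return [(render(SUBJECT, f), render(MESSAGE, f)) for f in hits if matches_trigger(f)]

if __name__ == "__main__":
    for subject, message in alerts(SAMPLE_LOGS):
        print(subject, "|", message)
```

Only the first constructed line produces an alert: the second shares the log ID but changes a different attribute, and the third has a different log ID.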
Once it is triggered, the following log entry can be observed:
|
Copyright 2024 Fortinet, Inc. All Rights Reserved.