Merging rules for Portnox Cloud alerts

In this topic, you will find out when Portnox Cloud alerts are merged together into a single compound alert.

| Alert | Time | Number |
|---|---|---|
| 802.1X access attempt denied. LDAP account not found in Portnox repository and LDAP autoenrollment disabled | 30 minutes | 30 |
| 802.1X access attempt denied - AD account is expired | 10 minutes | 10 |
| 802.1X access attempt denied - AD account is locked out | 10 minutes | 10 |
| 802.1X access attempt denied - AD account password is expired | 10 minutes | 10 |
| 802.1X access attempt denied because 'Device Requirement' option is not followed | 10 minutes | 10 |
| 802.1X access attempt denied due to expired credentials | 10 minutes | 10 |
| 802.1X access attempt denied due to Google Workspace account misconfiguration | 10 minutes | 10 |
| 802.1X access attempt denied due to missing credentials | 10 minutes | 10 |
| 802.1X access attempt denied due to missing supplicant certificate | 10 minutes | 10 |
| 802.1X access attempt denied due to supplicant certificate untrusted | 10 minutes | 10 |
| 802.1X access attempt denied due to unsupported authentication type | 10 minutes | 10 |
| 802.1X access attempt denied due to wrong credentials | 10 minutes | 10 |
| 802.1X access attempt denied to unauthorized SSID | 10 minutes | 10 |
| 802.1X wired access attempt denied | 10 minutes | 10 |
| 802.1X wired access attempt denied due to forbidden authentication type | 10 minutes | 10 |
| 802.1X wireless access attempt denied due to forbidden authentication type | 10 minutes | 10 |
| Access denied since Directory Broker does not respond | 10 minutes | 10 |
| Access denied - user name ambiguous | 10 minutes | 10 |
| Access is denied due to the organization exceeding its subscription plan quota | 30 minutes | 10 |
| Access requests become to be served by Portnox Cloud service | 3 minutes | 5 |
| Access requests become to be served by Local RADIUS service | 3 minutes | 5 |
| Access to 802.1X denied - access has been blocked by Azure Conditional Access policies | 10 minutes | 10 |
| Access to 802.1X denied - account is not found | 10 minutes | 10 |
| Access to 802.1X denied - agentless access is disabled | 10 minutes | 10 |
| Access to 802.1X denied by Administrator | 10 minutes | 10 |
| Access to 802.1X denied due to device blocked | 10 minutes | 10 |
| Access to 802.1X denied due to policy violation | 10 minutes | 10 |
| Access to 802.1X denied - total amount of allowed devices per-account is reached | 10 minutes | 10 |
| Access to VPN denied - agentless access is disabled | 10 minutes | 10 |
| Account's certificate has expired | 30 minutes | 30 |
| Account's certificate is about to expire | 30 minutes | 30 |
| Account's certificate was revoked | 1 hour | 10 |
| Account blocked by admin | 2 minutes | 25 |
| Activation code have expired | 10 minutes | 10 |
| Activation code reached attempts limits | 10 minutes | 10 |
| Admin credentials expiring | 10 minutes | 10 |
| AgentP firmware update has occurred | 10 minutes | 10 |
| Applications export was successfully completed | 10 minutes | 10 |
| Application version changed | 3 hours | 30 |
| Authentication with unrecognized LDAP domain name | 30 minutes | 10 |
| Device's client certificate has expired | 10 minutes | 10 |
| Device enrollment failed due to problems with LDAP account | 1 day | 12 |
| Device has become archived | 10 minutes | 10 |
| Device has changed enrollment status | 1 hour | 10 |
| Device has changed its device fingerprint | 1 hour | 10 |
| Device is unauthorized azure computer | 3 hours | 30 |
| Device is unauthorized domain computer | 3 hours | 30 |
| Device jailbroken | 3 hours | 30 |
| Device joined Entra ID Directory | 10 minutes | 10 |
| Device joined LDAP Directory domain | 10 minutes | 10 |
| Device roaming status changed | 3 hours | 30 |
| Device was blocked due to changed device fingerprint | 1 hour | 10 |
| Device was blocked due to excessive activity | 30 minutes | 30 |
| Device was removed during LDAP directory synchronization | 6 hours | 10 |
| Device was successfully validated as azure member | 3 hours | 30 |
| Device was successfully validated as domain member | 3 hours | 30 |
| Directory Broker machine requires update | 6 hours | 10 |
| Domain membership validation failed | 3 hours | 30 |
| Entra ID membership validation failed | 3 hours | 30 |
| Evaluation period is about to expire | 1 day | 12 |
| External sign in success | 10 minutes | 10 |
| Failed to enroll device in unattended mode | 30 minutes | 10 |
| Google Workspace integration is not configured properly | 6 hours | 10 |
| Guest authentication failed | 10 minutes | 10 |
| Guest authentication failed because guest account not found | 10 minutes | 10 |
| Guest authentication failed due to organization license | 10 minutes | 10 |
| Guest authentication success | 10 minutes | 10 |
| Guest forbidden attempt to access employees wireless network | 10 minutes | 10 |
| Host file info was changed | 3 hours | 30 |
| Intune device obtains status 'Compliant' | 3 hours | 30 |
| Intune device obtains status 'Non-Compliant' | 3 hours | 30 |
| Intune synchronization completed | 3 minutes | 5 |
| Intune synchronization failed | 1 day | 12 |
| Jamf synchronization completed | 10 minutes | 10 |
| Jamf synchronization failed | 10 minutes | 10 |
| LDAP directory trust is broken | 6 hours | 10 |
| Local user account(s) on the device changed group membership | 2 minutes | 25 |
| Local user account(s) were deleted from the device | 2 minutes | 25 |
| MAC bypass denied | 30 minutes | 30 |
| NAS was added to Cloud | 6 hours | 10 |
| New application was installed on the device | 3 hours | 30 |
| New certificate was installed on the device | 3 hours | 30 |
| New Intune device was enrolled | 3 hours | 30 |
| New peripheral device was attached to the device | 3 hours | 30 |
| New port was opened on the device | 3 hours | 30 |
| New SIM card was inserted in the device | 3 hours | 30 |
| Okta access attempt denied due to access by not enrolled device | 10 minutes | 10 |
| Okta access denied by Administrator | 10 minutes | 10 |
| Okta access denied due to missing device policy | 10 minutes | 10 |
| Okta access denied due to policy violation | 10 minutes | 10 |
| Okta access not allowed by group settings | 10 minutes | 10 |
| Okta authentication success | 10 minutes | 10 |
| Okta connection not allowed for the device | 10 minutes | 10 |
| Okta Directory synchronization completed | 1 day | 12 |
| OKTA RADIUS forbidden attempt to access with expired credentials | 10 minutes | 10 |
| OS version changed | 3 hours | 30 |
| OTP access attempt denied due to expired token | 10 minutes | 10 |
| OTP access attempt denied due to missing token | 10 minutes | 10 |
| OTP access attempt denied due to wrong token | 10 minutes | 10 |
| Preventive action executed | 3 hours | 30 |
| RADIUS failed to authenticate device against Cloud services | 10 minutes | 10 |
| RADIUS failed to authenticate device due to unsupported authentication type | 10 minutes | 10 |
| RADIUS forbidden attempt to access with expired credentials | 10 minutes | 10 |
| RADIUS forbidden attempt to access with wrong SharedSecret for organization | 1 hour | 30 |
| Synchronization with Google Workspace successfully completed | 1 day | 12 |
| TACACS+ access attempt denied due to sites restrictions. Command-based attribute was not detected | 1 hour | 10 |
| TACACS+ access attempt denied due to sites restrictions. Command-based rule was not detected | 1 hour | 10 |
| TACACS+ access attempt denied due to sites restrictions. NAS was not detected | 1 hour | 10 |
| TACACS+ access attempt denied due to sites restrictions. Session attribute was not detected | 1 hour | 10 |
| TACACS+ access attempt denied due to sites restrictions. Session rule was not detected | 1 hour | 10 |
| TACACS+ access attempt denied due to wrong credentials | 1 hour | 10 |
| TACACS+ access denied - account is not found | 10 minutes | 10 |
| TACACS+ accounting | 30 minutes | 10 |
| TACACS+ authentication attempt denied due to access has been blocked by Azure Conditional Access policies | 1 hour | 100 |
| TACACS+ authentication attempt denied due to account ambiguities. | 1 hour | 100 |
| TACACS+ authentication attempt denied due to blocked by admin account | 1 hour | 100 |
| TACACS+ authentication attempt denied due to expired account | 1 hour | 100 |
| TACACS+ authentication attempt denied due to license limitation | 1 hour | 100 |
| TACACS+ authentication attempt denied due to MFA timeout | 1 hour | 100 |
| TACACS+ authentication attempt denied due to MFA verification failure. Account is not onboarded | 1 hour | 100 |
| TACACS+ authentication attempt denied due to MFA verification failure. Entra ID user must enroll in MFA to access | 1 hour | 100 |
| TACACS+ authentication attempt denied due to MFA verification failure. Entra ID user must perform MFA to access | 1 hour | 100 |
| TACACS+ authentication attempt denied due to MFA verification failure. Entra ID user must refresh MFA to access | 1 hour | 100 |
| TACACS+ authentication attempt denied due to MFA verification failure. There are no suitable devices to process | 1 hour | 100 |
| TACACS+ authentication attempt denied due to MFA verification interruption. Entra ID user must enroll in MFA to access | 1 hour | 100 |
| TACACS+ authentication attempt denied due to MFA verification interruption. Entra ID user must perform MFA to access | 1 hour | 100 |
| TACACS+ authentication attempt denied due to missing TACACS+ policy mapping | 1 hour | 100 |
| TACACS+ authentication attempt denied due to password reset requirements. | 1 hour | 100 |
| TACACS+ authentication attempt denied due to rejected MFA | 1 hour | 100 |
| TACACS+ authentication attempt denied due to server error | 1 hour | 10 |
| TACACS+ authentication success | 10 minutes | 10 |
| TACACS+ authorization attempt denied due to account ambiguities. | 1 hour | 100 |
| TACACS+ authorization attempt denied due to blocked by admin account | 1 hour | 100 |
| TACACS+ authorization attempt denied due to expired account | 1 hour | 100 |
| TACACS+ authorization attempt denied due to license limitation | 1 hour | 100 |
| TACACS+ authorization attempt denied due to MFA timeout | 1 hour | 100 |
| TACACS+ authorization attempt denied due to MFA verification failure. Account is not onboarded | 1 hour | 100 |
| TACACS+ authorization attempt denied due to MFA verification failure. There are no suitable devices to process | 1 hour | 100 |
| TACACS+ authorization attempt denied due to missing TACACS+ policy mapping | 1 hour | 100 |
| TACACS+ authorization attempt denied due to rejected MFA | 1 hour | 100 |
| TACACS+ authorization attempt denied due to server error | 1 hour | 10 |
| TACACS+ authorization success | 10 minutes | 10 |
| TACACS+ command-based connection not allowed for the account | 10 minutes | 10 |
| TACACS+ service connection not allowed for the account | 10 minutes | 10 |
| The evaluation period has expired | 10 minutes | 10 |
| The Portnox Directory Broker is active | 6 hours | 10 |
| The Portnox Directory Broker is dormant | 6 hours | 10 |
| The Portnox Directory Broker is misconfigured | 6 hours | 10 |
| The Portnox Directory Broker is offline | 6 hours | 10 |
| The Portnox Private Access Application is down | 6 hours | 10 |
| The Portnox Private Access Application is up | 6 hours | 10 |
| The Portnox Private Access Gateway is active | 6 hours | 10 |
| The Portnox Private Access Gateway is not reporting | 6 hours | 10 |
| Unable to create account. LDAP autoonboarding disabled | 30 minutes | 30 |
| Unable to enroll a new device | 30 minutes | 10 |
| Unable to enroll a new device due to organization enroll settings | 7 days | 100 |
| Unable to enroll a new device due to organization subscription expiration | 30 minutes | 10 |
| Unattended enrollment: reached maximum number of devices | 1 hour | 100 |
| User repository synchronization is pending | 1 day | 4 |
| VPN access attempt denied - AD account is locked out | 10 minutes | 10 |
| VPN access attempt denied - AD account password is expired | 10 minutes | 10 |
| VPN access attempt denied due to access by not enrolled device | 10 minutes | 10 |
| VPN access attempt denied due to AgentP strong factor validation | 10 minutes | 10 |
| VPN access attempt denied due to AgentP strong factor validation timeout | 10 minutes | 10 |
| VPN access attempt denied due to forbidden authentication type | 10 minutes | 10 |
| VPN access attempt denied due to MFA verification failure. There are no suitable devices to process | 10 minutes | 10 |
| VPN access attempt denied due to no managed devices found to validate risk score | 10 minutes | 10 |
| VPN access attempt denied due to sites restrictions violation | 1 hour | 10 |
| VPN access attempt denied due to supplicant certificate invalid | 10 minutes | 10 |
| VPN access attempt denied due to supplicant certificate issuer untrusted | 10 minutes | 10 |
| VPN access attempt denied due to supplicant certificate untrusted | 10 minutes | 10 |
| VPN access attempt denied due to unsupported authentication type | 10 minutes | 10 |
| VPN access attempt denied due to wrong configuration | 10 minutes | 10 |
| VPN access attempt denied due to wrong credentials | 10 minutes | 10 |
| VPN access denied - account is not found | 10 minutes | 10 |
| VPN access denied by Administrator | 10 minutes | 10 |
| VPN access denied - device not found | 10 minutes | 10 |
| VPN access denied due to missing device policy | 10 minutes | 10 |
| VPN access denied due to policy violation | 10 minutes | 10 |
| VPN access denied - user name ambiguous | 10 minutes | 10 |
| VPN authentication success | 10 minutes | 10 |
| VPN connection not allowed for the device | 10 minutes | 10 |
| Wi-Fi provisioning failed for device | 6 hours | 100 |
| ZTNA authentication success | 6 hours | 10 |
| ZTNA Perpetual Policy Enforcement has failed to perform an action | 1 hour | 5 |
| ZTNA Perpetual Policy Enforcement has performed an action | 1 hour | 5 |
