Configuring Event Notifications
Notifications inform Administrators of certain events by email. In the Imprivata Admin Console, click the gear icon > Notifications. After you configure a notification, you can enable and disable it as needed.
- On the Notification page (gear icon menu > Notifications), click Add. The first page of the Add New Notification page opens.
- Select a Notification Type. A context-sensitive set of event conditions and actions is displayed.
  The conditions and action page lists the conditions under which you want to be notified of the event and the means of notification. Each Event has its own set of conditions. Conditions are detailed in Event Filters.
- Enter the desired conditions.
- Enter the action you want the system to take when the conditions are satisfied. Actions are described in Event Actions.
- Click Save.

You can be notified of a variety of different Event Types. Some types are always current; others rely on information from the user’s Imprivata agent. Some events are only useful with some Enterprise Access Management for SSO (formerly Imprivata OneSign) options.
Event Information that is Logged by the Imprivata Agents
Five events are logged by the user’s Imprivata agent:
- Application Credentials Capture — When the Imprivata agent captures the user’s credentials for an application.
- Application Credentials Proxy — When the Imprivata agent proxies the user’s credentials for an application.
- Application Password Change — When the Imprivata agent auto-generates a new password for an application.
- OneSign Disabled — When the Imprivata agent has been disabled by the user (right-clicking the Imprivata icon in the Windows Notification Area > Disable SSO).
- Agent Shutdown — When the Imprivata agent has been shut down by the user (right-clicking the Imprivata icon in the Windows Notification Area > Exit). This event is not posted to the Imprivata server until the next time that the Imprivata agent comes online.
NOTE: Application events are logged only if you are licensed for Single Sign-On.
The Imprivata agent uploads this information in an audit log at the Imprivata server’s refresh interval. There is always a brief period between the time the credentials are captured and the time the log is posted to the Imprivata server. The notification shows the correct time of the event, not the time of the upload.

The Imprivata appliance can notify you about these events as they occur:
- Primary Login Success — When a user authenticates successfully
- Primary Login Failure — When a user authentication fails
- Primary Lock-Out — When a user is locked out
- Primary Password Reset — When Imprivata changes a user’s Imprivata password as a result of an Imprivata domain password policy or a self-service password reset.
- Finger Identification Failure — When a fingerprint scanner registers a fingerprint reading that cannot be uniquely related to a user.
- Finger Identification Suspension — When fingerprint identification is suspended on a workstation following consecutive fingerprint identification failures in excess of the number set on the Settings page
- Application Credentials Requested — When a user uses Password Self-Services to request the credentials for an application
- Enrollment for Password — When a user authenticates to the Imprivata appliance by password for the first time
- Enrollment for Fingerprint — When a user enrolls a fingerprint to the Imprivata appliance. Each enrollment generates an event.
- Enrollment for Digipass Token — When a user authenticates to the Imprivata appliance by an unenrolled VASCO Digipass token for the first time. Digipasses can be pre-assigned.
- Enrollment for ID Token — When a user authenticates to the Imprivata appliance by one-time password (OTP) ID token for the first time
- Enrollment for External ID Token — When a user authenticates to the Imprivata appliance by OTP token for the first time
- Enrollment for Proximity Card — When a user authenticates to the Imprivata appliance by password with a proximity card for the first time.
- Enrollment for FIDO Security Key — When a user authenticates to the Imprivata appliance by password with a FIDO security key for the first time.
- Enrollment for Smart Card (external) — When a user authenticates to the Imprivata appliance by unenrolled smart card for the first time. Smart cards with Microsoft AD certificates are pre-enrolled, but those with third-party certificates may require enrollment.
- Enrollment for Question and Answer — When a user completes or updates the enrollment information for Emergency Access or Password Self-Services.
- Self-Enrollment Declined — When a user declines self-enrollment to fingerprint, OTP token, or password authentication for the fifth time. Each authentication type is tracked separately.
- Scheduled Synchronization — When the Imprivata appliance has run a scheduled database synchronization. The notification gives the number of EAM accounts added, deleted, and updated, or states that no action was taken because the number of user accounts to be deleted exceeded the value set.
- Change of Domain Controller — When the Imprivata appliance has changed its domain controller connection, either by switching to a peer domain controller or failing to connect to any domain controller.
- Scheduled Report Export — When the Imprivata server has run and exported the results of a report.
- Policy Enforced in Proxy to RADIUS — When Imprivata does not proxy a network access request to the remote RADIUS server because policy is enforced.
- Login Failure to RADIUS Host — When a user fails authentication to the Imprivata RADIUS server. The notification text provides the reason for the failure.
NOTE: If Imprivata cannot authenticate a user to a domain controller because it cannot connect to the domain controller, then Imprivata uses stored credentials until the connection is re-established.

Each event type has these parameters to filter events for notification:
- Date/Time Conditions — Lets you select time parameters; only events that occur at times that meet the time parameters you set are reported. To include two or more non-contiguous time periods, create a Notification for each time period.
- User Conditions — Lets you select events triggered by all users or individual users. For some event types you can filter the event notification to include all users or limit it to only specific individual users. To include individual users from two or more domains, create a Notification for each domain.
- Application Conditions (for some event types) — Lets you select the application that is the subject of the event. If you have the Single Sign-On licensed feature, then you can filter the event notification to include all applications or limit it to only a specific application. To be notified of the same event on two or more specific applications but not all applications, create a separate Notification for each application.
- Workstation Conditions (requires the Finger Identification licensed feature) — Lets you select the workstation on which the event occurred. For two fingerprint identification event types you can filter the event notification to include all workstations or specific workstations, listed by hostname, IP address, or MAC address.

If the conditions are satisfied, then Imprivata can:
- Send an email notification — Imprivata sends an email notification of events to an address on the SMTP server listed on the Settings page. The email is automatically generated by Imprivata and cannot be modified. The email is sent every time the event occurs and the conditions of the event are satisfied.
- Post notification to a URL — Imprivata can post notifications to a URL that you define. Both HTTP and HTTPS are acceptable, and any valid URL is acceptable. The XML content is automatically generated by Imprivata and cannot be modified. It is updated every time the conditions of the event are satisfied.
- Export notification to the syslog — Imprivata can post notifications to the syslog on the Imprivata appliance. For a G4 (fourth generation) enterprise, the data goes to the closest database appliance and from there it is replicated to the second database appliance (if deployed) in the enterprise.
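For the "Post notification to a URL" action, the endpoint you define has to parse XML it receives over the network. The following receiver is an added example, not Imprivata code: it caps the body size, refuses DTD and entity declarations, and flattens the event into a dictionary. The element names in the sample, the UTF-8 encoding, the size cap and the listening address are assumptions; an HTTPS URL reachable only from the appliance is the safer choice for the real endpoint.

```python
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 64 * 1024  # assumed cap: a single event notification is small

class RejectedNotification(ValueError):
    """Body refused before or during parsing."""

def parse_notification(body: bytes) -> dict:
    """Flatten a posted XML notification into {tag: text}."""
    if len(body) > MAX_BODY:
        raise RejectedNotification("body too large")
    try:
        text = body.decode("utf-8")  # assumption: notifications are UTF-8
    except UnicodeDecodeError as exc:
        raise RejectedNotification("not UTF-8") from exc
    # Generated event XML has no need for a DTD (assumption), so refuse one:
    # this shuts out entity-expansion and external-entity payloads.
    lowered = text.lower()
    if "<!doctype" in lowered or "<!entity" in lowered:
        raise RejectedNotification("DTD or entity declaration present")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise RejectedNotification(f"malformed XML: {exc}") from exc
    return {el.tag: el.text.strip() for el in root.iter()
            if el.text and el.text.strip()}

class NotificationHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
            if not 0 < length <= MAX_BODY:
                raise RejectedNotification("bad Content-Length")
            event = parse_notification(self.rfile.read(length))
        except ValueError:  # covers RejectedNotification too
            self.send_response(400)
            self.end_headers()
            return
        print(event)  # hand off to a queue or SIEM forwarder here
        self.send_response(204)
        self.end_headers()

# Constructed sample; element names are placeholders, not Imprivata's schema.
SAMPLE = (b'<?xml version="1.0" encoding="UTF-8"?><notification>'
          b"<eventType>Primary Login Failure</eventType>"
          b"<user>jdoe</user><time>2024-05-01T09:30:00Z</time></notification>")

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), NotificationHandler).serve_forever()
```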